Location: Kirby Cane (9 / NR35 2PR)
+44 7787 872860
david@coderslament.uk

Forum

In the round trip of life knowledge and honesty gets you complete


[Authorize] Attribute returning "Not Authorised" even when logged in successfully / ASP.NET Core 5.0 / iFrame

Dear Reader

I spent about 1 week working on the problem described in the subject. It was a make or break moment for me as the iFrame methodology of the project was central to the way things worked. Note: The description of the solution should really only be used with iFrames containing the .NET program as SameSite.None, I think, would mostly be used in that situation...

Note: The whole fraught week was well worth the time, as I found about 5 other areas of code that needed changing (bugs if you like) and correcting, which I might not have noticed for some time.

So there are three parts to the code changes that I made to make this work. The following exist in the startup.cs file of the Core 5 project.

// Inside Startup.ConfigureServices(IServiceCollection loServices). Namespaces needed:
// using Microsoft.AspNetCore.Authentication.Cookies;   // CookieAuthenticationDefaults
// using Microsoft.AspNetCore.Builder;                  // CookiePolicyOptions
// using Microsoft.AspNetCore.Http;                     // SameSiteMode, CookieSecurePolicy

// Site-wide cookie policy, enforced by app.UseCookiePolicy() in Configure()
loServices.Configure<CookiePolicyOptions>(options =>
{
    options.CheckConsentNeeded = context => true;
    // Lowest SameSite value the policy will allow: None, so the auth cookie is not upgraded to Lax
    options.MinimumSameSitePolicy = SameSiteMode.None;
    // HttpOnlyPolicy.None = leave each cookie's own HttpOnly flag as set
    options.HttpOnly = Microsoft.AspNetCore.CookiePolicy.HttpOnlyPolicy.None;
    // Every cookie the app emits gets the Secure flag
    options.Secure = CookieSecurePolicy.Always;
    options.ConsentCookie.Name = "NameHidden";
});
loServices.AddAuthorization(options =>
{
    options.AddPolicy("RequireAuthentication", policy => policy.RequireAuthenticatedUser());
});
loServices.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
});
// Application (Identity) authentication cookie: the one the browser must send back from inside the iFrame
loServices.ConfigureApplicationCookie(options =>
{
    options.Cookie.Name = "NameHidden";
    // SameSite=None is only honoured by browsers when the cookie is also Secure
    options.Cookie.SameSite = SameSiteMode.None;
    options.Cookie.HttpOnly = true;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.LoginPath = "/Shared/MethodHidden";
});

Points to note:

  1. HttpOnly = true
  2. SameSiteMode.None
  3. Always Secure

Note I read that for cookies to work in a X-site script iFrame they needed to be 1. Secure 2. SameSite.None or they would not be visible, or readable.

I hope this post is of use.

KR

David


David A Robertson, aka hkdave95 (Cheesy Chilli Chocci Dave) JADER Ltd
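The post above fixes the problem by configuration, but it helps to see the browser-side rule that caused it: since Chrome 80 (and other Chromium browsers) a cookie with no SameSite attribute is treated as Lax, and a Lax cookie is sent on a top-level GET navigation but not on the request that loads a document into a cross-site iframe, which is exactly why [Authorize] sees an anonymous request. SameSite=None restores cross-site sending, and only if the cookie is also Secure; otherwise the browser refuses to store it at all. The checker below is an added example written for this page, not code from the original post or from ASP.NET Core: paste in the Set-Cookie header your app emits (from the browser's network tab or curl -i) and it reports whether the cookie will be stored and whether it will be attached in each framing context. The header strings in it are constructed. One caveat worth keeping in mind: once the auth cookie is SameSite=None, any site that can frame or post to your app gets the cookie attached, so ASP.NET Core's antiforgery tokens are what protects state-changing actions from CSRF.

```python
"""Predict whether a browser stores and later attaches a cookie, using the
SameSite rules Chrome has applied since version 80 (other Chromium browsers
follow the same rules).

Added example for this forum post, not code from the original author or from
ASP.NET Core. All Set-Cookie header strings here are constructed samples.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    http_only: bool = False
    same_site: Optional[str] = None  # "Strict", "Lax", "None", or None when the attribute is absent


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value; attribute names are case-insensitive."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
        elif key == "samesite":
            cookie.same_site = val.strip().capitalize()  # "none" -> "None", "lax" -> "Lax"
    return cookie


def browser_accepts(cookie: Cookie, over_https: bool = True) -> Tuple[bool, str]:
    """Set-time check: would the browser store this cookie at all?"""
    if cookie.same_site == "None" and not cookie.secure:
        return False, "SameSite=None without Secure is rejected at set time"
    if cookie.secure and not over_https:
        return False, "a Secure cookie cannot be set by a plain-http response"
    return True, "stored"


def will_be_sent(cookie: Cookie, *, cross_site: bool, top_level_navigation: bool,
                 method: str = "GET", over_https: bool = True) -> Tuple[bool, str]:
    """Request-time check for one context.

    cross_site: the request's site differs from the top-level page's site
        (true for a .NET app framed by another site's page).
    top_level_navigation: the request loads the top-level document itself;
        an iframe's document load, XHR and fetch are NOT top-level.
    Chrome's temporary "Lax+POST" allowance for attribute-less cookies set
    within the last two minutes is deliberately not modelled.
    """
    accepted, why = browser_accepts(cookie, over_https)
    if not accepted:
        return False, why
    if not cross_site:
        return True, "same-site request: SameSite does not restrict it"
    mode = cookie.same_site or "Lax"  # attribute absent => treated as Lax
    if mode == "None":
        return True, "SameSite=None; Secure: sent on cross-site requests"
    if mode == "Strict":
        return False, "SameSite=Strict: never sent cross-site"
    if top_level_navigation and method.upper() == "GET":
        return True, "SameSite=Lax: sent on a top-level GET navigation"
    return False, "SameSite=Lax (explicit or default): not sent to a cross-site iframe"


def iframe_audit(header: str) -> dict:
    """Summarise one Set-Cookie header across the contexts that matter for framing."""
    cookie = parse_set_cookie(header)
    return {
        "name": cookie.name,
        "stored": browser_accepts(cookie)[0],
        "top_level_same_site": will_be_sent(cookie, cross_site=False, top_level_navigation=True)[0],
        "top_level_cross_site_get": will_be_sent(cookie, cross_site=True, top_level_navigation=True)[0],
        "cross_site_iframe": will_be_sent(cookie, cross_site=True, top_level_navigation=False)[0],
    }


if __name__ == "__main__":
    # Constructed headers: no SameSite attribute, None without Secure, and the post's settings.
    for header in (
        "NameHidden=abc123; path=/; httponly",
        "NameHidden=abc123; path=/; samesite=none; httponly",
        "NameHidden=abc123; path=/; secure; samesite=none; httponly",
    ):
        sent, why = will_be_sent(parse_set_cookie(header), cross_site=True, top_level_navigation=False)
        print(f"{header!r}\n  cross-site iframe: {'sent' if sent else 'NOT sent'} ({why})")
```

Run it and compare the three headers: only the last one, which matches the post's configuration (Secure, HttpOnly, SameSite=None), reaches a page loaded inside a cross-site iframe. The first one is still sent on a normal top-level link into the app, which is why the login itself appears to work while the framed pages come back as not authorised.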