[Authorize] Attribute returning "Not Authorised" even when logged in successfully / ASP.NET Core 5.0 / iFrame
Quote from dar on 01/12/2020, 03:10
Dear Reader
I spent about 1 week working on the problem described in the subject. It was a make-or-break moment for me, as the iFrame methodology of the project was central to the way things worked. Note: The description of the solution should really only be used with iFrames containing the .NET program, as SameSite.None, I think, would mostly be used in that situation...
Note: The whole fraught week was well worth the time, as I found about 5 other areas of code that needed changing (bugs, if you like) and corrected them, which I might not have noticed for some time.
So there are three parts to the code changes that I made to make this work. The following exist in the startup.cs file of the Core 5 project.

    loServices.Configure<CookiePolicyOptions>(options =>
    {
        options.CheckConsentNeeded = context => true;
        options.MinimumSameSitePolicy = SameSiteMode.None;
        options.HttpOnly = Microsoft.AspNetCore.CookiePolicy.HttpOnlyPolicy.None;
        options.Secure = CookieSecurePolicy.Always;
        options.ConsentCookie.Name = "NameHidden";
    });

    loServices.AddAuthorization(options =>
    {
        options.AddPolicy("RequireAuthentication", policy => policy.RequireAuthenticatedUser());
    });

    loServices.AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    });

    loServices.ConfigureApplicationCookie(options =>
    {
        options.Cookie.Name = "NameHidden";
        options.Cookie.SameSite = SameSiteMode.None;
        options.Cookie.HttpOnly = true;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.LoginPath = "/Shared/MethodHidden";
    });

Points to note:
- HttpOnly = true
- SameSiteMode.None
- Always Secure
Note: I read that for cookies to work in a cross-site script iFrame they need to be 1. Secure, 2. SameSite.None, or they would not be visible or readable.
I hope this post is of use.
KR
David
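The following is an added example, not the poster's code or any project's own code: a complete Startup for an ASP.NET Core 5.0 application that is embedded cross-site in an iFrame. It carries the three cookie settings from the post (HttpOnly, SameSite=None, Secure) and adds the checks a practitioner usually needs next: the antiforgery cookie must get the same SameSite treatment or form posts from inside the frame fail validation; the antiforgery feature's default X-Frame-Options: SAMEORIGIN header has to be suppressed and replaced by a CSP frame-ancestors restriction to the one site allowed to frame the app; and the middleware order has to put cookie policy before authentication and authentication before authorization, or [Authorize] sees no user. The cookie names app_auth and app_xsrf, the paths /Account/Login, and the origin https://parent.example are placeholders assumed for this example, and the legacy-browser user-agent check is a minimal stand-in for the fuller list in Microsoft's SameSite guidance.

```csharp
// Added example (not the poster's code): Startup for an ASP.NET Core 5.0 app framed cross-site.
// Placeholders: "app_auth", "app_xsrf", "/Account/Login", "https://parent.example".
using System;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.CookiePolicy;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllersWithViews();

        services.Configure<CookiePolicyOptions>(options =>
        {
            // Unspecified: the policy middleware does not override SameSite values
            // that the individual features below set explicitly.
            options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
            options.Secure = CookieSecurePolicy.Always;
            options.HttpOnly = HttpOnlyPolicy.None; // each cookie keeps its own HttpOnly setting

            // Browsers that predate the SameSite=None value (Safari 12 / iOS 12) treat it
            // as Strict and drop the cookie, so the attribute is removed for those agents.
            options.OnAppendCookie = ctx => DropSameSiteNoneForLegacyAgents(ctx.Context, ctx.CookieOptions);
            options.OnDeleteCookie = ctx => DropSameSiteNoneForLegacyAgents(ctx.Context, ctx.CookieOptions);
        });

        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(options =>
            {
                options.Cookie.Name = "app_auth";
                options.Cookie.HttpOnly = true;                  // script in the frame cannot read it
                options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
                options.Cookie.SameSite = SameSiteMode.None;     // needed to be sent inside a cross-site frame
                options.LoginPath = "/Account/Login";
                options.ExpireTimeSpan = TimeSpan.FromMinutes(30);
                options.SlidingExpiration = true;
            });

        services.AddAuthorization(options =>
        {
            options.AddPolicy("RequireAuthentication", policy => policy.RequireAuthenticatedUser());
        });

        // SameSite=None gives up the browser's own CSRF protection for the auth cookie, so
        // the antiforgery token is the remaining defence for state-changing POSTs. Its cookie
        // must also be SameSite=None or posts from inside the frame fail validation.
        services.AddAntiforgery(options =>
        {
            options.Cookie.Name = "app_xsrf";
            options.Cookie.SameSite = SameSiteMode.None;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            options.HeaderName = "X-XSRF-TOKEN";
            // Antiforgery adds "X-Frame-Options: SAMEORIGIN" by default, which blocks the
            // cross-site frame; suppress it and restrict framing with CSP instead (below).
            options.SuppressXFrameOptionsHeader = true;
        });
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        app.UseHttpsRedirection();
        app.UseStaticFiles();

        // Only the one expected parent origin may frame this app.
        app.Use(async (context, next) =>
        {
            context.Response.Headers["Content-Security-Policy"] = "frame-ancestors https://parent.example";
            await next();
        });

        app.UseRouting();

        // Order matters: cookie policy before authentication so it applies to the auth
        // cookie, and authentication before authorization or [Authorize] sees no user.
        app.UseCookiePolicy();
        app.UseAuthentication();
        app.UseAuthorization();

        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }

    private static void DropSameSiteNoneForLegacyAgents(HttpContext httpContext, CookieOptions options)
    {
        if (options.SameSite != SameSiteMode.None) return;

        string userAgent = httpContext.Request.Headers["User-Agent"].ToString();
        // Assumption for this example: only the iOS 12 / Safari 12 on macOS 10.14 cases are matched.
        bool legacy = userAgent.Contains("CPU iPhone OS 12") || userAgent.Contains("iPad; CPU OS 12")
            || (userAgent.Contains("Macintosh; Intel Mac OS X 10_14") && userAgent.Contains("Safari") && userAgent.Contains("Version/"));
        if (legacy) options.SameSite = SameSiteMode.Unspecified;
    }
}
```

A quick way to confirm the settings took effect is to load the framed page in the browser's developer tools and inspect the Set-Cookie headers on the login response: both app_auth and app_xsrf should carry Secure and SameSite=None, app_auth should additionally carry HttpOnly, and the response should have no X-Frame-Options header but a Content-Security-Policy with frame-ancestors. If any one of these is missing, the browser silently drops the cookie in the frame and [Authorize] redirects to the login path again.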