Browser ignores cookie if domain is set - asp.net

I need to share a cookie between two web applications deployed on Azure (e.g. x1.azurewebsites.net, x2.azurewebsites.net).
I thought that all I need to do is to set a domain:
Response.Cookies.Add(new HttpCookie("TEST", "BLE")
{
Domain = "azurewebsites.net"
});
But it's not working.
For test purposes I added:
Response.Cookies.Add(new HttpCookie("TEST2", "AQQ"));
And this one works OK - but it's available only on x1.azurewebsites.net.
So the question is: what's wrong with the code above?
Is it possible to share a cookie like this?
Maybe this is a security issue? - I understand that every application hosted on azurewebsites.net would have access to the information stored in my cookie.

I found my question similar to
Chrome34 ignores cookies with domain ".cloudapp.net"
So the cause of my issue is that the browser checks the publicsuffix.org list for domains and blocks such cookies for security reasons.
For more info please see:
http://publicsuffix.org/

RFC 2109 says that explicitly specified domains must start with a dot.
http://www.ietf.org/rfc/rfc2109.txt
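To make the two answers above concrete, here is an added example (not code from the question, the answers or ASP.NET) that models the checks a browser applies to a cookie's Domain attribute under RFC 6265, which replaced RFC 2109: a leading dot is ignored, the request host must domain-match the attribute, and a domain that is a public suffix is rejected outright. The public-suffix set is a small constructed subset of publicsuffix.org, just enough for the hosts discussed here; a real browser consults the full list.

```javascript
// Added example: model of the RFC 6265 Domain-attribute checks a browser performs
// before storing a cookie. PUBLIC_SUFFIXES is a constructed subset of the
// publicsuffix.org list (azurewebsites.net and cloudapp.net are on the real list).
const PUBLIC_SUFFIXES = new Set([
  "net",
  "com",
  "azurewebsites.net", // every Azure App Service tenant shares this suffix
  "cloudapp.net",
]);

// RFC 6265 section 5.1.3 "domain-matches": the host equals the domain, or the
// host ends with "." + domain. (IP-address hosts are not modelled here.)
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Returns { ok: true, domain, hostOnly } when the browser would store the cookie
// and { ok: false, reason } when it silently ignores it, as in the question.
function evaluateDomainAttribute(requestHost, domainAttr) {
  requestHost = requestHost.toLowerCase();
  if (!domainAttr) {
    // No Domain attribute: host-only cookie, scoped to the exact request host.
    return { ok: true, domain: requestHost, hostOnly: true };
  }
  let domain = domainAttr.toLowerCase();
  // Section 5.2.3: a leading dot (the RFC 2109 form) is stripped and ignored.
  if (domain.startsWith(".")) domain = domain.slice(1);
  if (PUBLIC_SUFFIXES.has(domain)) {
    // Section 5.3 step 5: a public-suffix domain is only allowed when the
    // request host *is* that suffix, which a tenant host never is.
    if (domain === requestHost) return { ok: true, domain, hostOnly: true };
    return { ok: false, reason: `"${domain}" is a public suffix` };
  }
  if (!domainMatches(requestHost, domain)) {
    return { ok: false, reason: `${requestHost} does not domain-match ${domain}` };
  }
  return { ok: true, domain, hostOnly: false };
}

// The two cookies from the question, set from x1.azurewebsites.net.
console.log(evaluateDomainAttribute("x1.azurewebsites.net", "azurewebsites.net"));
console.log(evaluateDomainAttribute("x1.azurewebsites.net", undefined));
```

The TEST cookie fails on the public-suffix rule, not on the missing leading dot: the same function accepts ".x.y.local" and "x.y.local" alike for a request to w.x.y.local, which is why the only way to share state across azurewebsites.net tenants is a custom domain you control, or a token passed explicitly rather than a cookie.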

Related

.NET Core 2.2 with Identity Server 4 SameSite Cookie Changes Issue

I have a Single page web application with consists of the following
Angular 8 Front End
.Net Core Web Api Back End
.Net Core Identity Server Authentication Server
I recently started to see a few warnings in my console which reads - "A cookie associated with a cross-site resource at "" was set without the 'SameSite' attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with 'SameSite=None' and 'Secure'.
So based upon this I did a little bit of research and landed on the following article, which happens to explain everything that is going on in detail.
Explanation of Cookie Issue
I read the article over several times and think I have a grasp of it, but still I am struggling with one simple aspect of it. There are a few areas where they ask you to add some code to your "Project". My question is (being still somewhat of a newbie with Identity Server and its inner workings): what is the "Project" they are referring to? I am not exactly sure where to put the code they provide in order to fix the issue.
For me it's not so obvious where exactly to put the provided code. I have 2 Visual Studio solutions - one representing my authentication server (Identity Server) and one for my Web Api. Which of these solutions' Startup.cs files do I add the code solution to?
If I add it to my Identity Server project, my confusion is that I am not using any "Cookie Based Authentication" so there exists nowhere in my identity server project which I have a place that sets a cookie and I know part of the solution, mentioned in the article, is to add a cookie which is both "Secure" and is set to "Same-Site=None". Where in the project do I create this type of cookie?
One more thing I did notice is that once the cookies are set they are not being deleted when a logout is performed.
Keep in mind that these issues are only occurring on macOS running Google Chrome. If I run my application on a Windows PC, I still see the warnings, but I am able to log out and clear all existing cookies.
You will get the console warning below in Google Chrome, and your Identity Server fails to redirect to the client (which could be a React app or an Angular app) on Chrome version 80.
A cookie associated with a resource at was set with SameSite=None but without Secure. It has been blocked, as Chrome now only delivers cookies marked SameSite=None if they are also marked Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5633521622188032.
To fix this, you need to make the changes mentioned in the link below -
https://www.thinktecture.com/en/identity/samesite/prepare-your-identityserver/
NOTE: For .NET Core 2.2, set SameSite = (SameSiteMode)(-1); for .NET Core 3.0 or above, set SameSite = SameSiteMode.Unspecified.
Also, for Chrome version 80, add this extra condition -
if ( userAgent.Contains("Chrome/8"))
{
return true;
}
IdentityServer will always create a cookie when you log in.
You can read more here - http://docs.identityserver.io/en/3.1.0/topics/signin.html
It means IdentityServer uses a cookie to authenticate the user.
You can configure the SameSite cookie as follows:
services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
.AddCookie("Cookies", options =>
{
options.Cookie.SameSite = SameSiteMode.Lax;
});
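As an added example (not from the question, the answers, the linked article or IdentityServer), here are the Chrome 80 rules behind the two console messages quoted above, modelled in JavaScript, together with a port of the user-agent check the linked article builds its cookie policy around. That check comes from Chromium's published list of clients that mishandle SameSite=None (iOS 12 and Safari on macOS 10.14 treat it as Strict; Chrome 51 to 66 drop the cookie); Chrome 80 itself is not on that list, it is the version that enforces the new defaults. The Set-Cookie headers and user-agent strings in the block are constructed samples.

```javascript
// Added example: Chrome 80 SameSite storage and sending rules, plus the
// "incompatible client" user-agent check. Sample headers/UAs are constructed.

// Minimal Set-Cookie parser: name/value plus the two attributes that matter here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), secure: false, sameSite: null };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.trim().toLowerCase();
    if (key === "secure") cookie.secure = true;
    else if (key === "samesite") cookie.sameSite = v.trim().toLowerCase();
  }
  return cookie;
}

// Chrome 80 storage rule: SameSite=None is only honoured together with Secure;
// a missing or unrecognised SameSite value is treated as Lax ("Lax by default").
function chrome80Accepts(header) {
  const c = parseSetCookie(header);
  if (c.sameSite === "none" && !c.secure) {
    return { accepted: false, reason: "SameSite=None without Secure is blocked" };
  }
  const mode = ["strict", "lax", "none"].includes(c.sameSite) ? c.sameSite : "lax";
  return { accepted: true, name: c.name, mode, secure: c.secure };
}

// Chrome 80 sending rule for a request whose initiator is another site:
// None -> always, Lax -> only top-level GET navigations, Strict -> never.
// (The cross-site POST case is the OIDC form_post redirect that breaks logins.)
function sentCrossSite(cookie, { topLevelNavigation, method }) {
  switch (cookie.mode) {
    case "none": return true;
    case "lax": return topLevelNavigation && method === "GET";
    default: return false;
  }
}

// Clients known to reject or misread SameSite=None; for these the attribute
// should be left unspecified rather than set to None.
function disallowsSameSiteNone(userAgent) {
  if (!userAgent) return false;
  if (userAgent.includes("CPU iPhone OS 12") || userAgent.includes("iPad; CPU OS 12")) return true;
  if (userAgent.includes("Macintosh; Intel Mac OS X 10_14") &&
      userAgent.includes("Version/") && userAgent.includes("Safari")) return true;
  if (/Chrome\/(5[1-9]|6[0-6])\./.test(userAgent)) return true; // Chrome 51-66 drop the cookie
  return false;
}

// Constructed samples.
console.log(chrome80Accepts("idsrv=ticket; Path=/; SameSite=None"));
console.log(chrome80Accepts("idsrv=ticket; Path=/; SameSite=None; Secure"));
console.log(sentCrossSite(chrome80Accepts("idsrv=ticket"), { topLevelNavigation: true, method: "POST" }));
console.log(disallowsSameSiteNone("Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15"));
```

Run against the two IdentityServer cookies, this shows why the login redirect fails on Chrome 80: with SameSite left unset the session cookie becomes Lax and is not attached to the cross-site form POST back to the client, and with SameSite=None but no Secure it is never stored at all. The only combination that works on HTTPS is `SameSite=None; Secure`, which is what the linked article's cookie policy emits for every client except the ones `disallowsSameSiteNone` flags.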

ACS - bypassing user redirection to IdP?

I have only recently been looking into ACS, AAL and WAAD, and I would like to avoid redirecting users to the login page of their IdP. I want to keep my users within my site and present them with a dropdown to choose who they wish to authenticate with and an area to request a username and password, then acquire the token via code. Is this possible?
I have been reviewing some sample applications and produced a quick mock-up, but can't seem to get things working, e.g.
_authContext = new AuthenticationContext("https://littledeadbunny.accesscontrol.windows.net");
string enteredEmailDomain = UserNameTextbox.Text.Substring(UserNameTextbox.Text.IndexOf('@') + 1);
IList<IdentityProviderDescriptor> idpdList = _authContext.GetProviders("http://littledeadbunny.com/NonInteractive");
foreach (IdentityProviderDescriptor idpd in idpdList)
{
if (String.Compare(ServiceRealmDropDownList.SelectedValue, idpd.Name, StringComparison.OrdinalIgnoreCase) == 0)
{
Credential credential;
credential = new UsernamePasswordCredential(enteredEmailDomain, UserNameTextbox.Text, PasswordTextbox.Text);
_assertionCredential = _authContext.AcquireToken("http://littledeadbunny.com/NonInteractive", idpd, credential);
return;
}
}
Using the code above, when I try to use the Windows Azure Active Directory user (admin), I get the error "Data at the root level is invalid. Line 1, position 1." where I attempt to AcquireToken.
When I use Google, I get an error "0x8010000C: No identity provider matches the requested protocol".
Is there a working sample? If I am doing something obviously wrong, I would appreciate the correction.
This is not supported for passive identity providers. IdPs like Google, Facebook, etc. don't want other people collecting credentials for them, as this leads to security issues and possible phishing attacks. They also don't support it because they need to be able to show a permission dialog (that screen that asks the user if they want to release data to you) which they can't do without the browser redirecting to them. Furthermore, Google in particular supports two-factor auth, which you couldn't replicate, and generally collecting credentials opens up whole cans of worms around other UI problems such as incorrect or forgotten passwords.
This is also generally a bad user experience, because your users are fairly likely to already be logged in to Google and have cookies there. If so, and if they've already consented to your app, they would just be silently redirected back to you. In your scenario, even if the user is already logged in they'd still have to provide a username/password.
The correct way to do these sorts of logins is to render a browser control in your app that allows the user to log in at their IdP, which is what AAL helps with.
I had the same error; executing a PowerShell script solved that error:
PS C:\windows\system32> $replyUrl = New-MsolServicePrincipalAddresses -Address https://mydomain.accesscontrol.windows.net/
PS C:\windows\system32> New-MsolServicePrincipal -ServicePrincipalNames @("https://mydomain.accesscontrol.windows.net/") -DisplayName "MyDomain Namespace" -Addresses $replyUrl
But I'm stuck anyway with a 403 permission error.
If you get any further, I would like to know how :)

Strange behavior on cookie domain

Background:
AspNet web app / C# 3.5
IIS7
VS 2010
Windows 7
When user is authenticated, we create a cookie, this way:
var cookieASP = FormsAuthentication.GetAuthCookie(user.Id, true);
cookieASP.Domain = "x.y.local";
Yes, domain is hard coded for this example.
Using a cookie viewer extension in Firefox 11, I can see that the domain of the cookie is .x.y.local, with a leading dot. I know that it allows the cookie to be shared between w.x.y.local and q.x.y.local. OK.
But, when user clicks on disconnect, he is not kicked out...
var cookieAsp = System.Web.Security.FormsAuthentication.GetAuthCookie(u.Identifiant, true);
cookieAsp.Expires = DateTime.Now.AddDays(-10);
Response.Cookies.Set(cookieAsp);
FormsAuthentication.SignOut();
And with debugger we can see that cookieAsp.Domain is null. And cookie is not removed from browser's cookies.
If I edit the cookie domain (directly in the browser) and set it to x.y.local without the leading dot, the cookie is deleted and the user disconnected.
I don't understand why this dot is added, and why it is not understood properly by the browser.
EDIT (of major importance, I guess): we are doing it this way because if we don't set the domain, then IE8 (only 8) can't understand our cookie...
When you want to remove a cookie, you have to specify the cookie with the exact domain of the cookie you want to remove. The cookies domain is not sent by the browser on a request, so you will always get a null value when you try to inspect it within a debugger session.
So before Response.Cookies.Set(cookieAsp); add cookieAsp.Domain = "x.y.local";.
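To show why the answer above works, here is an added example (not code from the question or the answer) that models the RFC 6265 cookie store: a cookie is identified by name, domain and path, a Set-Cookie without a Domain attribute addresses a host-only cookie for the request host, and only a replacement with the same three values can expire the original. The host names follow the question; the cookie name ".ASPXAUTH" (the default forms-authentication cookie) and the value are assumptions.

```javascript
// Added example: model of the RFC 6265 cookie store explaining why an auth cookie
// stored with Domain=x.y.local survives a logout that omits the Domain attribute.
// Host names are from the question; ".ASPXAUTH" and "ticket" are assumed values.
class CookieStore {
  constructor() { this.cookies = new Map(); }

  // Section 5.3: cookies are identified by (name, domain, path). With no Domain
  // attribute the cookie is host-only and its domain is the request host itself.
  static key(name, domain, path) { return `${name}|${domain}|${path}`; }

  set(requestHost, { name, value, domain, path = "/", expires }) {
    let hostOnly = true;
    let cookieDomain = requestHost.toLowerCase();
    if (domain) {
      cookieDomain = domain.toLowerCase().replace(/^\./, ""); // leading dot ignored
      hostOnly = false;
    }
    const k = CookieStore.key(name, cookieDomain, path);
    const expired = expires !== undefined && expires <= Date.now();
    // Steps 11-12: an existing cookie with the same name, domain and path is
    // replaced; a cookie that is already expired is evicted instead of stored.
    this.cookies.delete(k);
    if (!expired) this.cookies.set(k, { name, value, domain: cookieDomain, path, hostOnly });
    return { domain: cookieDomain, hostOnly, stored: !expired };
  }

  // Section 5.4: cookies a request to `host` carries. Host-only cookies need an
  // exact host match; domain cookies match the domain and its subdomains.
  cookiesFor(host) {
    host = host.toLowerCase();
    return [...this.cookies.values()].filter((c) =>
      c.hostOnly ? c.domain === host : host === c.domain || host.endsWith("." + c.domain));
  }
}

// Login from w.x.y.local with Domain = "x.y.local", then logout with the cookie
// expired ten days in the past (DateTime.Now.AddDays(-10)), with or without
// restating the Domain attribute. Returns the auth cookie names still sent.
function simulateLogout(restateDomain) {
  const store = new CookieStore();
  const past = Date.now() - 10 * 24 * 3600 * 1000;
  store.set("w.x.y.local", { name: ".ASPXAUTH", value: "ticket", domain: "x.y.local" });
  store.set("w.x.y.local", {
    name: ".ASPXAUTH", value: "", expires: past,
    domain: restateDomain ? "x.y.local" : undefined,
  });
  return store.cookiesFor("w.x.y.local").map((c) => c.name);
}

console.log("logout without Domain:", simulateLogout(false)); // cookie still sent
console.log("logout with Domain:   ", simulateLogout(true));  // cookie gone
```

The expired cookie sent without a Domain attribute targets the key `.ASPXAUTH|w.x.y.local|/`, which does not exist, so it is simply discarded while the domain cookie under `.ASPXAUTH|x.y.local|/` keeps authenticating the user. The same rule applies to Path: a logout cookie must also carry the same Path as the one it is meant to remove.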

How to use SharpSVN in ASP.NET?

Trying to use SharpSVN in an ASP.NET app. So far, it's been nothing but trouble. First, I kept getting permission errors on "lock" files (that don't exist), even though NETWORK SERVICE has full permissions on the directories. Finally, in frustration, I just granted Everyone full control. Now I get a new error:
OPTIONS of 'https://server/svn/repo': authorization failed: Could not authenticate to server: rejected Basic challenge (https://server)
This happens whether I have the DefaultCredentials set below or not:
using (SvnClient client = new SvnClient())
{
//client.Authentication.DefaultCredentials = new System.Net.NetworkCredential("user", "password");
client.LoadConfiguration(@"C:\users\myuser\AppData\Roaming\Subversion");
SvnUpdateResult result;
client.Update(workingdir, out result);
}
Any clues? I wish there was SOME documentation with this library, as it seems so useful.
The user you need to grant permission to is most likely the ASPNET user, as that's the user the ASP.NET code runs as by default.
The ASPNET user is a local account; preferably you'd want to run this code in an Impersonate block, using a network account set up for this specific reason.

ASP Net - Forms Authentication with Active Directory Problem

I have an error...
The container specified in the connection string does not exist
Basically, I am using Active Directory authentication in ASP.NET.
I have set up my connection string.
I am still very new to AD.
I appreciate any help.
thanks
You'll probably be better off specifying the root NC name in your connection.
LDAP://YourADServer/DC=cene,DC=edc,DC=CompName,DC=com
Unless there is a good reason why you don't want searches to be done domain-wide, I'd set it up like that.
You can try ldp.exe to connect to the AD server you have specified in the path and see if that works.
One thing you might want to be aware of is that Active Directory and Forms Authentication are not the same thing. You will use one or the other to Authenticate and Authorize.
I think your LDAP string should be formatted thus:
"LDAP://DCServer.BUSINESSPLUSPLUS.com/CN=Users,DC=BUSINESSPLUSPLUS,DC=com"
