Asp.net-core – Cookie not being set in iframe

Tags: asp.net-core, c3.js, cookies, identityserver4, iframe

I have an Identity Server (v4) on one server and a web application on a different server & domain. I only need windows authentication, and everything works fine with a redirect. However, I noticed that silent sign-in works if the cookie hasn't yet expired.

If the cookie has expired, a redirect is currently necessary, which works fine. Unfortunately, however, this would mean that if there's data the user hasn't saved on the current screen they will lose it unless I implement a caching mechanism. Instead, I want to set a hidden iframe that simply navigates to the Identity Server and auto-logs in if the user is inside the company infrastructure (which they always will be).

After hours of debugging I have found that while cookies are correctly sent from the iframe, any that are SET don't seem to work. They show up in the Chrome debugger as a response cookie, but are not sent along on the next redirect as request cookies, and I don't know why.

On response:

Cookie Options: SameSite Lax, HTTP true, Secure true, Path /

Headers:

Content-Security-Policy: default-src 'self'; object-src 'none'; frame-src localhost:44388; frame-ancestors 'self' https://localhost:44388/; sandbox allow-forms allow-same-origin allow-scripts; base-uri 'self';

Persistent-Auth: true

Pragma: no-cache

Referrer-Policy: no-referrer

WWW-Authenticate: Negotiate oRswGaADCgEAoxIEEAEAAABJ+0p/zH0aeAAAAAA=

X-Content-Security-Policy: default-src 'self'; object-src 'none'; frame-src localhost:44388; frame-ancestors 'self' https://localhost:44388/; sandbox allow-forms allow-same-origin allow-scripts; base-uri 'self';

X-Content-Type-Options: nosniff

X-Frame-Options: ALLOW-FROM https://localhost:44388/

Best Answer

From August 2020 you have to set SameSite to None, and secure to True.

In PHP it could be done with something like:

setcookie("variable", 1, time() + (86400), "/; SameSite=None; Secure");

In JavaScript it will be similar, after the path option:

document.cookie = "cookiename=" + 0 + "; Domain=.yourdomain.net; path=/; SameSite=None; Secure";
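To see why the question's `SameSite=Lax` cookie is dropped on the redirect inside the hidden iframe, and why the answer's `SameSite=None; Secure` fixes it, here is an added example (not code from the question, the answer, IdentityServer4 or ASP.NET Core) that models the browser's SameSite rules as they have applied since Chrome 80's "Lax by default" change. The host names `app.example.com` and `idp.example.net`, the cookie name `idsrv` and the `silentSignInWorks` helper are constructed for illustration; the site computation is simplified to the last two host labels rather than the Public Suffix List, and the localhost exception for `Secure` over plain http is ignored.

```javascript
// Registrable domain ("site") of a URL. Simplified to the last two labels,
// which is enough for the constructed hostnames in this example; real
// browsers use the Public Suffix List.
function siteOf(url) {
  const host = new URL(url).hostname;
  return host.split('.').slice(-2).join('.');
}

// Parse a Set-Cookie header value into its name/value and the attributes
// that matter for SameSite behaviour. An absent SameSite attribute is
// treated as Lax, which is the modern browser default the answer refers to.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq), value: pair.slice(eq + 1),
    secure: false, httpOnly: false, sameSite: 'Lax', path: '/',
  };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i < 0 ? '' : attr.slice(i + 1);
    switch (key) {
      case 'secure':   cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'path':     cookie.path = val; break;
      case 'domain':   cookie.domain = val; break;
      case 'samesite':
        cookie.sameSite = val ? val[0].toUpperCase() + val.slice(1).toLowerCase() : 'Lax';
        break;
    }
  }
  return cookie;
}

// Would the browser store this cookie at all? SameSite=None is rejected
// unless Secure is also set, and a Secure cookie cannot be set over http.
function browserAccepts(cookie, responseUrl) {
  if (cookie.sameSite === 'None' && !cookie.secure) return false;
  if (cookie.secure && new URL(responseUrl).protocol !== 'https:') return false;
  return true;
}

// Would the browser attach the cookie to a request? "Same-site" is judged
// against the site of the top-level document, not the iframe's own URL.
// ctx: { url, topLevelSite, method, isTopLevelNavigation }
function isSent(cookie, ctx) {
  if (cookie.secure && new URL(ctx.url).protocol !== 'https:') return false;
  if (siteOf(ctx.url) === ctx.topLevelSite) return true;   // same-site: always sent
  switch (cookie.sameSite) {
    case 'Strict': return false;
    case 'Lax':    return ctx.isTopLevelNavigation && ctx.method === 'GET';
    case 'None':   return true;
    default:       return false;
  }
}

// The question's scenario: the app at app.example.com embeds a hidden iframe
// pointing at the IdP at idp.example.net (a different site). The IdP sets a
// cookie and then redirects within the iframe; is the cookie on that request?
function silentSignInWorks(setCookieHeader) {
  const idp = 'https://idp.example.net/';
  const cookie = parseSetCookie(setCookieHeader);
  if (!browserAccepts(cookie, idp)) return false;
  return isSent(cookie, {
    url: idp + 'connect/authorize',
    topLevelSite: siteOf('https://app.example.com/'),
    method: 'GET',
    isTopLevelNavigation: false,   // the redirect happens inside the iframe
  });
}

// The same cookie on a full-page redirect (the flow the question says works).
function redirectSignInWorks(setCookieHeader) {
  const idp = 'https://idp.example.net/';
  const cookie = parseSetCookie(setCookieHeader);
  if (!browserAccepts(cookie, idp)) return false;
  return isSent(cookie, {
    url: idp + 'connect/authorize',
    topLevelSite: siteOf('https://app.example.com/'),
    method: 'GET',
    isTopLevelNavigation: true,
  });
}
```

Running `silentSignInWorks` with the question's cookie options (`Secure; HttpOnly; SameSite=Lax`) returns false, because a Lax cookie is only attached to cross-site requests that are top-level GET navigations, which an iframe navigation is not; the same cookie with `SameSite=None; Secure` returns true, and `SameSite=None` without `Secure` is rejected outright, which is the caveat to check when applying the answer. The practical consequence of `SameSite=None` is that the IdP cookie now rides along on any cross-site request, so the IdP must rely on its own CSRF protections (anti-forgery tokens, origin checks) rather than on SameSite for that.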