SameSite Cookie login troubleshooting

 We will use network tab to capture redirect request when logging in to found the root cause

  • F12 to open developer console and switch to Network tab
  • Login to the Commerce Manger site
=> We would focus on the request that has Status 302 and Initiator CommerceManager.aspx
  • Click on that request and switch to Cookies tab
=> Response Cookie is yellow mean it has been blocked and that is why it keep showing you the login page 🙂
Obviously, as it's blocked, no cookies have been used for the next request
  • So how do we resolve it, we saw 2 exclamation mark in columns Secure and SamesSite, just hover on it and there will be a hint to solve :v
  • When hover on SameSite exclamation mark, there will be a message "This Set-Cookie didn't specify a "SameSite" attribute and was defaulted to "SameSite=Lax", and was blocked because it came from a cross-site response which was not the response to top-level navigation. The Set-Cookie had to have been set with "SameSite=None" to enable cross-site usage"
=> the fix adding cookieSameSite="None" and this rewrite rules to the web.config
<system.webServer>


<rewrite>


      <outboundRules>


        <rule name="Add SameSiteNone">


          <match serverVariable="RESPONSE_Set_Cookie" pattern=".+" />


          <conditions>


            <add input="{R:0}" pattern="; SameSite=None" negate="true" />


          </conditions>


          <action type="Rewrite" value="{R:0}; SameSite=None" />


        </rule>


      </outboundRules>


</rewrite>


</system.webServer>
  • The result is better now, SameSite is None but got a new message "This Set-Cookie was blocked because it had the "SameSite=None" attribute but did not have the "Secure" attribure "
=> the fix is adding requireSSL = true and this rewrite rules to the web.config:
<system.webServer>


<rewrite>


      <outboundRules>


        <rule name="Add SameSiteNone">


          <match serverVariable="RESPONSE_Set_Cookie" pattern=".+" />


          <conditions>


            <add input="{R:0}" pattern="; SameSite=None" negate="true" />


          </conditions>


          <action type="Rewrite" value="{R:0}; SameSite=None" />


        </rule>


        <rule name="Add Secure">


          <match serverVariable="RESPONSE_Set_Cookie" pattern=".+" />


          <conditions>


            <add input="{R:0}" pattern="; Secure" negate="true" />


          </conditions>


          <action type="Rewrite" value="{R:0}; Secure" />


        </rule>


      </outboundRules>


</rewrite>


</system.webServer>
  • Hola, only 1 exclamation mark left
=> The error "This Set-Cookie was blocked because it had the Secure attribute but was not received over a secure connection. This Set-Cookie was blocked because it was not sent over a secure connection and would have overwritten a cookie with the Secure attribute"
=> The fix is using https instead of http for Commerce Manager Link

Comments

Post a Comment

Popular posts from this blog

Optimizely Content Graph: minimal setup for testing

Image
 1. Create a test page: [ContentType(DisplayName = "Test Page", GUID = "462d1812-7385-42c3-8073-c1b7481e7b21", Description = "TestPage", AvailableInEditMode = true, GroupName = GroupNames.Content)] public class TestPage : PageData { [CultureSpecific] [UIHint(UIHint.Textarea)] [Display(Name = "Test", GroupName = SystemTabNames.Content, Order = 1)] public virtual string Test { get; set; } } 2. Add this in Startup services.AddContentGraph(configureOptions: options => { options.SynchronizationEnabled = false; options.Include.ContentTypes = new string[] { typeof(TestPage).Name, }; options.OnlySyncContentTypesInWhitelistToSchema = true; options.ContentVersionSyncMode = Optimizely.ContentGraph.Cms.Configuration.ContentVersionSyncMode.PublishedOnly; }); 3. Create a test page in UI    4. Run the index job again {      "took": 0,  ...
Read more

Episerver ServiceAPI: Example of how-to properly call the media upload

Image
For the example of how-to properly call the media upload, you can refer to my Postman collection: https://github.com/KhanhPham2411/EpiserverAPI_PostmanCollection/blob/main/ServiceAPI/ServiceAPI_Collections.json   For the detail steps: Copy the raw content to Postman: https://raw.githubusercontent.com/KhanhPham2411/EpiserverAPI_PostmanCollection/main/ServiceAPI/ServiceAPI_Collections.json   2. Get ServiceAPI NetCore Token   3. Post to Assets/Import Example media file: https://github.com/KhanhPham2411/EpiserverAPI_PostmanCollection/blob/main/ServiceAPI/01-CreateMediaWithBlob.zip 4. To verify your import is working, use that task id to get task log:      
Read more