I have two microservices. One is for identity. I am trying to set an auth cookie and I have this middleware:
// Cookie policy middleware as posted: no minimum SameSite, Secure not enforced,
// HttpOnly not enforced.
app.UseCookiePolicy(new CookiePolicyOptions
{
    MinimumSameSitePolicy = SameSiteMode.None,
    Secure = CookieSecurePolicy.None,
    HttpOnly = Microsoft.AspNetCore.CookiePolicy.HttpOnlyPolicy.None
});
And also this service:
// Cookie authentication as posted: SameSite=None is requested, but the cookie
// is not marked Secure (CookieSecurePolicy.None), so it is emitted over plain HTTP too.
services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.Cookie.HttpOnly = true;
        options.Cookie.SameSite = SameSiteMode.None;
        options.Cookie.SecurePolicy = CookieSecurePolicy.None;
        options.Cookie.IsEssential = true;
    });
And the browser also throws this warning:
So I want to know whether it is possible to set the cookie without HTTPS.
CodePudding user response:
You need to set the cookie over HTTPS, otherwise it will not work.
This is because the SameSite cookie functionality requires that it is done over HTTPS when the cookie reaches the browser.
see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
That says:
Cookies with SameSite=None must now also specify the Secure attribute (they require a secure context/HTTPS).
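The configuration that satisfies that rule, shown here as an added example written for this page (it is not code from the question or the answer): the auth cookie keeps SameSite=None for cross-site use, but both the authentication options and the cookie policy middleware now force the Secure attribute, and plain-HTTP requests are redirected to HTTPS before any cookie is issued. The cookie name "identity.auth", the /login endpoint and the "demo-user" claim are assumptions made for the example; the rest is the standard ASP.NET Core (.NET 6+ minimal hosting) API.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.CookiePolicy;
using Microsoft.AspNetCore.Http;

var builder = WebApplication.CreateBuilder(args);

// Cross-site cookie: the identity service sits on a different site than the
// caller, so SameSite=None is required. Browsers only honour SameSite=None
// together with Secure, so SecurePolicy must be Always (the question had None).
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.Cookie.Name = "identity.auth";                     // assumed name
        options.Cookie.HttpOnly = true;                            // not readable from script
        options.Cookie.SameSite = SameSiteMode.None;               // cross-site use
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;   // was CookieSecurePolicy.None
        options.Cookie.IsEssential = true;
    });

var app = builder.Build();

// Plain-HTTP requests are bounced to HTTPS before the cookie is ever set.
app.UseHttpsRedirection();

// The policy middleware must not relax what the auth options set:
// MinimumSameSitePolicy.None lets SameSite=None through, Secure=Always stamps
// the Secure attribute on every cookie the app emits, HttpOnly likewise.
app.UseCookiePolicy(new CookiePolicyOptions
{
    MinimumSameSitePolicy = SameSiteMode.None,
    Secure = CookieSecurePolicy.Always,        // was CookieSecurePolicy.None
    HttpOnly = HttpOnlyPolicy.Always           // was HttpOnlyPolicy.None
});

app.UseAuthentication();

// Assumed endpoint that issues the cookie; the claim is constructed for the example.
app.MapGet("/login", async (HttpContext ctx) =>
{
    var claims = new[] { new Claim(ClaimTypes.Name, "demo-user") };
    var identity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
    await ctx.SignInAsync(new ClaimsPrincipal(identity));
    return Results.Ok("cookie issued");
});

app.Run();
```

With this in place the response carries `Set-Cookie: identity.auth=...; path=/; secure; samesite=none; httponly`, which is what the MDN rule quoted above requires. If the two services are actually on the same site (same registrable domain) the cross-site cookie is not needed at all, and `SameSiteMode.Lax` with `CookieSecurePolicy.SameAsRequest` works over plain HTTP for local development, because the Secure requirement only applies to SameSite=None.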