0
$\begingroup$

I'm running a .NET framework 4.7.2 application using OWIN cookie authentication under IIS as a virtual application locally (e.g., https://example.test/cms/) but I end up in and endless redirect loop after I navigate to https://example.test/cms/ and logged in there. It validates the security token but the .AspNet.Cookies cookie does not seem to persist which causes an endless loop.

I configured the Redirect URI as https://example.test/cms/signin-oidc/ and I have a valid self-signed certificate for HTTPS. Am I missing something?

        public static void ConfigureAuthentication(IAppBuilder app)
        {
            var clientId = SsoConfig.Instance.ClientId;
            var authority = $"https://login.microsoftonline.com/{SsoConfig.Instance.TenantId}/v2.0";
            var redirectUri = SsoConfig.Instance.RedirectUri;

            var loggingCookieManager = new LoggingCookieManager();

            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                CookieSecure = CookieSecureOption.Always,
                ExpireTimeSpan = TimeSpan.FromHours(1),
                CookiePath = "/cms",
                CookieManager = loggingCookieManager,
            });

            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                CookieManager = loggingCookieManager,
                ClientId = clientId,
                Authority = authority,
                RedirectUri = redirectUri,
                ResponseType = OpenIdConnectResponseType.CodeIdToken,
                Scope = "openid profile email offline_access",
                TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true
                },
                RequireHttpsMetadata = true,
                SignInAsAuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            });
        }

And my Cookie Manager is just a wrapper for debugging.

    public class LoggingCookieManager : ICookieManager
    {
        private readonly ICookieManager _inner;

        public LoggingCookieManager(ICookieManager inner = null)
        {
            _inner = inner ?? new CookieManager();
        }

        public string GetRequestCookie(IOwinContext context, string key)
        {
            var val = _inner.GetRequestCookie(context, key);
            Debug.WriteLine($"GetRequestCookie: {key} = {val}");
            return val;
        }

        public void AppendResponseCookie(IOwinContext context, string key, string value, CookieOptions options)
        {
            options.SameSite = Microsoft.Owin.SameSiteMode.None; // to make sure the cookie is sent in all contexts (cross-site)
            Debug.WriteLine($"AppendResponseCookie: {key} = {value}, Path={options.Path}, SameSite={options.SameSite}, Secure={options.Secure}");
            _inner.AppendResponseCookie(context, key, value, options);
        }

        public void DeleteCookie(IOwinContext context, string key, CookieOptions options)
        {
            Debug.WriteLine($"DeleteCookie: {key}");
            _inner.DeleteCookie(context, key, options);
        }
    }

I hoped the Cookie Manager wrapper gave me some more insights but it did not. It seemed to set the cookie correctly as .AspNet.Cookies=<cookie-value-here>; path=/cms; secure; HttpOnly; SameSite=None. But the next time it called GetRequestCookie at https://example.test/cms/ the cookie was null.

Improve this question
$\endgroup$
5
  • $\begingroup$ Are you really setting path=/cms, and invoke your app via https://example.test/myapp/? $\endgroup$ Commented Sep 30, 2025 at 7:34
  • $\begingroup$ @C3roe Yes I'm sure of that! $\endgroup$ Commented Oct 2, 2025 at 7:10
  • $\begingroup$ Well then it obviously can't work - you are saying the cookie is only valid for URL paths starting with /cms, but the URL path you are requesting starts with /myapp/. $\endgroup$ Commented Oct 2, 2025 at 7:22
  • $\begingroup$ @C3roe ah yes sorry I read your previous comment too quickly. I used this URL as an example. I am indeed using /cms, so I modified the post now. $\endgroup$ Commented Oct 2, 2025 at 11:35
  • $\begingroup$ What does the Set-Cookie header the browser receives look like? Any warnings about cookies in the console, any marked as having an issue in the dev tools cookie list? $\endgroup$ Commented Oct 2, 2025 at 11:57
Related questions
1359
How do I set/unset a cookie with jQuery?
334
The Web Application Project [...] is configured to use IIS. The Web server [...] could not be found.
282
How can I set cookie in node js using express framework?
Load 3 more related questions Show fewer related questions

0

Reset to default

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.