Beware of SameSite cookie policy in ASP.NET Core and upcoming iOS 12

I have recently stumbled across a bug in iOS 12 preview which sort of breaks existing sites which make use of OpenID Connect middleware in ASP.NET Core 2.1.

As iOS 12 is getting closer to release, I decided to install it on my iPad for testing. After trying to access some of our company’s internal sites I always ended up in a redirect loop – basically AAD > site > AAD > site etc. – never ending.

After doing some research and borrowing my friend’s MacBook to debug the browser on iOS, I noticed that the browser was not persisting cookies from our site. Going a bit further, I also tried other sites – Microsoft’s https://admin.teams.microsoft.com for example – which ended up with the same issue.

After that, I did some research into the cookie configuration and the culprit surfaced – the SameSite policy in the Cookie Authentication middleware! The default configuration of the Cookie Authentication cookie sets SameSite to Lax, which means that the browser will not accept the cookie from the site when it was redirected to the site by a POST request (which is exactly how AAD returns the sign-in response).

SameSite is a browser-level measure to fight CSRF attacks: it tells the browser when a cookie may be attached to cross-site requests. So now that we have the root cause, what can we do about it?

In order for your ASP.NET Core 2.1 application to work with iOS 12, you need to configure CookiePolicyOptions along with the Cookie.SameSite policy as well:
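The following Startup class is an added example and not the snippet from the original post. It shows the two places where SameSite has to be relaxed in an ASP.NET Core 2.1 application using cookie authentication with OpenID Connect: the CookiePolicyOptions (whose default MinimumSameSitePolicy would otherwise upgrade the cookie back to Lax) and the authentication cookie itself. The tenant and client ID values are placeholders.

```csharp
// Added example (not the original post's code): Startup.cs for ASP.NET Core 2.1
// with cookie authentication + OpenID Connect. Both the cookie policy middleware
// and the authentication cookie default to SameSite=Lax; both must be relaxed.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // 1. Cookie policy middleware. Its default MinimumSameSitePolicy is Lax,
        //    which would override whatever the authentication cookie asks for.
        services.Configure<CookiePolicyOptions>(options =>
        {
            options.MinimumSameSitePolicy = SameSiteMode.None;
        });

        services.AddAuthentication(options =>
            {
                options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
            })
            // 2. The authentication cookie itself (default SameSite is Lax).
            .AddCookie(options =>
            {
                options.Cookie.SameSite = SameSiteMode.None;
                // Keep the cookie HTTPS-only; relaxing SameSite is no reason to
                // let it travel over plain HTTP.
                options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            })
            .AddOpenIdConnect(options =>
            {
                // Placeholder values; use your own AAD tenant and app registration.
                options.Authority = "https://login.microsoftonline.com/<tenant-id>";
                options.ClientId = "<client-id>";
                options.ResponseType = "id_token";
            });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        // UseCookiePolicy must run before UseAuthentication so the relaxed
        // policy applies to the cookies the authentication handlers write.
        app.UseCookiePolicy();
        app.UseAuthentication();
        app.UseMvc();
    }
}
```

Two things to keep in mind with this configuration. First, setting SameSite to None gives up the browser-side CSRF protection for that cookie, so the application should keep validating antiforgery tokens on state-changing actions (the `[ValidateAntiForgeryToken]` attribute in MVC) rather than relying on SameSite alone. Second, on ASP.NET Core 2.1 as released at the time of this post, `SameSiteMode.None` means the SameSite attribute is simply omitted from the Set-Cookie header; you can confirm what is actually sent by inspecting the Set-Cookie response header in the browser's developer tools.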

After that, your site is going to work on iOS 12 again. I did some more research and found out that other major browsers implement the SameSite cookie policy as well; however, I couldn’t reproduce the same issue there. This made me wonder whether they are doing some sort of magic or whether something is broken in iOS 12, so I went ahead and submitted a bug report to WebKit. After a couple of hours of waiting, Apple engineers reached out and I provided them with credentials to reproduce the issue.

So far I haven’t heard back from them; however, the issue is still present in iOS 12 Developer Preview 11 as of now. I am going to update this post if new info becomes available.

Author: Jan Hajek

I am Honza, hi.

4 thoughts on “Beware of SameSite cookie policy in ASP.NET Core and upcoming iOS 12”

  1. Thanks for writing this up! After running into the same issue, I went down a rabbit hole trying to see if the issue was related to ITP 2.0, and came up with nothing.

    Disabling the SameSite property is a quick (but less secure) fix. Hopefully the WebKit folks can prioritize this issue and resolve it soon.
