
I am building a simple Blazor Server-side App. I followed the steps mentioned in the blog to set up Auth0 authentication. Things work fine as long as I am on localhost in debug mode.

The moment I published the app to the local IIS server, I started getting an error the moment I clicked on the login button. On checking the Windows Event Viewer, I noticed that the cookie sent by login was discarded and that threw an exception.


Before this, I can see a warning that says that the cookie has set SameSite=None and so it must set ‘Secure’.


I have since then tried multiple changes in the Program.cs to handle this but none of the settings worked.

Things that I have tried -

  1. Adding the following setting -

     builder.Services.ConfigureApplicationCookie(options =>
     {
         options.Cookie.SameSite = SameSiteMode.None;
     });

  2. Adding a custom class to handle this situation as suggested in the blog - Thinktecture

Both of these work fine in localhost debug mode but give the same error as above when deployed to local IIS.

And I have not enabled https redirect.

Any help to sort this out is very much appreciated!

Jason Pan

2 Answers

1

What worked for me -

  1. Enabled HTTPS binding on IIS

  2. Enabling https redirection in Program.cs

  3. Adding https port in appsettings.json
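
The three steps in this answer, sketched as a single `Program.cs` next to the `SameSite=None`-only setting from the question. This is an added example, not code from the answer or the blog; it assumes .NET 6 minimal hosting, the `Auth0.AspNetCore.Authentication` package with `Auth0:Domain` / `Auth0:ClientId` configuration keys, and an IIS HTTPS binding on port 443.

```csharp
// Program.cs for a .NET 6 Blazor Server app (added sketch, not the asker's file).
// Assumed: Auth0.AspNetCore.Authentication package, "Auth0:*" config keys, HTTPS on 443.
using Auth0.AspNetCore.Authentication;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddRazorPages();
builder.Services.AddServerSideBlazor();

// Auth0 login (assumed SDK call; keep whatever registration the blog gave you).
builder.Services.AddAuth0WebAppAuthentication(options =>
{
    options.Domain = builder.Configuration["Auth0:Domain"];
    options.ClientId = builder.Configuration["Auth0:ClientId"];
});

// Weak: SameSite=None alone. Over plain HTTP the cookie goes out without
// Secure and the browser rejects it, which matches the Event Viewer warning.
// builder.Services.ConfigureApplicationCookie(o => o.Cookie.SameSite = SameSiteMode.None);

// Corrected: every cookie the app appends is marked Secure.
builder.Services.Configure<CookiePolicyOptions>(options =>
{
    options.Secure = CookieSecurePolicy.Always;
});

// Step 3 done in code; the appsettings.json equivalent is a top-level
// "https_port": 443 entry. 443 is assumed to match the IIS HTTPS binding (step 1).
builder.Services.AddHttpsRedirection(options => options.HttpsPort = 443);

var app = builder.Build();

app.UseHttpsRedirection();   // step 2: HTTP requests are redirected to HTTPS
app.UseStaticFiles();
app.UseCookiePolicy();       // must run before authentication writes its cookies
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.MapBlazorHub();
app.MapFallbackToPage("/_Host");
app.Run();
```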

0

I followed the blog you provided and I also found this issue. I have tried a lot of methods to solve it, but failed.

And I found this sentence: "Please note: The setting SameSite=None will only work if the cookie is also marked as Secure and requires a HTTPS connection." So the first method will not work.

After deploying the project, I find it works in IE, but not in Chrome or Edge. So I think it's not a code issue; it is related to the browser.

And the bad news is, we can't find the Google Chrome 'SameSite by default cookies' and 'Cookies without SameSite must be secure' flags; they were taken away after the v91 update.

Workaround

  1. Use Https

  2. Use IE

Jason Pan
  • are those workarounds exclusive? (Do you need all users to use IE in order to use Auth0?) – pcalkins Jul 13 '22 at 16:44
  • I have tried with IE and it doesn't seem to work. Just to confirm, when you say Use Https, you mean to just insert app.UseHttpsRedirection(); in the Program.cs, right? Do we need to install a self-signed certificate after that? – Mithilesh Khadekar Jul 13 '22 at 16:55