We are experiencing a persistent looping behavior in the login process

Questions
1

We are encountering a login looping issue during the authentication process integrated with Okta. The problem is browser-specific: while Firefox works without issues, Chrome consistently experiences a redirect loop, and Edge shows intermittent behavior. The issue appears related to the session cookie (ASP.NET_SessionId) attributes. Despite manually setting SameSite=None with Secure=true, the cookie defaults to SameSite=Lax, which may conflict with cross-origin authentication flows. Steps taken include disabling caching, adjusting cookie attributes, and verifying redirect URLs, but the issue persists. Guidance on resolving this browser-specific inconsistency is needed.

2

Enforce HTTPS and Secure Cookie Settings

Ensure that all website traffic is served over HTTPS to prevent authentication and cookie handling issues.

Startup.cs Configuration

Use the following in ConfigureServices or Configure:

services.AddAuthentication("Cookies")
    .AddCookie(options =>
    {
        options.Cookie.SameSite = SameSiteMode.None;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.Cookie.IsEssential = true;
    });

web.config Settings

Add the following to enforce secure cookies:

<system.web>
  <sessionState cookieSameSite="None" />
  <httpCookies requireSSL="true" />
</system.web>

Check if this fixes it?

1 Like
3

Thank you for providing the recommended steps to enforce HTTPS and configure secure cookie settings. I appreciate the detailed suggestions.

However, our application currently runs on .NET Framework 4.5, which limits our ability to implement certain features like SameSite cookie handling directly using the methods available in later frameworks or .NET Core. While the Cookie.SameSite and Cookie.SecurePolicy configurations are not natively supported, I have implemented the following steps:

  1. Enforcing HTTPS:
    HTTPS is enforced in production via our web.config file, ensuring secure cookie transport.
  2. Secure Cookies:
    Secure cookies are configured using <httpCookies requireSSL="true" /> in the web.config.
  3. Custom SameSite Handling:
    A custom HTTP module has been implemented to manually set the SameSite=None attribute for cookies, as this attribute is not natively supported in .NET Framework 4.5.

Please let me know if there are additional steps you recommend for ensuring compatibility with modern browser requirements and Okta’s authentication flow.

4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.