
Antiforgery issue when hosted in AWS ECS #168


Open
drond opened this issue Jan 10, 2024 · 3 comments

Comments

@drond

drond commented Jan 10, 2024

Hello!

I'm using Steam auth in my app (.NET 8 Blazor SSR app) and came across this issue: when running locally (pure dotnet or Docker) everything goes well and auth works as expected, but once I published my app into an AWS ECS cluster it stopped working.

Looks like there is some issue with Antiforgery cookies:

  • '.AspNetCore.Correlation.**********' cookie not found.
  • Error from RemoteAuthentication: The authentication response was rejected because the anti-forgery token was invalid.

Maybe you could help with solving that, as I'm totally exhausted with googling anything related to that issue :(

PS Meanwhile I deployed my app (kinda just a pure API with Steam auth) into DigitalOcean and it works... but not in AWS

@martincostello
Member

  • Where are you storing your data protection keys? It could be that they're not being stored in a shared location that all the ECS pods can access, so they don't agree on all the settings. Documentation
  • Have you configured HTTP forwarded headers to be trusted appropriately so that things like whether the request is over HTTPS are honoured? It could be that things aren't being trusted correctly, so the app thinks requests are over HTTP instead of HTTPS, so cookies get "lost". Documentation.

@AndreiShirmanov

> • Where are you storing your data protection keys? It could be that they're not being stored in a shared location that all the ECS pods can access, so they don't agree on all the settings. Documentation
> • Have you configured HTTP forwarded headers to be trusted appropriately so that things like whether the request is over HTTPS are honoured? It could be that things aren't being trusted correctly, so the app thinks requests are over HTTP instead of HTTPS, so cookies get "lost". Documentation.

Thank you for the rapid reaction.

  1. There is a single pod within a single service in ECS, and I even tried the AWS solution that stores protection keys in shared Systems Manager.

  2. Looks like this one I have to investigate a bit deeper; will take a look and get back to you.

@drond
Author

drond commented Jan 12, 2024

> • Where are you storing your data protection keys? It could be that they're not being stored in a shared location that all the ECS pods can access, so they don't agree on all the settings. Documentation
> • Have you configured HTTP forwarded headers to be trusted appropriately so that things like whether the request is over HTTPS are honoured? It could be that things aren't being trusted correctly, so the app thinks requests are over HTTP instead of HTTPS, so cookies get "lost". Documentation.

Soooo, after further investigation I noticed a warning in Chrome about an attempt to set a SECURE cookie over an HTTP request (I didn't set up HTTPS yet). And in my cookie policy it was set to AlwaysSecure/SameSite.None. So I changed the config to SameAsRequest/SameSite.Lax and boom, done. Anyway, thank you for your help )

PS I understand that using non-secure cookies is not a good idea, but so far so good; I don't have experience in setting up certificates etc. :)
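As an added example (not code from this issue or from the Steam provider project), the Program.cs below keeps the cookies Secure and instead addresses the two conditions the maintainer's questions point at: trusting the load balancer's forwarded headers so the app sees the request as HTTPS, and persisting data protection keys where every task instance can read them. It assumes an AWS load balancer terminates TLS in front of the ECS task and sends X-Forwarded-Proto, that AddSteam comes from the AspNet.Security.OpenId.Steam package, and that the key directory is a placeholder (for example a mounted EFS volume).

```csharp
// Added example for this thread; not code from the issue or the Steam provider project.
// Assumptions: an AWS load balancer terminates TLS in front of the ECS task and sends
// X-Forwarded-Proto/X-Forwarded-For; the key directory is a placeholder (e.g. a mounted
// EFS volume); AddSteam comes from the AspNet.Security.OpenId.Steam package.
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.HttpOverrides;

var builder = WebApplication.CreateBuilder(args);

// 1. Trust the load balancer's forwarded headers so Request.IsHttps is true for the
//    client's HTTPS connection, even though the hop into the container is plain HTTP.
builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
    // The defaults only trust loopback proxies. Clearing them is acceptable only when the
    // task's security group admits traffic from the load balancer alone; otherwise a
    // client could spoof X-Forwarded-Proto. Prefer adding the LB subnet to KnownNetworks.
    options.KnownNetworks.Clear();
    options.KnownProxies.Clear();
});

// 2. Persist data protection keys where every task instance (and every restart) can read
//    them, so the correlation cookie written before the redirect can be unprotected after it.
builder.Services.AddDataProtection()
    .PersistKeysToFileSystem(new DirectoryInfo("/PLACEHOLDER/shared-keys"))
    .SetApplicationName("steam-auth-app");

// 3. Keep cookies Secure. The weaker fix from the thread (SameAsRequest) also "works"
//    over plain HTTP, but then the correlation cookie travels in clear text.
builder.Services.AddAuthentication(options =>
    {
        options.DefaultScheme = "Cookies";
        options.DefaultChallengeScheme = "Steam";
    })
    .AddCookie("Cookies", options => options.Cookie.SecurePolicy = CookieSecurePolicy.Always)
    .AddSteam(options =>
    {
        options.CorrelationCookie.SecurePolicy = CookieSecurePolicy.Always;
        // Steam returns the user via a top-level GET redirect, which SameSite=Lax permits.
        options.CorrelationCookie.SameSite = SameSiteMode.Lax;
    });

var app = builder.Build();
app.UseForwardedHeaders();   // must run before anything that inspects Request.IsHttps
app.UseAuthentication();
app.MapGet("/", () => "ok");
app.Run();
```

With this in place the ".AspNetCore.Correlation.*" cookie is set with the Secure attribute on a request the app correctly sees as HTTPS, so the browser keeps it and the anti-forgery check on the callback passes without downgrading the cookie policy.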
