CMSAdminCookiesSameSiteNone still uses "Lax"

Claudio Bley asked on July 5, 2021 11:37

Hi.

We have some trouble with running the form builder in the admin app.

Our setup is a multi-domain environment, with admin and live app running on HTTPS.

We set CMSAdminCookiesSameSiteNone to true for both, the admin app in web.config and the live app in appsettings.json.

But, when trying to load the Form Builder from the admin app, we see the error message:

This page does not work properly as your browser may be blocking 3rd party cookies and/or the system may be incorrectly configured for a multi-domain environment. See our documentation for more information.

and the KenticoCookiePolicyCheck has this cookie:

KenticoCookiePolicyTest 
path    "/"
samesite    "Lax"
value   "413a9af1-9b38-43e9-810c-d333ff91556b"

which Firefox rejects with

Cookie “KenticoCookiePolicyTest” has been rejected because it is in a cross-site context and its “SameSite” is “Lax” or “Strict”.

The Form Builder also does not show up, there is this error:

InvalidVirtualContextException: Try reloading the administration interface. The user was not found in the JWT token, nor in the current virtual context URL.

    Kentico.Content.Web.Mvc.VirtualContextPrincipalRetriever.GetPrincipal(string jwtToken)
    Kentico.Content.Web.Mvc.VirtualContextRequestPrincipalRetriever.Retrieve(HttpRequest request)
    Kentico.Web.Mvc.AuthenticationHandler.HandleAuthenticateAsync()
    Microsoft.AspNetCore.Authentication.AuthenticationHandler<TOptions>.AuthenticateAsync()
    Microsoft.AspNetCore.Authentication.AuthenticationService.AuthenticateAsync(HttpContext context, string scheme)
    Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
    Microsoft.AspNetCore.Session.SessionMiddleware.Invoke(HttpContext context)
    Microsoft.AspNetCore.Session.SessionMiddleware.Invoke(HttpContext context)
    Kentico.Content.Web.Mvc.ContentOutputMiddleware.InvokeAsync(HttpContext context)
    Kentico.Web.Mvc.KenticoRequestLocalizationMiddleware.InvokeAsync(HttpContext context)
    Kentico.Content.Web.Mvc.PageRedirectionContextMiddleware.InvokeAsync(HttpContext context)
    Kentico.Web.Mvc.KenticoRequestEventsMiddleware.InvokeAsync(HttpContext context)
    Microsoft.AspNetCore.Diagnostics.StatusCodePagesMiddleware.Invoke(HttpContext context)
    Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)

What does this mean? How can we fix this?

Thanks!
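The browser message quoted above is the outcome of a simple rule: in a cross-site context (such as the Form Builder loading the live site inside the admin app's iframe), a cookie is only sent if it carries SameSite=None, and SameSite=None is only honoured together with Secure; a cookie with no SameSite attribute is treated as Lax. The following script is an added diagnostic, not part of the thread or of Kentico's code: it parses Set-Cookie header values and reports which ones a browser would drop cross-site, so a response from the live app can be checked before the admin app is involved. The header values are constructed samples modelled on the cookie names in the question; the cookie value strings are placeholders.

```python
"""Check whether Set-Cookie headers would survive a cross-site (third-party) context.

Rules applied (as implemented by current browsers):
  * SameSite=Lax or SameSite=Strict -> not sent cross-site.
  * Missing/unrecognised SameSite   -> treated as Lax, so also not sent.
  * SameSite=None without Secure    -> rejected outright.
  * SameSite=None with Secure       -> accepted cross-site.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional


@dataclass
class Cookie:
    name: str
    value: str
    attributes: Dict[str, Optional[str]] = field(default_factory=dict)

    @property
    def samesite(self) -> str:
        # A missing or unrecognised SameSite value defaults to "Lax".
        raw = self.attributes.get("samesite")
        if raw is None:
            return "Lax"
        return {"none": "None", "lax": "Lax", "strict": "Strict"}.get(raw.strip().lower(), "Lax")

    @property
    def secure(self) -> bool:
        return "secure" in self.attributes


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value (RFC 6265 layout) into a Cookie."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        # Attribute names are case-insensitive; flag attributes (Secure, HttpOnly) have no value.
        attrs[key.strip().lower()] = val.strip() if sep else None
    return Cookie(name.strip(), value.strip(), attrs)


def cross_site_verdict(cookie: Cookie) -> str:
    """Return 'ok' if the cookie is usable cross-site, else a browser-style rejection reason."""
    if cookie.samesite in ("Lax", "Strict"):
        return (f'Cookie "{cookie.name}" has been rejected because it is in a cross-site '
                f'context and its "SameSite" is "{cookie.samesite}".')
    if not cookie.secure:
        return (f'Cookie "{cookie.name}" has been rejected because it has the "SameSite=None" '
                f'attribute but is missing the "Secure" attribute.')
    return "ok"


# Constructed sample headers (placeholder values), named after the cookies in the question.
SAMPLE_HEADERS = [
    "KenticoCookiePolicyTest=placeholder-1; path=/; samesite=lax",
    "CMSVirtualContextIdentity=placeholder-2; path=/; secure; httponly",  # no SameSite -> Lax
    "KenticoCookiePolicyTest=placeholder-3; path=/; samesite=none",       # None but not Secure
    "CMSVirtualContextIdentity=placeholder-4; path=/; secure; httponly; samesite=none",
]


def audit(headers: Iterable[str]) -> Dict[str, str]:
    """Map '<index>:<cookie name>' to the verdict for each header; the index keeps duplicates apart."""
    result: Dict[str, str] = {}
    for i, header in enumerate(headers):
        cookie = parse_set_cookie(header)
        result[f"{i}:{cookie.name}"] = cross_site_verdict(cookie)
    return result


if __name__ == "__main__":
    for key, verdict in audit(SAMPLE_HEADERS).items():
        print(key, "->", verdict)
```

Only the last sample passes; the first three reproduce the three ways a cookie fails in the iframe scenario, the first of them being exactly the "Lax" case Firefox reported for KenticoCookiePolicyTest. Pointing the audit at the real Set-Cookie headers returned by the live app shows directly whether CMSAdminCookiesSameSiteNone took effect.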

Correct Answer

Juraj Ondrus answered on July 7, 2021 14:17

There was a bug fixed in one of the recent hotfixes with the same symptoms. Have you also updated the NuGet package in your Core app and clear the entire browser cache?


Recent Answers

Claudio Bley answered on July 5, 2021 13:39 (last edited on July 5, 2021 14:28)

Also, I noticed the same message for the CMSVirtualContextIdentity cookie:

Cookie “CMSVirtualContextIdentity” has been rejected because it is in a cross-site context and its “SameSite” is “Lax” or “Strict”.

edit: Now, using kenticoServiceCollection.SetAdminCookiesSameSiteNone(); in the live app (.NET Core 3.1) makes this actually work. Why is the application setting not taken into account here?

FTR, we are running Xperience 13.0.32.


Claudio Bley answered on July 8, 2021 08:39

Have you also updated the NuGet package in your Core app

Yes, we are using:

<PackageReference Include="Kentico.Xperience.AspNetCore.WebApp" Version="13.0.32" />

and clear the entire browser cache?

No, I did not clear the entire browser cache. I opened the dev tools and have the "disable cache" checkbox enabled and tested on different systems.
