❔ RefreshToken and Cookies

Hi, I have a bug I can't quite figure out.

I am trying to persist a refresh token as a cookie on the client.

When developing locally I see the refresh token in the Application tab ---> Cookies,

but when I inspect the same tab in production I can't see the key-value pair for the refresh token.

Backend and frontend are both on https.
CookieOptions HttpOnly and Secure are set to true,
SameSite to None.

The HTTP call for login, where the refresh token is issued, has withCredentials set to true.

The CORS is also set to AllowCredentials().

When I log in in the production environment I see the refreshToken cookie in the response header,
but not in the Application tab -> Cookies.

But in the following sub-request I see the refreshToken in the request header.

How do I get the refresh token to appear in the Application tab -> Cookies?

    public static void AddCorsExtension(this IServiceCollection services)
    {
        var myAllowSpecificOrigins = "_myAllowSpecificOrigins";

        services.AddCors(options =>
        {
            options.AddPolicy(name: myAllowSpecificOrigins,
                              policy =>
                              {
                                  // Origins must be listed explicitly: AllowAnyOrigin() cannot be
                                  // combined with AllowCredentials(), so each one comes from config.
                                  policy.WithOrigins(MyAppData.Configuration["AllowedOrigins:Production"] ?? throw new InvalidOperationException(),
                                                     MyAppData.Configuration["AllowedOrigins:Https"] ?? throw new InvalidOperationException(),
                                                     MyAppData.Configuration["AllowedOrigins:Staging"] ?? throw new InvalidOperationException(),
                                                     MyAppData.Configuration["AllowedOrigins:Dev"] ?? throw new InvalidOperationException())
                                        .AllowAnyHeader()
                                        .AllowAnyMethod()
                                        .AllowCredentials(); // Required for the browser to send/accept cookies cross-origin
                              });
        });
    }


The next method is part of the login endpoint:

    private void SetRefreshTokenCookie(string newRefreshToken)
    {
        var refreshTokenCookieOptions = new CookieOptions
        {
            HttpOnly = true,              // Prevent XSS: not readable from page script
            Secure   = true,              // Only sent over https; also mandatory with SameSite=None
            SameSite = SameSiteMode.None, // Use None because of 3-tier architecture - different domains
            Expires  = DateTime.UtcNow.AddDays(int.Parse(
                _configuration["JWT:RefreshTokenValidityInDays"] ?? throw new InvalidOperationException())),
            Path     = "/",
        };

        _httpContextAccessor.HttpContext?.Response.Cookies.Append("RefreshToken", newRefreshToken, refreshTokenCookieOptions);
    }


And lastly, the client-side code:

    login(payload: any) {
      console.log('login');
      return this.httpClient
        .post(`${this.url}${this.endpoint}/login`, payload, {
          observe: 'response',
          responseType: 'json',
          withCredentials: true, // Send and accept cookies on this cross-origin request
        })
        .pipe(
          tap((response: HttpResponse<object>) => {
            this.handleAuthentication(response);
          })
        );
    }


I need that refreshToken to appear in the cookies in production.
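Whether a browser keeps a cross-site cookie is decided purely by the attributes on the Set-Cookie header, so that header is the first thing to verify against the rules. The function below is an added example and not code from the post above: it parses a Set-Cookie line the way a browser does and lists the reasons the cookie would be rejected or would be unsafe as a refresh-token carrier. The header strings are constructed samples modelled on what the login endpoint above emits.

```typescript
// Added example (not from the original post): inspect a Set-Cookie header the
// way a browser does before storing a cross-site cookie, and list the reasons
// it would be dropped or would be unsafe as a refresh-token carrier.
interface CookieCheck { name: string; problems: string[] }

function checkSetCookie(header: string, now: Date = new Date()): CookieCheck {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq > 0 ? pair.slice(0, eq) : pair;
  // Attribute names are case-insensitive (ASP.NET Core emits them lowercase).
  const flags = new Map<string, string>();
  for (const a of attrs) {
    const i = a.indexOf("=");
    flags.set((i > 0 ? a.slice(0, i) : a).toLowerCase(), i > 0 ? a.slice(i + 1) : "");
  }
  const problems: string[] = [];
  const sameSite = (flags.get("samesite") ?? "lax").toLowerCase();
  if (sameSite === "none" && !flags.has("secure")) {
    problems.push("SameSite=None without Secure: browsers reject the cookie outright");
  }
  if (sameSite !== "none") {
    problems.push(`SameSite=${sameSite}: not attached to cross-site XHR, so the API never sees it`);
  }
  if (!flags.has("secure")) problems.push("missing Secure: token would travel over plain http");
  if (!flags.has("httponly")) problems.push("missing HttpOnly: token readable by page script");
  const expires = flags.get("expires");
  if (expires !== undefined) {
    const t = Date.parse(expires);
    if (Number.isNaN(t)) problems.push("Expires is not a parseable date");
    else if (t <= now.getTime()) problems.push("Expires is in the past: this deletes the cookie");
  }
  if (name.startsWith("__Host-") && (flags.has("domain") || flags.get("path") !== "/" || !flags.has("secure"))) {
    problems.push("__Host- prefix requires Secure, Path=/ and no Domain attribute");
  }
  return { name, problems };
}

// Constructed samples: what the login endpoint emits, and two broken variants.
const SAMPLES = [
  "RefreshToken=c3VwZXJzZWNyZXQ; expires=Fri, 01 Jan 2100 00:00:00 GMT; path=/; secure; samesite=none; httponly",
  "RefreshToken=c3VwZXJzZWNyZXQ; path=/; samesite=none; httponly",
  "RefreshToken=c3VwZXJzZWNyZXQ; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; secure; samesite=none; httponly",
];
for (const h of SAMPLES) console.log(checkSetCookie(h));
```

Run it against the actual Set-Cookie line copied from the Network tab; an empty problems list means the browser accepted the cookie and the remaining question is only where DevTools displays it.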