.NET Core authentication cookie is not persistent across all requests [Intermittent issue]

We have an application which provides SSO authentication. Three other applications get authenticated from the SSO application. Once the user is logged into all applications, I initiated an SSO logout. The SSO app sends a logout request to app1, and then app1 responds with a SAML logout response. Once the SSO app has received the SAML logout response, it sends a logout request to app2 and then app3. Sometimes this whole flow works fine and sometimes not. I have seen that when app2/app3/app1 is responding, the SSO application's authentication cookies disappear from the browser, that request becomes unauthenticated for the SSO app, and the user is not able to log out from all applications.

Authentication middleware:

    services.AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    })
    .AddCookie(options =>
    {
        options.Cookie.Name = ".federation_user_authentication";
        options.Cookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.None;
        options.Cookie.Path = "/";
        options.Cookie.IsEssential = true;
        // Cookie lifetime is read from the system parameter collection (minutes).
        options.ExpireTimeSpan = TimeSpan.FromMinutes(
            Convert.ToDouble(
                systemParamsCollection[nameof(JwtTokenVerificationParameterModel.ValidFor)]));
        options.Cookie.SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.None;
        if (Convert.ToBoolean(configuration["IsCloudDeployment"]))
        {
            // Cookie/SSO login will not work on localhost, because it is on http.
            options.Cookie.SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.Always;
        }
    });

Could you let me know what the reason is, and why the authentication cookie disappears after 2-3 redirections between the apps?

Solution

The reason is probably browser cookie security.

If the cookie security is configured with SameSite=Strict, a browser will not send a cookie to the server on one domain if the call originates from another domain.

If the cookie security is SameSite=Lax, GET and POST calls are treated differently. During GET calls the browser will let the cookies get through. But on POST calls the browser will not send a cookie to the server on one domain if the call originates from another domain.

More info: https://en.wikipedia.org/wiki/HTTP_cookie
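The answer above describes the SameSite rules in words; the following is an added example (not code from the original question or answer) that models a modern browser's SameSite decision and runs it over the single-logout round trips the question describes: the IdP sends a LogoutRequest with the HTTP-Redirect binding (a cross-site top-level GET), and each relying party returns its LogoutResponse with the HTTP-POST binding (an auto-submitted cross-site top-level POST back to the IdP). The host names, the simplified registrable-domain check and the step structure are assumptions made for the example. Two rules the answer does not mention are included because they matter for the posted configuration: Chrome 80+, Firefox and Edge reject a SameSite=None cookie that is not also Secure, and a Secure cookie is never sent over plain http.

```javascript
// Constructed model of a browser's SameSite decision, run over a SAML
// single-logout exchange. Example code; not from the original post.

const SAFE_METHODS = new Set(["GET", "HEAD"]);

// Registrable domain, simplified to the last two labels. Real browsers use the
// Public Suffix List, so e.g. "a.co.uk" and "b.co.uk" are different sites.
function registrableDomain(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

function isSameSite(initiatorHost, targetHost) {
  return registrableDomain(initiatorHost) === registrableDomain(targetHost);
}

// Would the browser attach `cookie` to `request`?
// cookie:  { sameSite: "Strict" | "Lax" | "None", secure: boolean }
// request: { method, scheme, initiatorHost, targetHost, topLevelNavigation }
function willSendCookie(cookie, request) {
  // SameSite=None without Secure is rejected when the cookie is set, so it
  // never exists in the jar to be sent later (Chrome 80+, Firefox, Edge).
  if (cookie.sameSite === "None" && !cookie.secure) return false;
  // A Secure cookie only travels over https.
  if (cookie.secure && request.scheme !== "https") return false;
  // Same-site requests always carry the cookie, whatever the attribute.
  if (isSameSite(request.initiatorHost, request.targetHost)) return true;
  switch (cookie.sameSite) {
    case "Strict":
      // Never sent cross-site, not even on a top-level GET navigation.
      return false;
    case "Lax":
      // Cross-site only on top-level navigations with a safe method. A
      // cross-site POST (SAML HTTP-POST binding) therefore arrives without it.
      return request.topLevelNavigation && SAFE_METHODS.has(request.method);
    case "None":
      return true;
    default:
      throw new Error(`unknown SameSite value: ${cookie.sameSite}`);
  }
}

// The logout flow from the question with constructed hosts: the SSO app (IdP)
// on sso.example.com, three relying parties on other sites. For each RP the IdP
// cookie is needed when the RP's LogoutResponse is POSTed back to the IdP.
function simulateSingleLogout(idpCookie, scheme = "https") {
  const idp = "sso.example.com";
  const apps = ["app1.example.org", "app2.example.net", "app3.example.io"];
  const perApp = {};
  for (const app of apps) {
    // Step 1: IdP -> RP LogoutRequest (HTTP-Redirect binding, GET). The IdP
    // cookie is not involved; the target is the RP.
    // Step 2: RP -> IdP LogoutResponse (HTTP-POST binding, auto-submitted form).
    const logoutResponsePost = {
      method: "POST",
      scheme,
      initiatorHost: app,
      targetHost: idp,
      topLevelNavigation: true,
    };
    perApp[app] = willSendCookie(idpCookie, logoutResponsePost);
  }
  // The IdP can only continue to the next RP if it still sees its own session.
  const completes = Object.values(perApp).every(Boolean);
  return { perApp, completes };
}

// Try the configurations a practitioner would compare.
const configs = {
  "Lax (browser default when SameSite is omitted)": { sameSite: "Lax", secure: true },
  "Strict": { sameSite: "Strict", secure: true },
  "None + Secure": { sameSite: "None", secure: true },
  "None without Secure (SecurePolicy.None over http)": { sameSite: "None", secure: false },
};
for (const [name, cookie] of Object.entries(configs)) {
  const { completes } = simulateSingleLogout(cookie);
  console.log(`${name}: single logout completes = ${completes}`);
}
```

Under this model only SameSite=None together with Secure survives the cross-site POST of the LogoutResponse; Lax loses the IdP cookie on every POST-bound response even though it survives the GET-bound LogoutRequest, which matches the intermittent "works with some bindings, fails with others" behaviour. It also shows why the non-cloud branch of the posted configuration (SameSite=None with SecurePolicy.None) cannot work in current browsers: the cookie is rejected outright rather than sent.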