Expired cookie breaks Azure AD B2C auth (with Blazor and MSAL)
Hi all, is expired cookies management changed lately? Authentication doesn't work anymore in following use case. Question is all about FF for windows, while usually I'm on FF Android, Edge and Chrome for Windows and all these browsers are working correctly.
My working web app (static blazor wasm standalone) is interactively authenticating in Azure AD B2C using Microsoft.Authentication.WebAssembly.Msal library (like MSAL.js), API is an Azure Function protected through AAD B2C.
Login request successfully invokes Signin/Signup B2C flow with popup to myb2ctenant.b2clogin.com but breaks navigating to auth protected pages or backend apis.
From DevTools I see that every request to following b2c endpoints sets an expired cookie (expired 10 years before, year is now 2012):
When user clicks login: GET /myb2ctenant.onmicrosoft.com/b2c_1_sinsup/v2.0/.well-known/openid-configuration
Returning from login confirmation: GET /myb2ctenant.onmicrosoft.com/B2C_1_SInSUp/api/CombinedSigninAndSignup/confirmed?rememberMe=false&csrf_token=xxx
for example: Set-Cookie: x-ms-cpim-trans=; domain=myb2ctenant.b2clogin.com; expires=Fri, 14-Sep-2012 12:46:46 GMT; path=/; SameSite=None; secure; HttpOnly
FF registers this warning in console:
Cookie “x-ms-cpim-trans” has been rejected because it is already expired
Following when MSAL execute a request to /myb2ctenant.onmicrosoft.com/b2c_1_sinsup/oauth2/v2.0/authorize?xxxx
Response always contains:
Location: https://blazorapp.xx.web.core.windows.net/authentication/login-callback#error= interaction_required&error_description=AADB2C90077%3a+User+does+not+have+an+existing+session+and+request+prompt+parameter+has+a+value+of+%27None%27.%0d%0a
All other browsers are working... Thanks in advance for any help
Valgt løsning
Okay, on closer review, the Set-Cookie is setting the value to nothing. I think this is really an instruction to delete the cookie. And then normally the server would set the new value in a different header. Can you see that pattern?
Pages mentioning the message: https://www.google.com/search?q=Cookie+rejected+because+%22already+expired%22+firefox
Which brings us to the issue of cross-site cookie access. SameSite=None might allow it, but maybe the Total Cookie Protection feature overrides that? You can make exceptions to this feature when needed. More info in the following articles:
- Introducing Total Cookie Protection in Standard Mode
- Total Cookie Protection and website breakage FAQ
Alle svar (5)
It seems that header -- with the ancient date -- was sent by the server. Is it possible it was somehow modified by Firefox? That would be strange.
Do other browsers shows a Set-Cookie header with a more current expiration date, or also 10 years ago?
Hey jscher, thanks a lot for replying
Although I can't find any official documentation about cookie policy of AAD B2C it's not Firefox to change it, it's always 10 years before on every browser
Any hints?
Valgt løsning
Okay, on closer review, the Set-Cookie is setting the value to nothing. I think this is really an instruction to delete the cookie. And then normally the server would set the new value in a different header. Can you see that pattern?
Pages mentioning the message: https://www.google.com/search?q=Cookie+rejected+because+%22already+expired%22+firefox
Which brings us to the issue of cross-site cookie access. SameSite=None might allow it, but maybe the Total Cookie Protection feature overrides that? You can make exceptions to this feature when needed. More info in the following articles:
Great info, it works! Thanks again, really sorry I missed it!
But...I can't see how:
For example, if you visit Facebook, Facebook won’t be able to view your activity on Etsy, One Medical or your cousin’s cooking blog later
Enhanced Tracking Protection will block third-party cookies to prevent tracking companies from tracking your browsing from site to site
could be comparable to AAD B2C authentication flow process?!
As it is enabled by default this will be a problem for public browsing, sure I can catch the error and/or check user agent to ask the user to disable Total Cookie Protection but it wouldn't be very nice... I will try and report on bugzilla.
Anyway thanks again, if you or anyone don't have any extra consideration to share here, we can consider this solved
The Total Cookie Protection feature, also known as dynamic First Party Isolation, is a general purpose block on cross-site cookie access. Firefox apparently contains a few pre-configured exceptions for sites that use a predictable combination of server host names. Possibly some more will be added; certainly the central authentication server for Microsoft sites would be a sensible add. I don't know whether anyone has filed a bug requesting that.