
Read me, aka notes

HTTP 400 header too long error - Simple SignOut:

Please reference KB0106356 in SN for the latest information.
Background - when Azure B2C receives 8+ requests to the login page, too many cookies can be set. This is generally the result of applications redirecting to the login page on a single sign-out request. That request comes from the IDP via iframes and attempts to log the user out of all applications. If each app redirects back to the login page within its iframe, the redirects multiply by the number of apps, and this creates the problem.
Solutions:

  • SimpleSignOut - a logout endpoint on the app that only deletes the OWIN cookies and displays a page stating that you are logged out.

Code examples - this project contains code examples on the above solutions.
  • SimpleSignOut - look at the SimpleSignOut action in the Home controller. The action also contains code for the Chrome SameSite cookie security fixes.

Chrome SameSite Cookie Security Change

Please reference KB0106238 in SN for the latest information.
Background:

SameSite Code examples - this project contains code examples on the above.
  • Update .NET with the patch to 4.7.2 and update the OWIN packages - update according to the docs (.Net Owin Information)
  • SameSiteCookieManager - a custom cookie manager is used to support legacy browsers and to handle the Chrome SameSite cookie security update. It uses the two-cookie solution suggested by Auth0
  • SimpleSignOut action - the SimpleSignOut action has additional code to delete the duplicate cookie used for legacy browsers not supporting SameSite=none.
  • Azure App Service - these fixes may not work until the patch is rolled out across all app service environments
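
The sketch below is an added example, not the code from this project. It shows a SimpleSignOut-style action for ASP.NET MVC 5 with OWIN cookie authentication: it clears the local session and the legacy fallback cookie without redirecting to the login page. The "-legacy" suffix for the fallback cookie, the "SignedOut" view name and the default OWIN cookie name are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using Microsoft.Owin.Security.Cookies;

public class HomeController : Controller
{
    // OWIN default cookie name for the "Cookies" authentication type
    // (".AspNet.Cookies"). Assumption: the app keeps the default name.
    private static readonly string AuthCookie =
        CookieAuthenticationDefaults.CookiePrefix +
        CookieAuthenticationDefaults.AuthenticationType;

    // Assumption: the custom cookie manager writes its fallback copy
    // (no SameSite attribute) under this hypothetical suffix.
    private const string LegacySuffix = "-legacy";

    [AllowAnonymous]
    public ActionResult SimpleSignOut()
    {
        // Sign out of the local cookie middleware only. The OpenID Connect
        // authentication type is deliberately not passed, so no redirect to
        // the IDP login page is issued inside the sign-out iframe.
        HttpContext.GetOwinContext().Authentication
            .SignOut(CookieAuthenticationDefaults.AuthenticationType);

        // Expire the fallback cookie and any chunks of it ("...C1", "...C2").
        // AllKeys returns a snapshot, so adding response cookies is safe here.
        foreach (string name in Request.Cookies.AllKeys)
        {
            if (name != null &&
                name.StartsWith(AuthCookie + LegacySuffix, StringComparison.Ordinal))
            {
                Response.Cookies.Add(new HttpCookie(name, string.Empty)
                {
                    Expires = DateTime.UtcNow.AddYears(-1),
                    Path = "/",
                    Secure = true,
                    HttpOnly = true
                });
            }
        }

        // Render a static "you are logged out" page instead of redirecting.
        return View("SignedOut");
    }
}
```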