Cookie sometimes missing in request (posting an Umbraco Forms form)

[inetzo]

Hi @Shazwazza , thank you for developing UmbracoIdentity, we use it our Intranet in combination with ADFS and works great. But unfortunately we run into a problem when using UmbracoIdentity in combination with Umbraco Forms, I hope you can help us, we have been working on it for a long time.

In very few cases, the member is missing when an Umbraco Form is submitted/posted. After a long search I discovered that the forms where the member is missing, the Cookie is missing in Context.Request.Params.

Context.Request.Params does contain the element "UMB_UCONTEXT_MEMBERS => -LSvpyUX3A5....." but not "Cookie: UMB_UCONTEXT_MEMBERS=-LSvpyUX3A5.....".

That probably also explains why HttpContext.User.Identity.Name is empty.

In about 85% of the cases when this problem occurs, an iPhone with Safari is used. The other 15 percent are various other browsers such as Internet Explorer, Firefox and Android devices. But mostly iPhones give issues while most users are using Firefox or Internet Explorer.

Our startupconfiguration looks like this:

            var cookieOptions = CreateFrontEndCookieAuthenticationOptions();

            cookieOptions.SlidingExpiration = true;
            cookieOptions.ExpireTimeSpan = TimeSpan.FromMinutes(30);

            cookieOptions.Provider = new CookieAuthenticationProvider
            {
                OnValidateIdentity = SecurityStampValidator
                        .OnValidateIdentity<UmbracoMembersUserManager<UmbracoApplicationMember>, UmbracoApplicationMember, int>(
                            TimeSpan.FromMinutes(30),
                            (manager, user) => user.GenerateUserIdentityAsync(manager),
                            identity => identity.GetUserId<int>())
            };


            app.UseCookieAuthentication(cookieOptions, PipelineStage.Authenticate);
     
            app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

            var realm = ConfigurationManager.AppSettings["ADFS.Realm"];
            var metadataAddress = ConfigurationManager.AppSettings["ADFS.Metadata"];
            var authOptions = new WsFederationAuthenticationOptions
            {
                Wtrealm = realm,
                MetadataAddress = metadataAddress,
                TokenValidationParameters = new TokenValidationParameters
                {
                    ValidAudiences = new string[] { "spn:" + realm },
                    ValidateIssuer = true,
                    NameClaimType = ClaimTypes.NameIdentifier 
                }
            };

            app.UseWsFederationAuthentication(authOptions);

            AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.NameIdentifier;

What can be a cause for the missing cookie?

[Shazwazza]

Hi, initially I would think that it could it be the request path that isn't activating authentication since only certain request paths are authenticated for front-end vs back office. However, if you are saying that it works sometimes but not others than it's something different.

I have heard of OWIN misbehaving with cookies. For example, see https://github.com/Sustainsys/owin-cookie-saver. This has been changed now and the recommendation is to use the SystemWebCookieManager. You can read about that here https://github.com/aspnet/AspNetKatana/wiki/System.Web-response-cookie-integration-issues. I'm wondering if this is the cause of your issue?