Chris Ross

Results 449 comments of Chris Ross

https://docs.microsoft.com/en-us/aspnet/core/fundamentals/logging/?view=aspnetcore-6.0#configure-logging

If you turn the existing logging up to Information or Debug that will help. Reading back through this I realized it's not just the Secure attribute that's missing from...

What are the attributes on __Host-myApplication when it's created? E.g. if it has a Strict SameSite setting then it won't be included after a remote login flow. It would need...

> Looking through other logs, we have noticed that our Web Application Firewall (WAF) is triggering on some `AspNetCore.Correlation.oauth` cookie value due to "SQL comment format structure", specifically where it...

What issue are you having with expired tickets? They should be ignored and trigger a new auth flow, replacing the cookie.

A cookie containing an expired auth ticket should be harmless, context.User will be populated with an anonymous user.

I'm going to close this as a duplicate of two more specific proposals:
- https://github.com/dotnet/aspnetcore/issues/43222
- https://github.com/dotnet/aspnetcore/issues/39200

That's about what's recommended in our docs: https://microsoft.github.io/reverse-proxy/articles/transforms.html#request-body-transforms

The one improvement I'd suggest if you don't need to actually modify the body is to use `HttpRequest.EnableBuffering()` instead of a `MemoryStream`....

This check should have prevented that: https://github.com/dotnet/aspnetcore/blob/2b63a5fc7fee6944af03723767be2335f1d9bf9c/src/Middleware/Diagnostics/src/StatusCodePage/StatusCodePagesOptions.cs#L37

The response must be buffered? The easy fix is to make that line an `else`.