Setting "SameSite=None; Secure" cookies when using Node.js through iisnode on Azure App Service

Steven 96 Reputation points
2021-02-24T21:24:21.537+00:00

I'm trying to use "SameSite=None; Secure" with iisnode on Azure App Service to support third-party POST requests while the user is logged in, however, I can't get it to work. This is to support Chrome version 80+ and the new 2019 draft of the SameSite specification.

I've tried adding into the web.config file:

<configuration>
 <system.web>
  <!-- httpCookies here configures ASP.NET's own cookie emission; it does not
       rewrite Set-Cookie headers produced by a Node process behind iisnode -->
  <httpCookies sameSite="None" requireSSL="true" />
 </system.web>
</configuration>

But this has had no effect.

I've also tried in Node.js using Express.js the following server code:

app.set('trust proxy', 1); // also tried 2, 3, 10...

app.use(session({
  // Removed
  cookie: {
    secure: true,                     // cookie is only emitted when the request is seen as HTTPS
    maxAge: 7 * 24 * 60 * 60 * 1000,  // one week, in milliseconds
    sameSite: 'None',
  }
}));

This works locally with an ngrok.io https proxy, however, on Azure as soon as cookie.secure=true cookies fail completely and aren't set in the browser.

How does one use "SameSite=None; Secure" cookies when using Node.js through iisnode on Azure App Service?


Accepted answer
  1. Steven 96 Reputation points
    2021-02-25T22:25:48.11+00:00

    I got this to work using guidance from ensuring-secure-cookies-with-url-rewrite

    This is what I added to my Web.config file under the <rewrite> tag after the <rules/> block:

    <outboundRules>
      <rule name="Ensure secure Cookies" preCondition="Missing secure cookie">
        <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
        <action type="Rewrite" value="{R:0}; SameSite=None; secure" />
      </rule>
      <preConditions>
        <preCondition name="Missing secure cookie">
          <!-- Don't remove the first line here, it does do stuff! -->
          <add input="{RESPONSE_Set_Cookie}" pattern="." />
          <add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=None; secure" negate="true" />
        </preCondition>
      </preConditions>
    </outboundRules>
    

    So your <rewrite> block should look something like this after:

    <rewrite>
      <rules>
        <!-- Do not interfere with requests for node-inspector debugging -->
        <rule name="NodeInspector" patternSyntax="ECMAScript" stopProcessing="true">
          <match url="^server.js\/debug[\/]?" />
        </rule>
    
        <!-- First we consider whether the incoming URL matches a physical file in the /public folder -->
        <rule name="StaticContent">
          <action type="Rewrite" url="public{PATH_INFO}"/>
        </rule>
    
        <!-- All other URLs are mapped to the node.js site entry point -->
        <rule name="DynamicContent">
          <conditions>
            <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="True"/>
          </conditions>
          <action type="Rewrite" url="server.js"/>
        </rule>
      </rules>
      <outboundRules> 
        <rule name="Ensure secure Cookies" preCondition="Missing secure cookie">
            <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
            <action type="Rewrite" value="{R:0}; SameSite=None; secure" />
        </rule>
        <preConditions>
            <preCondition name="Missing secure cookie">
                <!-- Don't remove the first line here, it does do stuff! -->
                <add input="{RESPONSE_Set_Cookie}" pattern="." />
                <add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=None; secure" negate="true" />
            </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
    
