This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 14.000000000000002%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECL%3C/text%3E%3C/svg%3E)
Our app service uses custom policy to log in through AAD B2C and receive the authentication from it. Since it's a cross-site cookie, we need to mark it SameSite=None with the Secure attribute,
I read that AAD B2C supports this attribute based on the following document.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/cookie-definitions
How to configure this cookie from AAD B2C with the secure attribute?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(9.6, 15%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
@CaroLai-5934, thank you for reaching out to us. Here is Handle SameSite cookie changes in Chrome browser and here are some samples to help you. Let me know if this works for you.
I followed this link you provided to modify my startup.cs.
https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/pull/261
The cookie from AAD B2C still doesn't have a secure flag set for cookie.
@Carol Lai , thanks for this information. Pls have a look at Enable authentication in your own web app by using Azure AD B2C and replace the ConfigureServices(IServiceCollection services) function with the following code snippet:
public void ConfigureServices(IServiceCollection services)
{
services.Configure<CookiePolicyOptions>(options =>
{
// This lambda determines whether user consent for non-essential cookies is needed for a given request.
options.CheckConsentNeeded = context => true;
options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
// Handling SameSite cookie according to https://learn.microsoft.com/en-us/aspnet/core/security/samesite?view=aspnetcore-3.1
options.HandleSameSiteCookieCompatibility();
});
// Configuration to sign-in users with Azure AD B2C
services.AddMicrosoftIdentityWebAppAuthentication(Configuration, "AzureAdB2C");
services.AddControllersWithViews()
.AddMicrosoftIdentityUI();
services.AddRazorPages();
//Configuring appsettings section AzureAdB2C, into IOptions
services.AddOptions();
services.Configure<OpenIdConnectOptions>(Configuration.GetSection("AzureAdB2C"));
Replace the Configure function with the following code snippet:
app.UseCookiePolicy();
Let me know if you have any follow-up questions.
Our code doesn't produce the cookie. The user logs in AAD B2C by using the custom police. When the user accesses our site, it gets routed to b2clogin.com. Upon a successful login, b2clogin.com reroutes back to our site with a cookie without Secure attribute.
How to configure AAD B2C to return a cookie with Secure attribute? Are you suggesting to catch the response from AAD B2C and add the cookieOptions? What event handler in Authentication.OpenIdConnect can catch that? Do you have a sample code?
@Carol Lai , pls check my updated response.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 39%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELM%3C/text%3E%3C/svg%3E)
Could you add this snippet in your startup.cs file under cookie options configuration and let me know if this fixes the issue.
options.Secure = CookieSecurePolicy.Always;
Here are the codes I have tried. Nothing adds the Secure attribute to the cookie from AAD B2C.
options.MinimumSameSitePolicy = SameSiteMode.None;
options.HandleSameSiteCookieCompatibility();
options.Secure = CookieSecurePolicy.Always;
options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
options.HandleSameSiteCookieCompatibility();
options.Secure = CookieSecurePolicy.Always;
options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
options.HandleSameSiteCookieCompatibility();
All Azure AD B2C cookies are carrying the SameSite, Secure, HttpOnly flags:
These flags means that the cookies from B2C are only available to the browser when sent over secure SSL Channel / HTTPS (secure) and are only available to the browsers, but not to JavaScript / Client code (HttpOnly) and are allowed by modern browsers (SameSite: none) as valid third party cookies.
So, as for Azure AD B2C as a service is fully compliant with all listed cookie options.
From B2C side, you cannot add any more cookies. These are are service cookies automatically handled by B2C.