
Expired cookie breaks Azure AD B2C auth (with Blazor and MSAL)


Hi all, has expired-cookie management changed lately? Authentication doesn't work anymore in the following use case. The question is all about FF for Windows; usually I'm on FF Android, Edge and Chrome for Windows, and all those browsers are working correctly.

My working web app (static Blazor WASM standalone) is interactively authenticating against Azure AD B2C using the Microsoft.Authentication.WebAssembly.Msal library (like MSAL.js); the API is an Azure Function protected through AAD B2C.

The login request successfully invokes the Sign-in/Sign-up B2C flow with a popup to myb2ctenant.b2clogin.com, but it breaks when navigating to auth-protected pages or backend APIs.

From DevTools I see that every request to the following B2C endpoints sets an expired cookie (expired 10 years ago; the year in the header is 2012):

When user clicks login: GET /myb2ctenant.onmicrosoft.com/b2c_1_sinsup/v2.0/.well-known/openid-configuration

Returning from login confirmation: GET /myb2ctenant.onmicrosoft.com/B2C_1_SInSUp/api/CombinedSigninAndSignup/confirmed?rememberMe=false&csrf_token=xxx

for example: Set-Cookie: x-ms-cpim-trans=; domain=myb2ctenant.b2clogin.com; expires=Fri, 14-Sep-2012 12:46:46 GMT; path=/; SameSite=None; secure; HttpOnly

FF registers this warning in the console:

Cookie “x-ms-cpim-trans” has been rejected because it is already expired

Following that, when MSAL executes a request to /myb2ctenant.onmicrosoft.com/b2c_1_sinsup/oauth2/v2.0/authorize?xxxx

the response always contains:

Location: https://blazorapp.xx.web.core.windows.net/authentication/login-callback#error= interaction_required&error_description=AADB2C90077%3a+User+does+not+have+an+existing+session+and+request+prompt+parameter+has+a+value+of+%27None%27.%0d%0a

All other browsers are working... Thanks in advance for any help



All replies (5)


It seems that header -- with the ancient date -- was sent by the server. Is it possible it was somehow modified by Firefox? That would be strange.

Do other browsers show a Set-Cookie header with a more current expiration date, or also one from 10 years ago?


Hey jscher, thanks a lot for replying

Although I can't find any official documentation about the cookie policy of AAD B2C, it's not Firefox that changes it: it's always 10 years in the past in every browser.

Any hints?


Chosen solution

Okay, on closer review, the Set-Cookie is setting the value to nothing. I think this is really an instruction to delete the cookie. And then normally the server would set the new value in a different header. Can you see that pattern?

Pages mentioning the message: https://www.google.com/search?q=Cookie+rejected+because+%22already+expired%22+firefox

Which brings us to the issue of cross-site cookie access. SameSite=None might allow it, but maybe the Total Cookie Protection feature overrides that? You can make exceptions to this feature when needed. More info in the following articles:
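As an added example (not code from the thread or from Firefox/MSAL), this reads the two artifacts quoted in the question the way the answer above reads them: it parses the Set-Cookie header and classifies an empty value with a past Expires as a deletion (so the "already expired" warning is expected), checks that SameSite=None is paired with Secure as cross-site use requires, and decodes the interaction_required error from the login-callback fragment. The sample header and Location value are the ones quoted in the question; the function and field names are my own.

```javascript
// Split "name=value; attr=val; flag" into {name, value, attrs}
// (attribute names lowercased; bare flags such as Secure become true).
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq < 0 ? pair : pair.slice(0, eq);
  const value = eq < 0 ? "" : pair.slice(eq + 1);
  const attrs = {};
  for (const a of rest) {
    const i = a.indexOf("=");
    attrs[(i < 0 ? a : a.slice(0, i)).toLowerCase()] = i < 0 ? true : a.slice(i + 1);
  }
  return { name, value, attrs };
}

// Empty value plus an Expires in the past is the server deleting the cookie,
// so Firefox's "rejected because it is already expired" warning is expected.
// A cookie with SameSite=None is only usable cross-site if it is also Secure.
function classifySetCookie(header, now = new Date()) {
  const c = parseSetCookie(header);
  // Accept both "14-Sep-2012" (Netscape style, as in the thread) and RFC 1123.
  const exp = c.attrs.expires ? new Date(c.attrs.expires.replace(/-/g, " ")) : null;
  const expired = exp !== null && !Number.isNaN(exp.getTime()) && exp < now;
  const crossSite = String(c.attrs.samesite).toLowerCase() === "none";
  return {
    name: c.name,
    action: c.value === "" && expired ? "delete" : expired ? "expired-set" : "set",
    crossSite,
    crossSiteValid: !crossSite || c.attrs.secure === true,
  };
}

// Decode error, AADB2C code and description from the "#error=..." fragment
// that MSAL's silent (prompt=none) authorize request came back with.
function parseCallbackFragment(location) {
  const hash = location.slice(location.indexOf("#") + 1);
  const params = new URLSearchParams(hash.replace(/\s+/g, ""));
  const desc = params.get("error_description") || "";
  return {
    error: params.get("error"),
    code: (desc.match(/AADB2C\d+/) || [null])[0],
    description: desc.trim(),
  };
}

// Sample values as quoted in the question (fixed date, not the current clock).
const SAMPLE_SET_COOKIE = "x-ms-cpim-trans=; domain=myb2ctenant.b2clogin.com; expires=Fri, 14-Sep-2012 12:46:46 GMT; path=/; SameSite=None; secure; HttpOnly";
const SAMPLE_LOCATION = "https://blazorapp.xx.web.core.windows.net/authentication/login-callback#error= interaction_required&error_description=AADB2C90077%3a+User+does+not+have+an+existing+session+and+request+prompt+parameter+has+a+value+of+%27None%27.%0d%0a";
console.log(classifySetCookie(SAMPLE_SET_COOKIE), parseCallbackFragment(SAMPLE_LOCATION));
```

The header itself is well-formed for cross-site use; what actually fails is the later silent authorize call, which needs the b2clogin.com session cookie to be readable from the app's origin, and that is what Total Cookie Protection partitions away.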


Great info, it works! Thanks again, really sorry I missed it!

But...I can't see how:

For example, if you visit Facebook, Facebook won’t be able to view your activity on Etsy, One Medical or your cousin’s cooking blog later

Enhanced Tracking Protection will block third-party cookies to prevent tracking companies from tracking your browsing from site to site

could be comparable to AAD B2C authentication flow process?!

As it is enabled by default, this will be a problem for public browsing; sure, I can catch the error and/or check the user agent to ask the user to disable Total Cookie Protection, but it wouldn't be very nice... I will try and report on Bugzilla.

Anyway, thanks again; if you or anyone else doesn't have any extra considerations to share here, we can consider this solved.


The Total Cookie Protection feature, also known as dynamic First Party Isolation, is a general purpose block on cross-site cookie access. Firefox apparently contains a few pre-configured exceptions for sites that use a predictable combination of server host names. Possibly some more will be added; certainly the central authentication server for Microsoft sites would be a sensible add. I don't know whether anyone has filed a bug requesting that.