Invalid state cookie
Describe the bug
Transient errors that say “Invalid state cookie” from the BankIdHandler.
This report is from Slack user Anton K: I can provoke this error myself by removing the “__ActiveLogin.BankIdState” cookie or by modifying the value within the cookie during the login flow. This got me thinking that some devices/browsers may have problems setting the cookie. The cookie is set as HTTP-Only, Secure and Lax.
What area is it related to
BankId
To Reproduce
Steps to reproduce the behavior:
- Remove “__ActiveLogin.BankIdState” cookie
- See error
Expected behavior
Successful sign-in.
Screenshots
[2021-11-29 09:57:57 Error] Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware
An unhandled exception has occurred while executing the request.
System.Exception: An error was encountered while handling the remote login.
---> System.Exception: Invalid state cookie
--- End of inner exception stack trace ---
at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
at IdentityServer4.Hosting.FederatedSignOut.AuthenticationRequestHandlerWrapper.HandleRequestAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at IdentityServer4.Hosting.BaseUrlMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware.<Invoke>g__Awaited|6_0(ExceptionHandlerMiddleware middleware, HttpContext context, Task task)
NuGet package version 4.0.0
Runtime version netcoreapp3.1
Smartphone (please complete the following information):
- iOS
- Safari
Only seen on iOS and Safari. Unknown versions.
User reports being able to sign in “sometimes” and then not, so it seems to be a transient error where we sometimes get into a bad state. Perhaps due to refresh/reload/back button pressing or using old/stale data.
Issue Analytics
- Created 2 years ago
- Comments:10 (7 by maintainers)
Top GitHub Comments
A beta is now released to NuGet - please try it out when you have time! https://www.nuget.org/packages/ActiveLogin.Authentication.BankId.AspNetCore/4.1.0-beta-1
Ping @span @antonkallenberg
@PeterOrneholm Have created our own IBankIdInvalidStateHandler. Tested in my local development environment, works great! Not deployed to production yet, but it “works on my machine”. Great job, thanks!
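The failure described in the report (state cookie missing or altered when the login callback arrives) handled as a restart of the flow rather than an unhandled exception. This is an added sketch, not Active Login's code, and it does not use the library's IBankIdInvalidStateHandler API. The class and enum names, the purpose string and the "/login" path are assumptions; only the cookie name and cookie attributes come from the report.

```csharp
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Logging;

public enum StateResult { Valid, Missing, Tampered }

// Hypothetical helper, not an Active Login type.
public sealed class LoginStateCookie
{
    public const string Name = "__ActiveLogin.BankIdState"; // cookie name from the report
    private readonly IDataProtector _protector;

    public LoginStateCookie(IDataProtectionProvider provider) =>
        _protector = provider.CreateProtector("Example.LoginState.v1"); // assumed purpose string

    // Same attributes the report lists: HTTP-only, Secure, SameSite=Lax.
    public void Write(HttpResponse response, string returnUrl) =>
        response.Cookies.Append(Name, _protector.Protect(returnUrl), new CookieOptions
        {
            HttpOnly = true, Secure = true, SameSite = SameSiteMode.Lax, IsEssential = true
        });

    public StateResult TryRead(HttpRequest request, out string returnUrl)
    {
        returnUrl = string.Empty;
        if (!request.Cookies.TryGetValue(Name, out var raw) || string.IsNullOrEmpty(raw))
            return StateResult.Missing;            // never stored, expired, or removed
        try
        {
            // Throws if the value was altered or was protected with a key this instance lacks.
            returnUrl = _protector.Unprotect(raw);
            return StateResult.Valid;
        }
        catch (CryptographicException) { return StateResult.Tampered; }
    }

    // Callback handling: a bad state restarts the flow instead of surfacing as a 500.
    public void HandleCallback(HttpContext context, ILogger logger)
    {
        var result = TryRead(context.Request, out var returnUrl);
        context.Response.Cookies.Delete(Name);     // state is single-use either way
        if (result != StateResult.Valid)
        {
            logger.LogWarning("Login state cookie {Result}; restarting login", result);
            returnUrl = "/login";                  // hypothetical login start path
        }
        context.Response.Redirect(returnUrl);
    }
}
```

Logging the Missing and Tampered cases separately makes it possible to tell a browser that dropped the cookie from a value that failed integrity checks.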