Invalid state cookie

Describe the bug Transient errors that say “Invalid state cookie” from the BankIdHandler.

This report is from Slack user Anton K: I can provoke this error myself by removing the “__ActiveLogin.BankIdState”-cookie or by modifying the value within the cookie during the login flow. This got me thinking that some devices/browser may have problems setting the cookie. The cookie is set as HTTP-Only, Secure and Lax.

What area is it related to BankId

To Reproduce Steps to reproduce the behavior:

1. Remove “__ActiveLogin.BankIdState” cookie
2. See error

Expected behavior Successful signin.

Screenshots

[2021-11-29 09:57:57 Error] Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware
An unhandled exception has occurred while executing the request.
System.Exception: An error was encountered while handling the remote login.
 ---> System.Exception: Invalid state cookie
   --- End of inner exception stack trace ---
   at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
   at IdentityServer4.Hosting.FederatedSignOut.AuthenticationRequestHandlerWrapper.HandleRequestAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at IdentityServer4.Hosting.BaseUrlMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware.<Invoke>g__Awaited|6_0(ExceptionHandlerMiddleware middleware, HttpContext context, Task task)

NuGet package version 4.0.0

Runtime version netcoreapp3.1

Smartphone (please complete the following information):

• ios
• safari

Only seen on ios and safari. Unknown versions.

User reports being able to sign in “sometimes” and then not so it seems to be a transient error where we sometimes get into a bad state. Perhaps due to refresh/reload/back button pressing or using old/stale data.