
Expired cookie breaks Azure AD B2C auth (with Blazor and MSAL)


Hi all, has expired cookie management changed lately? Authentication doesn't work anymore in the following use case. The question is all about FF for Windows, while usually I'm on FF Android, Edge and Chrome for Windows, and all these browsers are working correctly.

My working web app (static Blazor WASM standalone) is interactively authenticating in Azure AD B2C using the Microsoft.Authentication.WebAssembly.Msal library (like MSAL.js); the API is an Azure Function protected through AAD B2C.

The login request successfully invokes the Signin/Signup B2C flow with a popup to myb2ctenant.b2clogin.com, but breaks when navigating to auth-protected pages or backend APIs.

From DevTools I see that every request to the following B2C endpoints sets an expired cookie (expired 10 years before, year is now 2012):

When user clicks login: GET /myb2ctenant.onmicrosoft.com/b2c_1_sinsup/v2.0/.well-known/openid-configuration

Returning from login confirmation: GET /myb2ctenant.onmicrosoft.com/B2C_1_SInSUp/api/CombinedSigninAndSignup/confirmed?rememberMe=false&csrf_token=xxx

for example: Set-Cookie: x-ms-cpim-trans=; domain=myb2ctenant.b2clogin.com; expires=Fri, 14-Sep-2012 12:46:46 GMT; path=/; SameSite=None; secure; HttpOnly

FF registers this warning in console:

Cookie “x-ms-cpim-trans” has been rejected because it is already expired

Following that, when MSAL executes a request to /myb2ctenant.onmicrosoft.com/b2c_1_sinsup/oauth2/v2.0/authorize?xxxx

Response always contains:

Location: https://blazorapp.xx.web.core.windows.net/authentication/login-callback#error= interaction_required&error_description=AADB2C90077%3a+User+does+not+have+an+existing+session+and+request+prompt+parameter+has+a+value+of+%27None%27.%0d%0a

All other browsers are working... Thanks in advance for any help


All Replies (5)


It seems that header -- with the ancient date -- was sent by the server. Is it possible it was somehow modified by Firefox? That would be strange.

Do other browsers show a Set-Cookie header with a more current expiration date, or also 10 years ago?


Hey jscher, thanks a lot for replying

Although I can't find any official documentation about the cookie policy of AAD B2C, it's not Firefox that changes it; it's always 10 years before on every browser.

Any hints?


Chosen Solution

Okay, on closer review, the Set-Cookie is setting the value to nothing. I think this is really an instruction to delete the cookie. And then normally the server would set the new value in a different header. Can you see that pattern?

Pages mentioning the message: https://www.google.com/search?q=Cookie+rejected+because+%22already+expired%22+firefox

Which brings us to the issue of cross-site cookie access. SameSite=None might allow it, but maybe the Total Cookie Protection feature overrides that? You can make exceptions to this feature when needed. More info in the following articles:


Great info, it works! Thanks again, really sorry I missed it!

But...I can't see how:

For example, if you visit Facebook, Facebook won’t be able to view your activity on Etsy, One Medical or your cousin’s cooking blog later

Enhanced Tracking Protection will block third-party cookies to prevent tracking companies from tracking your browsing from site to site

could be comparable to AAD B2C authentication flow process?!

As it is enabled by default, this will be a problem for public browsing. Sure, I can catch the error and/or check the user agent to ask the user to disable Total Cookie Protection, but it wouldn't be very nice... I will try and report on Bugzilla.

Anyway, thanks again. If you or anyone else doesn't have any extra considerations to share here, we can consider this solved.


The Total Cookie Protection feature, also known as dynamic First Party Isolation, is a general purpose block on cross-site cookie access. Firefox apparently contains a few pre-configured exceptions for sites that use a predictable combination of server host names. Possibly some more will be added; certainly the central authentication server for Microsoft sites would be a sensible add. I don't know whether anyone has filed a bug requesting that.
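
Added example (not part of any post in this thread, and not Mozilla or Microsoft code): JavaScript that tests the chosen solution's reading of the quoted Set-Cookie header, where an empty value with a past expiry is a delete instruction, and decodes the error fragment of the login-callback redirect. Function names are hypothetical; both sample strings are copied from the question.

```javascript
// Sample inputs copied from the question in this thread.
const SAMPLE_SET_COOKIE = 'x-ms-cpim-trans=; domain=myb2ctenant.b2clogin.com; ' +
  'expires=Fri, 14-Sep-2012 12:46:46 GMT; path=/; SameSite=None; secure; HttpOnly';
const SAMPLE_LOCATION = 'https://blazorapp.xx.web.core.windows.net/authentication/' +
  'login-callback#error= interaction_required&error_description=AADB2C90077%3a+User' +
  '+does+not+have+an+existing+session+and+request+prompt+parameter+has+a+value+of+' +
  '%27None%27.%0d%0a';
const MONTHS = ['jan', 'feb', 'mar', 'apr', 'may', 'jun', 'jul', 'aug', 'sep', 'oct', 'nov', 'dec'];

// Split a Set-Cookie value into name, value and lower-cased attribute names.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of rest.filter(Boolean)) {
    const i = a.indexOf('=');
    cookie.attrs[(i < 0 ? a : a.slice(0, i)).toLowerCase()] = i < 0 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Parse "14-Sep-2012 12:46:46 GMT" or "14 Sep 2012 12:46:46 GMT" to epoch ms, NaN if absent.
function parseCookieDate(s) {
  const m = /(\d{1,2})[ -]([A-Za-z]{3})[ -](\d{4}) (\d{2}):(\d{2}):(\d{2}) GMT/.exec(s || '');
  const mon = m ? MONTHS.indexOf(m[2].toLowerCase()) : -1;
  return mon < 0 ? NaN : Date.UTC(+m[3], mon, +m[1], +m[4], +m[5], +m[6]);
}

// 'delete': expired and empty, the removal idiom; 'expired-with-value': expired but
// carrying data, which a browser also discards; 'set': stored as a live cookie.
function classifySetCookie(header, now = Date.now()) {
  const c = parseSetCookie(header);
  const expired = 'max-age' in c.attrs
    ? Number(c.attrs['max-age']) <= 0 : parseCookieDate(c.attrs.expires) <= now;
  if (!expired) return 'set';
  return c.value === '' ? 'delete' : 'expired-with-value';
}

// Decode the OAuth error carried in the redirect fragment; null when there is none.
function parseCallbackError(location) {
  const hash = location.indexOf('#');
  const params = new URLSearchParams(hash < 0 ? '' : location.slice(hash + 1));
  const error = (params.get('error') || '').trim();
  if (!error) return null;
  const description = (params.get('error_description') || '').trim();
  const code = /^AADB2C\d+/.exec(description);
  return { error, code: code ? code[0] : null, description };
}
console.log(classifySetCookie(SAMPLE_SET_COOKIE), parseCallbackError(SAMPLE_LOCATION));
```

The header from the question classifies as a delete, so the "already expired" console warning is expected behaviour rather than the failure itself; the decoded redirect shows the silent (`prompt=none`) authorize request found no B2C session.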