I am running an ASP.NET Core 8.0 web application on Google Cloud Run in the asia-south1 (Mumbai) region. Since direct domain mapping is not supported in this region, I am using Firebase Hosting as a reverse proxy to serve a custom domain.
The application uses server-side session-based authentication with cookies.
Setup
- Cloud Run Service: asia-south1 region
- Firebase Hosting: Configured with rewrite rules pointing to Cloud Run
- Application: ASP.NET Core 8.0 with session-based authentication
- Session Affinity: Enabled on Cloud Run
Configuration in Program.cs: I have configured the session cookie as follows:
    builder.Services.AddSession(options =>
    {
        options.Cookie.Name = "__session";
        options.Cookie.SameSite = SameSiteMode.None;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.Cookie.HttpOnly = true;
        options.Cookie.IsEssential = true;
    });
I also added ForwardedHeaders middleware:
    // Requires: using Microsoft.AspNetCore.HttpOverrides;
    builder.Services.Configure<ForwardedHeadersOptions>(options =>
    {
        options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
        options.KnownNetworks.Clear();
        options.KnownProxies.Clear();
    });
And a firebase.json rewrite rule:
    {
      "hosting": {
        "public": "wwwroot",
        "rewrites": [
          {
            "source": "**",
            "run": {
              "serviceId": "call-analytics",
              "region": "asia-south1"
            }
          }
        ]
      }
    }
Expected result
The Set-Cookie response header should show:
__session=xxx; SameSite=None; Secure; HttpOnly
but instead, the Set-Cookie response header shows:
.CallAnalytics.Session=xxx; SameSite=Lax; HttpOnly
The cookie name is wrong and SameSite is being downgraded to Lax.
What I have tried:
- Renamed cookie to __session as per Firebase Hosting documentation
- Configured ForwardedHeaders middleware with KnownNetworks.Clear() and KnownProxies.Clear()
- Added ASPNETCORE_FORWARDEDHEADERS_ENABLED=true environment variable in Cloud Run
- Added ASPNETCORE_HTTPS_PORT=443 environment variable in Cloud Run
- Enabled Session Affinity on Cloud Run
- Added custom middleware to directly modify Set-Cookie response headers
- Configured DataProtection with PersistKeysToFileSystem
- Tested with SameSiteMode.Unspecified and CookieSecurePolicy.SameAsRequest
Observations
- Login works correctly when accessing Cloud Run URL directly (bypassing Firebase)
- Login fails when accessing through Firebase Hosting URL due to cookie not being preserved
- The cookie name and SameSite attribute are being overridden somewhere in the pipeline
Questions
- Is Firebase Hosting stripping or modifying session cookies when proxying to Cloud Run in asia-south1?
- Is the __session cookie name restriction enforced at Firebase CDN level before reaching Cloud Run?
- Is there a recommended configuration for ASP.NET Core session-based apps on Cloud Run behind Firebase Hosting?
- Are there any plans to support direct domain mapping in asia-south1 region?
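
One way to find where in the pipeline the header changes is to log, inside the app, the Set-Cookie header it is about to send and the cookie names it receives, then compare that with what the browser sees through Firebase Hosting. This is an added diagnostic example, not code from the original post; the logger category `CookieTrace` and the `/cookie-trace` route are hypothetical names, and an in-memory session store is assumed.

```csharp
// Added diagnostic sketch (minimal Program.cs), not code from the original post.
// Logs cookie names and attributes only; cookie values are redacted.
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddDistributedMemoryCache(); // assumption: in-memory session store
builder.Services.AddSession(options =>
{
    options.Cookie.Name = "__session";
    options.Cookie.SameSite = SameSiteMode.None;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.Cookie.HttpOnly = true;
    options.Cookie.IsEssential = true;
});

var app = builder.Build();

// Placed before UseSession: OnStarting callbacks run in reverse order of
// registration, so this one runs after the session middleware has added its cookie.
app.Use(async (context, next) =>
{
    var log = context.RequestServices
        .GetRequiredService<ILoggerFactory>().CreateLogger("CookieTrace"); // hypothetical category
    log.LogInformation("Request host={Host} scheme={Scheme} cookies=[{Names}]",
        context.Request.Host, context.Request.Scheme,
        string.Join(",", context.Request.Cookies.Keys));

    context.Response.OnStarting(() =>
    {
        foreach (var value in context.Response.Headers["Set-Cookie"])
            log.LogInformation("Emitting Set-Cookie: {Cookie}", Redact(value ?? ""));
        return Task.CompletedTask;
    });
    await next(context);
});

app.UseSession();

// Hypothetical probe route: writing to the session forces the cookie to be issued.
app.MapGet("/cookie-trace", (HttpContext ctx) => { ctx.Session.SetString("probe", "1"); return "ok"; });

app.Run();

// Keeps the cookie name and attributes, drops the value.
static string Redact(string setCookie)
{
    var eq = setCookie.IndexOf('=');
    if (eq < 0) return setCookie;
    var semi = setCookie.IndexOf(';', eq);
    return setCookie[..eq] + "=<redacted>" + (semi < 0 ? "" : setCookie[semi..]);
}
```

If the Cloud Run log shows `__session` with `SameSite=None; Secure` while the browser receives a different header, the change happens after the app. If the log already shows the other cookie name, the running revision is not using the session options shown in the question.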