Reputation: 155
I wrote my application in .NET 1.0 and after updating it to version 2.0, my session stopped working.
My settings in Startup.cs:
services.AddDistributedMemoryCache();
services.AddSession(options =>
{
    options.IdleTimeout = TimeSpan.FromMinutes(15);
    options.Cookie.HttpOnly = true;
});
...
app.UseSession();
I set the session at my controller:
HttpContext.Session.SetString(SessionKey, data);
After that I redirect to my static file containing angular:
return Redirect($"~/index.html?test={test}");
The file is placed in the wwwroot folder.
And when I use angular to get data from my app:
$http.get(baseUrl + "/Configure/Refresh?test=" + test).then(handleSuccess, handleError("Error getting settings"));
I check the session in my controller action:
_logger.LogInformation($"Session: {HttpContext.Session.GetString(SessionKey)}");
And it is blank. I don't know why; before the update, it worked correctly.
Upvotes: 3
Views: 623
Reputation: 155
Ok, I discovered what was wrong. After the update, the session cookie has SameSite set to Lax by default. Before, it was None. I set this value to Strict and everything works correctly.
services.AddSession(options =>
{
    options.IdleTimeout = TimeSpan.FromMinutes(15);
    options.Cookie.HttpOnly = true;
    options.Cookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.Strict;
});
Article: https://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/
Upvotes: 2
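An added example (not code from the question or the answer) that makes this kind of failure diagnosable instead of guessed at: the session cookie policy is set explicitly, and a small middleware logs on every request whether the browser actually returned the session cookie, so a blank session can be traced to cookie policy (SameSite/Secure) rather than to the session store. The cookie name `.MyApp.Session`, the `Refresh` action and the session key `settings` are assumptions for the example.

```csharp
// Added example, not the page's own code.
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
public class Startup
{
    private const string SessionCookieName = ".MyApp.Session"; // assumed name, set explicitly
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddDistributedMemoryCache();
        services.AddSession(options =>
        {
            options.IdleTimeout = TimeSpan.FromMinutes(15);
            options.Cookie.Name = SessionCookieName;
            options.Cookie.HttpOnly = true;                          // not readable from JS
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always; // HTTPS only
            // Lax: sent on same-site requests and top-level cross-site GET navigations.
            // Strict: sent only on requests that originate from this site itself.
            options.Cookie.SameSite = SameSiteMode.Lax;
        });
        services.AddMvc();
    }
    public void Configure(IApplicationBuilder app, ILogger<Startup> logger)
    {
        app.UseStaticFiles(); // serves wwwroot/index.html
        app.UseSession();
        app.Use(async (context, next) =>
        {
            // Log whether the session cookie came back; "false" on the Angular XHR means cookie policy.
            bool present = context.Request.Cookies.ContainsKey(SessionCookieName);
            logger.LogInformation("{Method} {Path} session cookie present: {Present}",
                context.Request.Method, context.Request.Path, present);
            await next();
        });
        app.UseMvc();
    }
}
public class ConfigureController : Controller
{
    // Called by Angular; 404 means the session cookie did not arrive with the request.
    public IActionResult Refresh()
    {
        string value = HttpContext.Session.GetString("settings");
        return value == null ? (IActionResult)NotFound("no session") : Json(new { value });
    }
}
```

Compare the log line for the redirect to `/index.html` with the one for the `/Configure/Refresh` XHR: if the first shows the cookie present and the second does not, the browser withheld it under the configured SameSite/Secure policy.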