CODEWITHSUNDEEP
c#asp.net-coreasp.net-identity
FreeVice
FreeVice

Reputation: 2697

AspNet Core Identity, how set options.Cookie.SameSite?

In the latest templates and libraries used httpsonly flag. How can I turn it off?

This same question is outdated and it did not have full configuration sample:

AspNet Core Identity - cookie not getting set in production

Upvotes: 18

Views: 19407

Answers (4)

Pier
Pier

Reputation: 10837

In 2025 with .NET 9 this is the way to do it in your Program.cs file:

builder.Services.ConfigureApplicationCookie(options => {
    options.Cookie.SameSite = SameSiteMode.Strict;
});

Upvotes: 0

Parag
Parag

Reputation: 430

The answer by @poke did not help me set the value to SameSiteMode.None, atleast not in ASP.NET core 2.1.

Any value you set in configure application cookie is overridden by the MinimumSameSitePolicy setting of the cookie policy middleware.

To prevent the override, set MinimumSameSitePolicy for the UseCookiePolicy extension as SameSiteMode.None.

app.UseCookiePolicy(new CookiePolicyOptions
{
   MinimumSameSitePolicy = SameSiteMode.None
});

Then set the actual same site value in the AddCookie extension in the ConfigureServices method

services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
.AddCookie(options =>
{
    options => options.Cookie.SameSite = SameSiteMode.None;
});

Upvotes: 23

ppenchev
ppenchev

Reputation: 157

For my case in asp.net core 3.1 two things in combination did the trick

services.ConfigureApplicationCookie(options =>
        {
            options.Cookie.SameSite = SameSiteMode.Unspecified;
        });

        services.AddAntiforgery(opts => {
            opts.Cookie.SameSite = SameSiteMode.Unspecified;
        });

Upvotes: 3

poke
poke

Reputation: 388253

In order to configure the application cookie when using Identity, you can use the ConfigureApplicationCookie method inside your Startup’s ConfigureServices:

// add identity
services.AddIdentity<ApplicationUser, IdentityRole>();

// configure the application cookie
services.ConfigureApplicationCookie(options =>
{
    options.Cookie.SameSite = SameSiteMode.None;
});

Since Identity essentially adds cookie authentication under the hood, this is the configure action is the same thing you would normally pass to AddCookie() when configuring cookie authentication. It’s just that since AddIdentity() takes care of setting up authentication for you, the ConfigureApplicationCookie offers a way to adjust the cookie authentication options afterwards.

Upvotes: 26

Related Questions