Sadegh

Reputation: 699

How is the SameSite attribute added to my ASP.NET_SessionId cookie automatically?

Recently SameSite=Lax was added automatically to my session cookie! This attribute is only added to the session ID: "Set-Cookie ASP.NET_SessionId=zana3mklplqwewhwvika2125; path=/; HttpOnly; **SameSite=Lax**"

My website is hosted on IIS 8.5, Windows 2012 R2, doesn't have a WAF or UrlRewrite, and I turned off the antivirus (kasper).

But I still have the same problem on some customer servers.

Any idea?

EDITED: I found this: https://support.microsoft.com/en-us/help/4524419/kb4524419

ASP.NET will now emit a SameSite cookie header when HttpCookie.SameSite value is 'None' to accommodate upcoming changes to SameSite cookie handling in Chrome. As part of this change, FormsAuth and SessionState cookies will also be issued with SameSite = 'Lax' instead of the previous default of 'None', though these values can be overridden in web.config.

How can I override the SameSite cookie for SessionState in web.config? I added this line, but it does not work on the SessionID cookie: <httpCookies sameSite="Unspecified" />

EDITED: I found this: https://learn.microsoft.com/en-us/dotnet/api/system.web.configuration.sessionstatesection.cookiesamesite?view=netframework-4.8#System_Web_Configuration_SessionStateSection_CookieSameSite

Set SameSite for the state server with the "cookieSameSite" attribute of the sessionState tag.

Upvotes: 39

Views: 73412

Answers (8)

zemien

Reputation: 602

The CookieSameSite attribute is not available in many older frameworks. If you're in a situation where the accepted answer is not supported in your environment, read on!

I built on several SO answers to come up with this URL rewrite that adds SameSite=None to session cookies, and also removes SameSite=None from all cookies for most incompatible browsers. The aim of this rewrite is to preserve the "legacy" behaviour pre-Chrome 80.

Full write-up in my Coder Frontline blog:

<rewrite>
  <outboundRules>
    <preConditions>
      <!-- Checks User Agent to identify browsers incompatible with SameSite=None -->
      <preCondition name="IncompatibleWithSameSiteNone" logicalGrouping="MatchAny">
        <add input="{HTTP_USER_AGENT}" pattern="(CPU iPhone OS 12)|(iPad; CPU OS 12)" />
        <add input="{HTTP_USER_AGENT}" pattern="(Chrome/5)|(Chrome/6)" />
        <add input="{HTTP_USER_AGENT}" pattern="( OS X 10_14).*(Version/).*((Safari)|(KHTML, like Gecko)$)" />
      </preCondition>
    </preConditions>

    <!-- Adds or changes SameSite to None for the session cookie -->
    <!-- Note that secure header is also required by Chrome and should not be added here -->
    <rule name="SessionCookieAddSameSiteNoneHeader">
      <match serverVariable="RESPONSE_Set-Cookie" pattern="(.*ASP.NET_SessionId.*)" />
      <!-- Use this regex if your OS/framework/app adds SameSite=Lax automatically to the end of the cookie -->
      <!-- <match serverVariable="RESPONSE_Set-Cookie" pattern="((.*)(ASP.NET_SessionId)(=.*))(?=SameSite)" /> -->
      <action type="Rewrite" value="{R:1}; SameSite=None" />
    </rule>

    <!-- Removes SameSite=None header from all cookies, for most incompatible browsers -->
    <rule name="CookieRemoveSameSiteNone" preCondition="IncompatibleWithSameSiteNone">
      <match serverVariable="RESPONSE_Set-Cookie" pattern="(.*)(SameSite=None)" />
      <action type="Rewrite" value="{R:1}" />
    </rule>
  </outboundRules>
</rewrite>

This should work for most ASP.NET and ASP.NET Core applications, although newer frameworks have proper code and config options to let you control this behaviour. I would recommend researching all the options available to you before using my rewrite above.

Upvotes: 25
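To see exactly what the outbound rules in the answer above produce, here is an added Python emulation (my own example, not zemien's code and not taken from the page) that applies the same three regular expressions, in the same order, to constructed Set-Cookie values and User-Agent strings. It models a Rewrite action on a server variable as replacing the whole value with the action string after expanding {R:n}, and matches case-insensitively since URL Rewrite's ignoreCase defaults to true; the cookie values and user-agent strings are constructed, not captured from any server or client.

```python
import re

# Constructed Set-Cookie values and User-Agent strings for the simulation
# (not captured from any real server or client).
SESSION_LAX = "ASP.NET_SessionId=zana3mklplqwewhwvika2125; path=/; HttpOnly; SameSite=Lax"
SESSION_PLAIN = "ASP.NET_SessionId=zana3mklplqwewhwvika2125; path=/; HttpOnly"
OTHER_NONE = "theme=dark; path=/; SameSite=None"

CHROME_80_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                "(KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36")
IOS_12_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 "
             "(KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1")
MACOS_SAFARI_12_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 "
                      "(KHTML, like Gecko) Version/12.1.2 Safari/605.1.15")

# preCondition "IncompatibleWithSameSiteNone" (logicalGrouping="MatchAny").
INCOMPATIBLE_UA_PATTERNS = [
    r"(CPU iPhone OS 12)|(iPad; CPU OS 12)",
    r"(Chrome/5)|(Chrome/6)",
    r"( OS X 10_14).*(Version/).*((Safari)|(KHTML, like Gecko)$)",
]

# <match> patterns: the active session-cookie pattern, the commented-out
# lookahead variant, and the pattern of the removal rule.
SESSION_PATTERN_SIMPLE = r"(.*ASP.NET_SessionId.*)"
SESSION_PATTERN_LOOKAHEAD = r"((.*)(ASP.NET_SessionId)(=.*))(?=SameSite)"
REMOVE_NONE_PATTERN = r"(.*)(SameSite=None)"


def ua_is_incompatible(user_agent: str) -> bool:
    """MatchAny over the preCondition inputs; ignoreCase is URL Rewrite's default."""
    return any(re.search(p, user_agent, re.IGNORECASE) for p in INCOMPATIBLE_UA_PATTERNS)


def apply_rule(value: str, pattern: str, action_value: str) -> str:
    """Emulate one outbound rule on a server variable: when the pattern matches,
    the whole variable becomes the action value with {R:n} back-references
    expanded; otherwise the variable is left alone."""
    m = re.search(pattern, value, re.IGNORECASE)
    if m is None:
        return value
    return re.sub(r"\{R:(\d+)\}", lambda ref: m.group(int(ref.group(1))) or "", action_value)


def rewrite_set_cookie(value: str, user_agent: str, lax_aware: bool = False) -> str:
    """Run the two rules in the order the outboundRules section lists them.
    lax_aware=False uses the active pattern; lax_aware=True uses the commented-out
    lookahead pattern meant for frameworks that already emit SameSite=Lax."""
    pattern = SESSION_PATTERN_LOOKAHEAD if lax_aware else SESSION_PATTERN_SIMPLE
    value = apply_rule(value, pattern, "{R:1}; SameSite=None")
    if ua_is_incompatible(user_agent):
        value = apply_rule(value, REMOVE_NONE_PATTERN, "{R:1}")
    return value


if __name__ == "__main__":
    for cookie in (SESSION_LAX, SESSION_PLAIN, OTHER_NONE):
        for ua_name, ua in (("Chrome 80", CHROME_80_UA), ("iOS 12", IOS_12_UA)):
            for lax_aware in (False, True):
                print(f"{ua_name:9} lax_aware={lax_aware!s:5} -> "
                      f"{rewrite_set_cookie(cookie, ua, lax_aware)}")
```

Two outcomes are worth checking against your own framework before deploying the rules. With the active pattern, a session cookie that already carries SameSite=Lax comes out with both SameSite=Lax and SameSite=None (browsers honour the later attribute, but the header is untidy and audit tools flag it). With the lookahead variant the Lax is dropped, but that pattern only fires when a SameSite attribute is already present, so on a framework that does not emit one the session cookie is left untouched and never gets SameSite=None. The removal rule leaves a trailing "; " on the value, which browsers tolerate.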

Vasiliy Zverev

Reputation: 642

Add these options to web.config for SameSite=None, Lax or Strict:

<system.web>
    <httpCookies sameSite="None" requireSSL="true" />
    <sessionState cookieSameSite="None" />
    <authentication mode="Forms">
        <forms cookieSameSite="None" requireSSL="true" />
    </authentication>
</system.web>

This is supported since .NET Framework 4.7.2.

Docs on sessionState cookieSameSite
Docs on httpCookies sameSite
SameSite=None requires Secure (requireSSL="true"). Lax and Strict don't. sessionState doesn't have requireSSL and uses the attribute from httpCookies.
Good article with an explanation of SameSite in Google Chrome. Chrome blocks third-party cookies in iframes since version 80.

Upvotes: 1

c.almeida

Reputation: 43

4 machines with Google Chrome; one would not work with cookies across sites on ASP. Followed H. J. van der Wijk's info for web.config:

<system.web>
    <httpCookies sameSite="None"/>
    <sessionState cookieSameSite="None" />
    <authentication mode="Forms">
        <forms cookieSameSite="None" />
    </authentication>
</system.web>

still did not work, had to change

<httpCookies sameSite="None"/>

for

<httpCookies httpOnlyCookies="true" requireSSL="true" sameSite="None"/>

and all worked.

Thanks

Upvotes: 4

Last update: zemien's answer is more comprehensive and complete than mine, because it sets the cookie based on the user agent.

My Answer:

You can replace SameSite=Lax with SameSite=None for ASP.NET_SessionId in web.config in the following way:

<rewrite>
  <outboundRules>
    <rule name="AddSameSiteCookieFlag">
      <match serverVariable="RESPONSE_Set-Cookie" pattern="((.*)(ASP.NET_SessionId)(=.*))(SameSite=Lax)" />
      <action type="Rewrite" value="{R:1};SameSite=None" />
    </rule>
  </outboundRules>
</rewrite>

Update: To prevent the iOS problem, replace

<action type="Rewrite" value="{R:1};SameSite=None" />

with

<action type="Rewrite" value="{R:1};" />

Upvotes: 10

Stéphane

Reputation: 51

Works for me. Added to my web.config file:

<sessionState cookieSameSite="None"></sessionState>

Upgrade to .NET Framework 4.8 + installation of the patch: 2019-12 Cumulative Update for .NET Framework 3.5 and 4.8 for Windows 10 Version 1909 for x64 (KB4533002)

Upvotes: 5

C Rudolph

Reputation: 622

@zemien your solution correctly solved our Google Chrome issues.

We have an integration where our application is embedded in an iframe on a third party. Chrome version 80, released Feb 4 2020, prevented cookies from loading.

However, I had to modify the pattern to capture all cookies, add the Secure flag, and add a condition to not apply the rewrite on localhost for our local non-HTTPS environment:

<rule name="SessionCookieAddNoneHeader">
      <!-- The first group is lazy so that a trailing SameSite attribute (ASP.NET emits it last)
           lands in the optional second group and is dropped, instead of being kept by a greedy
           (.*) and then duplicated by the SameSite=None appended below -->
      <match serverVariable="RESPONSE_Set-Cookie" pattern="(.*?)(;\s*SameSite=[^;]*)?$" />
      <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
        <add input="{HTTP_HOST}" pattern="localhost" negate="true" />
      </conditions>
      <action type="Rewrite" value="{R:1}; SameSite=None; Secure" />
</rule>

Upvotes: 7
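To check what a server actually sends after any of the config or rewrite changes in this thread, here is an added Python audit (my own example, not code from any answer on this page) that parses Set-Cookie values and flags the combinations that Vasiliy Zverev's, c.almeida's and C Rudolph's answers ran into: SameSite=None without Secure, no SameSite at all, a Secure cookie served over plain http as on localhost, and a SameSite attribute that appears twice after a rewrite. The header values are constructed, not captured from a real site, and the SESSION_COOKIE_NAMES set and the finding codes are this example's own naming.

```python
# Constructed Set-Cookie values as a response might carry them
# (not captured from any real server).
SESSION_LAX = "ASP.NET_SessionId=abc123; path=/; HttpOnly; SameSite=Lax"
SESSION_NONE_NO_SECURE = "ASP.NET_SessionId=abc123; path=/; HttpOnly; SameSite=None"
SESSION_NONE_SECURE = "ASP.NET_SessionId=abc123; path=/; HttpOnly; SameSite=None; Secure"
FORMS_AUTH_UNSPECIFIED = ".ASPXAUTH=token; path=/; HttpOnly"
SESSION_REWRITTEN_TWICE = ("ASP.NET_SessionId=abc123; path=/; HttpOnly; "
                           "SameSite=Lax; SameSite=None; Secure")

# Cookie names this example treats as authentication material (own naming).
SESSION_COOKIE_NAMES = {"asp.net_sessionid", ".aspxauth"}


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs); attrs keeps header order
    as (lower-cased attribute name, attribute value) pairs. Empty segments such as
    the "; ;" a sloppy rewrite can leave behind are skipped."""
    segments = [s.strip() for s in header.split(";")]
    name, _, value = segments[0].partition("=")
    attrs = []
    for seg in segments[1:]:
        if not seg:
            continue
        attr_name, _, attr_value = seg.partition("=")
        attrs.append((attr_name.strip().lower(), attr_value.strip()))
    return name.strip(), value, attrs


def effective_samesite(attrs):
    """Lower-cased value of the last SameSite attribute, or None when absent
    (later attributes override earlier ones in the RFC 6265bis storage model)."""
    values = [v.lower() for a, v in attrs if a == "samesite"]
    return values[-1] if values else None


def audit_set_cookie(header, over_https=True):
    """Return the list of finding codes for one Set-Cookie value."""
    name, _, attrs = parse_set_cookie(header)
    attr_names = [a for a, _ in attrs]
    samesite = effective_samesite(attrs)
    secure = "secure" in attr_names
    findings = []
    if samesite == "none" and not secure:
        # Chrome 80+ rejects a SameSite=None cookie that is not also Secure.
        findings.append("samesite-none-without-secure")
    if samesite is None:
        # No attribute: Chrome 80+ treats it as Lax, so it is not sent from a third-party iframe.
        findings.append("samesite-unspecified")
    if attr_names.count("samesite") > 1:
        findings.append("duplicate-samesite")
    if secure and not over_https:
        # A Secure cookie set over plain http is dropped by the browser (the localhost case).
        findings.append("secure-over-http")
    if name.lower() in SESSION_COOKIE_NAMES and "httponly" not in attr_names:
        findings.append("session-cookie-without-httponly")
    return findings


def usable_in_third_party_iframe(header):
    """Chrome 80+ sends a cookie from a cross-site iframe only with SameSite=None and Secure."""
    _, _, attrs = parse_set_cookie(header)
    return effective_samesite(attrs) == "none" and "secure" in [a for a, _ in attrs]


def audit_response(headers, over_https=True):
    """Audit every Set-Cookie value of one response; returns {cookie name: findings}."""
    return {parse_set_cookie(h)[0]: audit_set_cookie(h, over_https) for h in headers}


if __name__ == "__main__":
    for h in (SESSION_LAX, SESSION_NONE_NO_SECURE, SESSION_NONE_SECURE,
              FORMS_AUTH_UNSPECIFIED, SESSION_REWRITTEN_TWICE):
        print(f"{h}\n  findings={audit_set_cookie(h)} "
              f"iframe_ok={usable_in_third_party_iframe(h)}")
```

Feed it the Set-Cookie headers of a real response (from the browser's network panel or a curl -i over HTTPS): every cookie that has to survive a cross-site iframe in Chrome 80+ must come back with an empty finding list and usable_in_third_party_iframe True, and a local http environment should be audited with over_https=False so the Secure flag added by the rewrite shows up as the reason cookies vanish there.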

H. J. van der Wijk

Reputation: 297

Add these options to web.config for SameSite=None, Lax or Strict:

<system.web>
    <httpCookies sameSite="None"/>
    <sessionState cookieSameSite="None" />
    <authentication mode="Forms">
        <forms cookieSameSite="None" />
    </authentication>
</system.web>

Upvotes: 28

Sadegh

Reputation: 699

I can't use rewrite, because UrlRewrite is not installed on all my customers' servers.

Finally I added cookieSameSite to my web.config:

<sessionState mode="StateServer" cookieSameSite="None" sqlConnectionString="data source=(local);user id=sa;password=" cookieless="false" timeout="20" />

Upvotes: 14
