Reputation: 9398
Read about the SameSite changes enforced to prevent Cross-Site Forgery.
Source: https://blog.chromium.org/2019/10/developers-get-ready-for-new.html
I'm trying to set its value to "None" and use Secure as advertised.
My current web.config setting is as below:
```xml
<system.web>
  <sessionState cookieless="UseCookies"
                timeout="20"
                cookieSameSite="None"
                xdt:Transform="Replace"
                xdt:Locator="Match(cookieless)"/>
</system.web>
```
Documentation Source: https://learn.microsoft.com/en-us/dotnet/api/system.web.configuration.sessionstatesection.cookiesamesite?view=netframework-4.8#System_Web_Configuration_SessionStateSection_CookieSameSite
But still I get the below error:
A cookie associated with a resource at `mywebsite.net` was set with `SameSite=None` but without `Secure`. A future release of Chrome will only deliver cookies marked `SameSite=None` if they are also marked `Secure`.
How do I specify the secure attribute in the above web.config file? Any leads will be much appreciated.
Upvotes: 4
Views: 29915
Reputation: 18876
You can also set it per cookie creation:
```csharp
using SameSiteMode = Microsoft.AspNetCore.Http.SameSiteMode;
// ...
context.HttpContext.Response.Cookies.Append(cookie.Key, cookie.Value,
    new CookieOptions { SameSite = SameSiteMode.None, Secure = true });
```
Upvotes: 0
Reputation: 76
According to this link from Microsoft, sessionState doesn't have that attribute so it falls back to the httpCookies section. https://learn.microsoft.com/en-us/aspnet/samesite/system-web-samesite Hope that helps.
Upvotes: 6
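An added example, not part of the original question or answers: a small audit of an effective (already transformed) web.config that flags `SameSite=None` cookie settings lacking `requireSSL="true"` on `httpCookies`, the fallback the answer above describes. Both config samples and the function name `audit_samesite` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the question's sessionState setting, no httpCookies section.
WEAK = """<configuration><system.web>
  <sessionState cookieless="UseCookies" timeout="20" cookieSameSite="None" />
</system.web></configuration>"""

# Constructed sample: same setting plus httpCookies requireSSL="true",
# which marks cookies issued by the application as Secure.
FIXED = """<configuration><system.web>
  <httpCookies requireSSL="true" sameSite="None" />
  <sessionState cookieless="UseCookies" timeout="20" cookieSameSite="None" />
</system.web></configuration>"""


def audit_samesite(web_config_xml):
    """Return findings for SameSite=None settings that will lack Secure."""
    root = ET.fromstring(web_config_xml)
    web = next(root.iter("system.web"), None)
    if web is None:
        return ["no <system.web> section found"]
    http_cookies = web.find("httpCookies")
    session = web.find("sessionState")
    # requireSSL is false when the section or the attribute is absent.
    require_ssl = (
        http_cookies is not None
        and http_cookies.get("requireSSL", "false").lower() == "true"
    )
    if require_ssl:
        return []
    findings = []
    if session is not None and session.get("cookieSameSite", "").lower() == "none":
        findings.append(
            "sessionState cookieSameSite=None without httpCookies requireSSL=true")
    if http_cookies is not None and http_cookies.get("sameSite", "").lower() == "none":
        findings.append("httpCookies sameSite=None without requireSSL=true")
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK), ("fixed", FIXED)):
        print(name, audit_samesite(doc) or "ok")
```

With `requireSSL="true"` the cookies are only sent over HTTPS, so the site has to be served over TLS for sessions to keep working.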