DreamTeK

Reputation: 34287

ASP.NET - Request.Cookies no longer working in Chrome V80+

In what is undoubtedly related to Chrome's SameSite cookie policies released recently, I am now having issues updating cookies in ASP.NET.


I have a simple cookie collection to store basic user settings. The cookie is both generated and updated using the code below.

SET COOKIE

If Response.Cookies("Settings") IsNot Nothing Then
  Dim cookie As HttpCookie = Request.Cookies("Settings")
  cookie("Setting01") = ddl.SelectedValue
  cookie.Expires = Date.Now.AddDays(365)
  Response.Cookies.Add(cookie)
End If

When the cookie is first created it appears correctly as below.


When the setting is updated and the code above is called a second time, the value is removed.



This only occurs in Chrome and only since I updated to Chrome V84.

I have made the following recent changes in web.config to accommodate SameSite requirements.

<sessionState cookieless="false" cookieSameSite="None" />
<httpCookies httpOnlyCookies="true" sameSite="None" requireSSL="true" />

WHERE IS THE ISSUE?

It is this part of the code that now returns nothing:

Request.Cookies("Settings")

Upvotes: 0

Views: 2126

Answers (2)

jcleigh

Reputation: 1

As of Aug. 11, 2020, Chromium is now targeting 100% of users with SameSite cookie changes. (source: https://www.chromium.org/updates/same-site)

SameSite cookies FAQ: https://www.chromium.org/updates/same-site/faq

Upvotes: 0
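
The Chromium change linked in the answer above, shown as an added example that is not part of the original answer: a small Python auditor that classifies Set-Cookie header values under the two Chrome 80+ rules (no SameSite attribute is treated as Lax; SameSite=None is rejected unless Secure is present). The function names and the sample headers are constructed for illustration.

```python
# Added example: audit Set-Cookie values against Chrome 80+ SameSite handling.
# Function names are hypothetical; sample headers below are constructed.

def parse_set_cookie(header):
    """Split a Set-Cookie value into (cookie name, attributes with lowercase keys)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def chrome80_verdict(header):
    """Return (name, effective SameSite mode or 'rejected', note)."""
    name, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    if samesite == "none":
        if "secure" not in attrs:
            return name, "rejected", "SameSite=None without Secure is dropped"
        return name, "none", "sent on cross-site requests over HTTPS"
    if samesite == "strict":
        return name, "strict", "sent on same-site requests only"
    if samesite == "lax":
        return name, "lax", "explicit Lax"
    return name, "lax", "missing or unrecognized SameSite: defaults to Lax"


# Constructed samples in the multi-value form ASP.NET emits for the Settings cookie.
SAMPLES = [
    "Settings=Setting01=dark; expires=Wed, 11 Aug 2021 10:00:00 GMT; path=/; HttpOnly",
    "Settings=Setting01=dark; path=/; HttpOnly; SameSite=None",
    "Settings=Setting01=dark; path=/; secure; HttpOnly; SameSite=None",
    "Settings=Setting01=dark; path=/; secure; HttpOnly; SameSite=Lax",
]


def audit(headers):
    """Classify every header; returns a list of verdict tuples."""
    return [chrome80_verdict(h) for h in headers]


if __name__ == "__main__":
    for name, effective, note in audit(SAMPLES):
        print(f"{name}: {effective} ({note})")
```

Run it over the Set-Cookie values captured from a response (for example from the browser's network panel) to see which cookies Chrome will keep and in which mode.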

DreamTeK

Reputation: 34287

SOLUTION

This issue was caused by not explicitly setting the SameSiteMode in code behind when creating a new cookie.

If Response.Cookies("Settings") IsNot Nothing Then
  Dim cookie As HttpCookie = Request.Cookies("Settings")
  cookie("Setting01") = ddl.SelectedValue
  cookie.Expires = Date.Now.AddDays(365)

  cookie.SameSite = SameSiteMode.Lax

  Response.Cookies.Add(cookie)
End If

Additionally, setting SameSiteMode.None will not work, presumably to enforce that this cookie originated from the same site.


BUT WHY?

I still don't fully understand why this is the case, because if you set in web.config

<httpCookies httpOnlyCookies="true" sameSite="Lax" requireSSL="true" />

then your newly created cookies are flagged as Lax in Chrome, and changing this setting is reflected like below:

However, if you now try to read that cookie from code behind, its value will be erased. This is not the case if you exclusively set it in code behind.

I am not sure what makes the cookie different, and it is more likely an issue with the way .NET is handling this.


Any additional intel on this answer would be intriguing.

Upvotes: 1
