Reputation: 1
I develop hybrid website applications. It means that a main application, e.g. www.zyjangi.pl, serves content for other websites like www.langia.pl or www.staria.pl.
This content of the main website is loaded into iframes in the child websites. Iframes seem to be a simple and convenient way to share content.
Because of that it is easy to share e.g. the same calendar or events on many pages.
The main website and the child websites are hosted at different providers. The main application is developed in ASP.NET MVC and runs on the .NET Framework 4.8. I'm using Forms Authentication to log in, i.e.
FormsAuthentication.SetAuthCookie(model.Login, model.RememberMe);
The login form is in the main application and runs in an iframe in the child application.
In the web.config file I set "SameSite" to "None" for authentication and session.
<forms loginUrl="~/Account/Login" cookieSameSite="None" requireSSL="true" timeout="2880" />
<sessionState cookieSameSite="None" timeout="60" />
Unfortunately with this configuration the "SameSite" attribute is completely omitted from the .ASPXAUTH cookie.
When cookieSameSite="Lax" or cookieSameSite="Strict", the attribute is added, but when cookieSameSite="None", the attribute is omitted.
In this architecture scenario the new version of "Google Chrome" expects the cookie to be explicitly set to "SameSite=None", and because of this problem the application doesn't work properly in "Google Chrome".
Google Chrome sends the following message and the user is not logged in:
This Set-Cookie didn't specify a "SameSite" attribute and was defaulted to "SameSite=Lax", and was blocked because it came from cross-site response which was not the response to a top-level navigation.
The Set-Cookie had to have been set with "SameSite=None" to enable cross-site usage.
Setting the "SameSite" attribute during interception, e.g.
var cookie = Response.Cookies[".ASPXAUTH"];
if (cookie != null)
{
cookie.Secure = true;
cookie.SameSite = SameSiteMode.Strict;
}
doesn't work either. The attribute is omitted in the response.
You can check this on the www.langia.pl website.
It works properly in Firefox or Edge but doesn't in Chrome. The user cannot log in to the application.
What can I do to force adding the "SameSite=None" attribute to the response?
Is there any "workaround" to overcome this issue?
Upvotes: 0
Views: 1705
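As an added example (not code from the question or from the answer below), the following IHttpModule for ASP.NET on the .NET Framework rewrites the raw Set-Cookie headers just before they are sent, so that the authentication and session cookies carry an explicit "SameSite=None; Secure". Because it edits the header text rather than assigning SameSiteMode.None, it does not depend on how the installed framework build serializes that enum value, which is the behaviour the question runs into. It assumes the IIS integrated pipeline, that the module is registered under <system.webServer><modules> in web.config, and that the site is served over HTTPS (Chrome rejects SameSite=None without the Secure flag). The cookie names are the framework defaults; FormsAuthentication.FormsCookieName picks up a renamed forms cookie automatically.

```csharp
// Added example, not the question's or the answer's code.
// Registration (web.config), assumed:
//   <system.webServer>
//     <modules>
//       <add name="SameSiteNone" type="SameSiteNoneModule" />
//     </modules>
//   </system.webServer>
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Security;

public class SameSiteNoneModule : IHttpModule
{
    // Only cookies that really are read from inside the child sites' iframes
    // get the cross-site attribute; every other cookie keeps the browser's
    // Lax default, which is the safer setting.
    private static readonly HashSet<string> CrossSiteCookies =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            FormsAuthentication.FormsCookieName, // ".ASPXAUTH" unless renamed in <forms name="...">
            "ASP.NET_SessionId"                  // default <sessionState> cookie name
        };

    public void Init(HttpApplication app)
    {
        app.PreSendRequestHeaders += OnPreSendRequestHeaders;
    }

    public void Dispose() { }

    private static void OnPreSendRequestHeaders(object sender, EventArgs e)
    {
        HttpResponse response = ((HttpApplication)sender).Context.Response;
        string[] setCookies = response.Headers.GetValues("Set-Cookie");
        if (setCookies == null || setCookies.Length == 0)
        {
            return;
        }

        string[] rewritten = setCookies.Select(EnsureCrossSiteAttributes).ToArray();
        if (rewritten.SequenceEqual(setCookies, StringComparer.Ordinal))
        {
            return; // nothing to change, leave the headers untouched
        }

        // Replace the whole Set-Cookie group with the rewritten values.
        response.Headers.Remove("Set-Cookie");
        foreach (string header in rewritten)
        {
            response.Headers.Add("Set-Cookie", header);
        }
    }

    // Pure helper: takes one Set-Cookie header value and returns it with
    // "Secure" and "SameSite=None" guaranteed for the listed cookies.
    // Any SameSite value the framework did emit (e.g. Lax) is replaced;
    // cookies not in the list are returned unchanged.
    public static string EnsureCrossSiteAttributes(string setCookie)
    {
        int eq = setCookie.IndexOf('=');
        if (eq <= 0)
        {
            return setCookie;
        }
        string name = setCookie.Substring(0, eq).Trim();
        if (!CrossSiteCookies.Contains(name))
        {
            return setCookie;
        }

        // Split into "name=value" plus attributes and drop the ones we own,
        // then append them in the form Chrome expects.
        List<string> parts = setCookie.Split(';')
            .Select(p => p.Trim())
            .Where(p => p.Length > 0)
            .Where(p => !p.Equals("Secure", StringComparison.OrdinalIgnoreCase)
                     && !p.StartsWith("SameSite=", StringComparison.OrdinalIgnoreCase))
            .ToList();
        parts.Add("Secure");
        parts.Add("SameSite=None");
        return string.Join("; ", parts);
    }
}
```

Two points worth keeping in mind with this approach: SameSite=None switches off the browser's default cross-site protection for exactly these cookies, so the MVC anti-forgery token on state-changing actions is the control that remains against CSRF and should stay in place on every POST; and older Safari and iOS 12 builds mis-handle SameSite=None as Strict, so the module should only rewrite the header for user agents known to accept the attribute if those clients matter to the deployment.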
Reputation: 41
This is what I tried:
The cookie SameSite attribute changes when you log in again (it will not change with a page refresh).
I've also added these values to web.config:
<httpCookies requireSSL="true" />
<sessionState cookieSameSite="None"></sessionState>
I solved it this way.
Upvotes: 0