Afshin

Reputation: 149

Change SameSite attribute for FedAuth cookie?

I am having difficulty changing the SameSite attribute in an ASP.NET MVC application. Here is the scenario: I'm trying to load my ASP.NET application inside an iframe and, because of the changes in Google Chrome 80+, I need to set the SameSite attribute on the cookies to be able to use the authentication cookie in the iframe. I followed this link: SameSite Cookie

and applied the changes, but for some reason this doesn't change the SameSite attribute for the FedAuth and FedAuth cookie. Here is the code for creating the session cookie:

// Issue the WIF session token manually (principal and isPersistant are defined elsewhere)
SessionAuthenticationModule session = FederatedAuthentication.SessionAuthenticationModule;
SessionSecurityToken sToken = session.CreateSessionSecurityToken(principal, null, DateTime.UtcNow, DateTime.UtcNow.AddHours(24), isPersistant);
// Validate the token and attach it to the current request
session.AuthenticateSessionSecurityToken(sToken, true);
// Write the FedAuth cookie(s) to the response
session.WriteSessionTokenToCookie(sToken);

web.config

<httpRuntime requestValidationMode="2.0" maxRequestLength="28672" targetFramework="4.7.2" encoderType="System.Web.Security.AntiXss.AntiXssEncoder, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>

<compilation debug="true" targetFramework="4.7.2"/>
<httpCookies httpOnlyCookies="true" sameSite="None" requireSSL="true"/>
<authentication mode="Forms">
  <forms requireSSL="true" cookieSameSite="None"/>
</authentication>
<sessionState cookieSameSite="None"/>

<system.identityModel.services>
  <federationConfiguration>
    <cookieHandler mode="Default" requireSsl="true" persistentSessionLifetime="0.06:00:00" path="/"/>
  </federationConfiguration>
</system.identityModel.services>

Do you have any suggestions?

Upvotes: 4

Views: 1408

Answers (1)

ISmarsh

Reputation: 11

I'm still new to working with wsfed, but adding this to my Global.asax.cs seemed to work for me:

// Auto-wired by ASP.NET (module name + "_" + event name); runs after the
// WS-Federation module has written the FedAuth cookie(s) to the response.
void WSFederationAuthenticationModule_SignedIn(object sender, EventArgs e)
{
  foreach (string key in Response.Cookies.AllKeys)
  {
    // Covers FedAuth and the chunked FedAuth1, FedAuth2, ... cookies
    if (key.StartsWith("FedAuth"))
    {
      var cookie = Response.Cookies[key];

      // SameSite=None must be paired with Secure or Chrome 80+ drops the cookie
      cookie.SameSite = SameSiteMode.None;
      cookie.Secure = true;
    }
  }
}

Upvotes: 1
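The answer above covers the case where the WS-Federation module itself writes the cookie. The code in the question, however, writes the session token manually with WriteSessionTokenToCookie, a path on which the SignedIn event does not fire. The following Global.asax.cs is an added example (not the asker's or the answerer's code) that puts the attribute fix in one helper and applies it on both paths. It assumes an ASP.NET MVC application on .NET Framework 4.7.2 or later, where HttpCookie.SameSite and SameSiteMode exist, and WIF (System.IdentityModel.Services) issuing the FedAuth cookie; the namespace MyApp, the method IssueSessionCookie and its parameters principal and isPersistent are hypothetical.

```csharp
// Global.asax.cs (added example; assumes .NET Framework 4.7.2+ and WIF)
using System;
using System.IdentityModel.Services;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Web;

namespace MyApp // hypothetical namespace
{
    public class MvcApplication : HttpApplication
    {
        // Marks every FedAuth* cookie already queued in the outgoing response
        // (FedAuth plus the FedAuth1, FedAuth2, ... chunks WIF writes for large
        // tokens) as SameSite=None; Secure. Chrome 80+ discards SameSite=None
        // cookies that are not also Secure, so the two attributes travel together.
        // Returns the number of cookies touched, which makes the effect easy to log.
        internal static int ApplySameSiteNoneToFedAuthCookies(HttpResponse response)
        {
            int touched = 0;
            foreach (string key in response.Cookies.AllKeys)
            {
                if (!key.StartsWith("FedAuth", StringComparison.Ordinal))
                    continue;

                HttpCookie cookie = response.Cookies[key];
                cookie.SameSite = SameSiteMode.None;
                cookie.Secure = true;
                cookie.HttpOnly = true; // the session token is never needed by script
                touched++;
            }
            return touched;
        }

        // Path 1: the WS-Federation module signed the user in and wrote the cookie.
        // Auto-wired by ASP.NET from the module name and event name.
        void WSFederationAuthenticationModule_SignedIn(object sender, EventArgs e)
        {
            ApplySameSiteNoneToFedAuthCookies(Response);
        }

        // Path 2: the application issues the session token itself, as in the
        // question. SignedIn does not fire here, so the attributes are applied
        // immediately after WriteSessionTokenToCookie has queued the cookie(s).
        // 'principal' and 'isPersistent' are hypothetical parameters.
        internal static void IssueSessionCookie(ClaimsPrincipal principal, bool isPersistent)
        {
            SessionAuthenticationModule session = FederatedAuthentication.SessionAuthenticationModule;
            SessionSecurityToken token = session.CreateSessionSecurityToken(
                principal, null, DateTime.UtcNow, DateTime.UtcNow.AddHours(24), isPersistent);
            session.AuthenticateSessionSecurityToken(token, true);
            session.WriteSessionTokenToCookie(token);

            ApplySameSiteNoneToFedAuthCookies(HttpContext.Current.Response);
        }
    }
}
```

Two points worth keeping in mind when adopting this. SameSite=None deliberately restores cross-site sending of the authentication cookie, which is the behaviour CSRF relies on, so the framed application should keep anti-forgery tokens on every state-changing request. And because Secure cookies are only sent over HTTPS, the iframe host page and the framed application both need to be served over TLS, which is consistent with the requireSSL settings already in the question's web.config.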
