How SameSite attribute added to the Asp.net_SessionID cookie automatically

asp.netiissamesite

Recently samesite=lax add automatically to my session cookie!
this attribute just add to sessionID:
"Set-Cookie ASP.NET_SessionId=zana3mklplqwewhwvika2125; path=/; HttpOnly; **SameSite=Lax**"

My website hosted on IIS 8.5, Windows 2012 R2, and dont have WAF or UrlRewrite and I turn off AntiVirus (kasper).

but yet have same problem on some customer servers.

any idea?

EDITED:
I Find this:
https://support.microsoft.com/en-us/help/4524419/kb4524419

ASP.NET will now emit a SameSite cookie header when HttpCookie.SameSite value is 'None' to accommodate upcoming changes to SameSite cookie handling in Chrome. As part of this change, FormsAuth and SessionState cookies will also be issued with SameSite = 'Lax' instead of the previous default of 'None', though these values can be overridden in web.config.

How can i overridde samesite cookies for SessionState in web.config?
i add this line, but it not work on SessionID cookie!
<httpCookies sameSite="Unspecified" />

EDITED: I find this: https://docs.microsoft.com/en-us/dotnet/api/system.web.configuration.sessionstatesection.cookiesamesite?view=netframework-4.8#System_Web_Configuration_SessionStateSection_CookieSameSite

Set samesite for stateserver by "cookieSameSite" attribute of SessionState tag.

Best Answer

Add these options to web.config for sameSite=None , Lax or Strict

<system.web>
    <httpCookies sameSite="None"/>
    <sessionState cookieSameSite="None" />
    <authentication mode="Forms">
        <forms cookieSameSite="None" />
    </authentication>

Related Solutions

How to reduce SameSite cookie attribute back to None in ASP.NET

EDIT of 2020-08-03: Chrome 85 doesn't allow insecure SameSite=None cookies
I've updated code accordingly: 1) only apply SameSite=None if connection is https; 2) only apply Secure; if connection is https; 3) remove SameSite=None if it's http and samesite was added by the attributes (rewrite rules)

Original response:

This is a pure web.config solution which:

Defines that session cookies should be rendered with SameSite=None
Appends SameSite=None to any cookie which does not explicitly defines SameSite attribute (using methods that work in all versions of framework, in the worst case if some attribute is not accepted you can just remove it)
Appends Secure attribute to any cookie which is not yet secure (as long as it's https request)
Removed SameSite=None if it was applied by previous rules and it's not valid due to lack of https

<!-- This sets ASP.NET_SessionId cookie to SameSite=None, 
avoiding the default of current frameworks which is LAX -->
<system.web>

<!-- in newer framework versions you have to change the samesite 
level like by changing this default level -->
<!-- in old versions these attributes might not be allowed
and in case (if they don't work) just ignore/skip them -->

<sessionState cookieSameSite="None" />
<httpCookies sameSite="None"/>
<authentication mode="Forms">
    <forms ..... cookieSameSite="None" />
</authentication>

...
</system.web>
...
<system.webServer>
<rewrite>
   <outboundRules>
    <!-- for old versions the only solution is to intercept/modify cookies -->

    <!-- Add "SameSite=None" to any cookie which does NOT have it yet -->
    <!-- currently this only works for secure https cookies -->
    <rule name="Add SameSite">
     <conditions>
      <add input="{RESPONSE_Set_Cookie}" pattern="." />
      <add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=None" negate="true" />
      <add input="{HTTPS}" pattern="on" ignoreCase="true" />
     </conditions>
     <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
     <action type="Rewrite" value="{R:0}; SameSite=None" />
    </rule>

    <!-- Add "Secure" to any cookie which does NOT have it yet, as long as it's HTTPS request or else a secure cookie would just be ignored -->
    <rule name="Add Secure">
     <conditions>
        <add input="{RESPONSE_Set_Cookie}" pattern="." />
        <add input="{RESPONSE_Set_Cookie}" pattern="; Secure" negate="true" />
        <add input="{HTTPS}" pattern="on" ignoreCase="true" />
     </conditions>
     <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
     <action type="Rewrite" value="{R:0}; Secure" />
    </rule>

    <!-- If samesite was set to none by cookieSameSite="None", -->
    <!-- remove it for non-https requests (currently only works for https) -->
    <rule name="No SameSite For HTTP">
     <conditions>
      <add input="{HTTPS}" pattern="off" ignoreCase="true" />
     </conditions>
     <match serverVariable="RESPONSE_Set_Cookie" pattern="(.*);(\s*)SameSite=None" />
     <action type="Rewrite" value="{R:1}" />
    </rule>


   </outboundRules>
</rewrite>
</system.webServer>

If you don't use the the <sessionState cookieSameSite="None" /> some newer ASP.NET Framework versions will by default render a SameSite=Lax. And if you just had the rewrite rules adding SameSite=None to all cookies you would get the SameSite attribute twice, which according to my tests work in SOME browsers like Chrome and Firefox (which will use the last occurrence of the SameSite attribute) but won't work in some like Edge (which uses the first occurrence of the attribute).

Since this first tag <sessionState cookieSameSite="None" /> will automatically set SameSite=None but will not automatically add Secure attribute, I've configured SameSite=None and Secure as independent rules. If I had it all in a single rule I would end up with duplicated attribute SameSite=None, which could break browsers (as explained above it's invalid and browsers may handle this inconsistently).

The Secure is only added if it's HTTPS request, so if you're still accepting HTTP connections your session cookies won't have the Secure added, which would make browsers ignore your cookie (and session wouldn't work at all). If you're behind a load balancer or reverse proxy you should use the HTTP_X_FORWARDED_PROTO attribute

Last, there's a bug in some versions of Safari in which the browser doesn't understand SameSite=None and treat it as SameSite=Strict. So for those specific versions you might decide not to render SameSite=None, although if not specified the default is still SameSite=Lax level, which might not be what you need (haven't found a solution for that).

C# – A cookie associated with a cross-site resource at “URL” was set without the `SameSite` attribute

From the OWASP cheatsheet for setting same site cookies to mitigate CSRF, when setting the same site attribute to none we have to set the secure flag on the cookie as well. This can be done by referring to this question adding httponly and secure flag for set cookie in java web application

All desktop browsers and almost all mobile browsers now support the SameSite attribute. To keep track of the browsers implementing it and the usage of the attribute, refer to the following service. Note that Chrome has announced that they will mark cookies as SameSite=Lax by default from Chrome 80 (due in February 2020), and Firefox and Edge are both planning to follow suit. Additionally, the Secure flag will be required for cookies that are marked as SameSite=None.

Best Answer

Related Solutions

How to reduce SameSite cookie attribute back to None in ASP.NET

C# – A cookie associated with a cross-site resource at “URL” was set without the `SameSite` attribute

Related Topic