In order to avoid CSRF (Cross-site request forgery) most browsers are (since late 2019) automatically considering that any cookie which does not define SameSite attribute explicitly will be considered as Lax, instead of None which was the previous default.
And more recently (Feb 2020, since Chrome 80) browsers are also ignoring cookies which define SameSite=None and are not secure.
How can I change my session cookies to be automatically changed to None (to keep my SSO integrations working) in my Web.config?
Best Answer
EDIT of 2020-08-03: Chrome 85 doesn't allow insecure SameSite=None cookies
I've updated code accordingly: 1) only apply
SameSite=None
if connection is https; 2) only applySecure;
if connection is https; 3) removeSameSite=None
if it's http and samesite was added by the attributes (rewrite rules)Original response:
This is a pure web.config solution which:
SameSite=None
SameSite=None
to any cookie which does not explicitly defines SameSite attribute (using methods that work in all versions of framework, in the worst case if some attribute is not accepted you can just remove it)Secure
attribute to any cookie which is not yet secure (as long as it's https request)SameSite=None
if it was applied by previous rules and it's not valid due to lack of httpsIf you don't use the the
<sessionState cookieSameSite="None" />
some newer ASP.NET Framework versions will by default render aSameSite=Lax
. And if you just had the rewrite rules addingSameSite=None
to all cookies you would get the SameSite attribute twice, which according to my tests work in SOME browsers like Chrome and Firefox (which will use the last occurrence of the SameSite attribute) but won't work in some like Edge (which uses the first occurrence of the attribute).Since this first tag
<sessionState cookieSameSite="None" />
will automatically setSameSite=None
but will not automatically addSecure
attribute, I've configuredSameSite=None
andSecure
as independent rules. If I had it all in a single rule I would end up with duplicated attributeSameSite=None
, which could break browsers (as explained above it's invalid and browsers may handle this inconsistently).The
Secure
is only added if it's HTTPS request, so if you're still accepting HTTP connections your session cookies won't have theSecure
added, which would make browsers ignore your cookie (and session wouldn't work at all). If you're behind a load balancer or reverse proxy you should use the HTTP_X_FORWARDED_PROTO attributeLast, there's a bug in some versions of Safari in which the browser doesn't understand
SameSite=None
and treat it asSameSite=Strict
. So for those specific versions you might decide not to renderSameSite=None
, although if not specified the default is stillSameSite=Lax
level, which might not be what you need (haven't found a solution for that).