In what is undoubtedly related to Chrome's SameSite cookie policies released recently, I am now having issues updating cookies in ASP.NET.
I have a simple cookie collection to store basic user settings.
The cookie is both generated and updated using the code below.
SET COOKIE
    If Response.Cookies("Settings") IsNot Nothing Then
        Dim cookie As HttpCookie = Request.Cookies("Settings")
        cookie("Setting01") = ddl.SelectedValue
        cookie.Expires = Date.Now.AddDays(365)
        Response.Cookies.Add(cookie)
    End If
When the cookie is first created it appears correctly as below.
When the setting is updated and the code above called a second time the value is removed.
This only occurs in Chrome and only since I updated to Chrome V84.
I have made the following recent changes in web.config to accommodate SameSite requirements.
    <sessionState cookieless="false" cookieSameSite="None" />
    <httpCookies httpOnlyCookies="true" sameSite="None" requireSSL="true" />
WHERE IS THE ISSUE?
It is this part of the code that now returns nothing
Request.Cookies("Settings")
Answers:
Method 1
SOLUTION
This issue was caused by not explicitly setting the SameSiteMode in code behind when creating a new cookie.
    If Response.Cookies("Settings") IsNot Nothing Then
        Dim cookie As HttpCookie = Request.Cookies("Settings")
        cookie("Setting01") = ddl.SelectedValue
        cookie.Expires = Date.Now.AddDays(365)
        ' Set SameSite explicitly on the cookie in code behind
        cookie.SameSite = SameSiteMode.Lax
        Response.Cookies.Add(cookie)
    End If
Additionally, setting SameSiteMode.None will not work. Presumably to enforce that this cookie originated from the same site.
BUT WHY?
I still don’t fully understand why this is the case because if you set in web.config
<httpCookies httpOnlyCookies="true" sameSite="Lax" requireSSL="true" />
Then your newly created cookies are flagged as Lax in Chrome and changing this setting is reflected like below:
However, if you now try to read that cookie from code behind, its value will be erased.
This is not the case if you exclusively set it in code behind.
I am not sure what makes the cookie different, and it is more likely an issue with the way .NET is handling this.
Any additional intel on this answer would be intriguing.
Method 2
As of Aug. 11, 2020, Chromium is now targeting 100% of users with SameSite cookie changes. (source: https://www.chromium.org/updates/same-site)
SameSite cookies FAQ: https://www.chromium.org/updates/same-site/faq
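As an added example (not part of the original answers), the following Python script classifies `Set-Cookie` header values by the Chrome rules described on the Chromium pages linked above: a cookie with no SameSite attribute is treated as Lax, and `SameSite=None` is rejected unless `Secure` is also set. The header strings and function names are constructed for illustration; in practice the headers would be copied from the browser's network panel.

```python
# Added example: classify Set-Cookie headers by how Chrome 80+ applies SameSite.
# The header values below are constructed samples, not captured from the poster's site.

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attrs); attribute names lowercased."""
    parts = [p.strip() for p in header.split(";")]
    # Only the first "=" separates name from value (ASP.NET sub-keys contain "=").
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def chrome_samesite_verdict(header):
    """Return (cookie name, verdict) under Chrome's SameSite-by-default rules."""
    name, _, attrs = parse_set_cookie(header)
    mode = attrs.get("samesite", "").lower()
    secure = "secure" in attrs
    if mode == "none":
        # SameSite=None is only accepted together with the Secure attribute.
        return name, "cross-site allowed" if secure else "rejected: SameSite=None without Secure"
    if mode == "strict":
        return name, "same-site only (Strict)"
    if mode == "lax":
        return name, "Lax (explicit)"
    # Missing or unrecognised SameSite value: Chrome treats the cookie as Lax.
    return name, "Lax (browser default)"


SAMPLE_HEADERS = [  # constructed
    "Settings=Setting01=dark; expires=Wed, 11 Aug 2021 10:00:00 GMT; path=/; secure; HttpOnly; SameSite=Lax",
    "Settings=Setting01=dark; path=/; HttpOnly; SameSite=None",
    "Settings=Setting01=dark; path=/; secure; HttpOnly; SameSite=None",
    "Settings=Setting01=dark; path=/; HttpOnly",
]


def audit(headers):
    return [chrome_samesite_verdict(h) for h in headers]


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_HEADERS):
        print(f"{name}: {verdict}")
```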
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.


