How to set SameSite cookie attribute to explicit None in ASP.NET Core

Chrome 76 will begin to support an explicit SameSite: None attribute

https://web.dev/samesite-cookies-explained/

I found that the current implementation of ASP.NET Core treats SameSiteMode.None as a no-op and does not send any attribute. How can I add a custom attribute to a cookie and thereby add an explicit SameSite: None to the cookie text?

Appending the attribute to the cookie value does not work as HttpResponse.Cookies.Append url-encodes the cookie value.

Answers:


Method 1

Same issue occurs in ASP.NET as in ASP.NET Core.

Until Microsoft produce a fix, a hack that’s working for me is to replace

myCookie.Path = "/";
myCookie.SameSite = SameSiteMode.None;     // has no effect

with

myCookie.Path = "/; SameSite=None";

This adds SameSite=None to the set-cookie header in the HTTP response.

Method 2

It’s now fixed in the latest release of all versions of .NET Framework and .NET Core (https://github.com/aspnet/AspNetCore/issues/12125).

I have multiple projects running on .NET Core 2.2 and after upgrading to 2.2.207, I don’t have the problem anymore.

Here is sample code from the ConfigureServices method of the Startup.cs file:

services.ConfigureApplicationCookie(options => {
     options.Cookie.SameSite = SameSiteMode.None;
});

Method 3

[Edit]
If you are using all DLLs and packages from NuGet, you have to ensure Microsoft.Net.Http.Headers is at version 2.2.8 or above.
After the last KB from Microsoft on 10 December 2019, it should be fixed in .NET Framework and .NET Core.

see:

  1. https://docs.microsoft.com/en-us/aspnet/samesite/system-web-samesite
  2. https://docs.microsoft.com/en-us/aspnet/samesite/kbs-samesite
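
A self-check for the fix described in Methods 2 and 3, added here as an example and not part of any answer: it appends a cookie with SameSiteMode.None through the normal API and confirms that the installed runtime writes an explicit SameSite=None together with Secure. SameSiteSelfCheck and the probe cookie are hypothetical names.

```csharp
using System;
using System.Linq;
using Microsoft.AspNetCore.Http;

// Added example: SameSiteSelfCheck and the "probe" cookie are hypothetical.
// Call Verify() from a unit test or once at application start.
public static class SameSiteSelfCheck
{
    // Returns the Set-Cookie text the installed runtime emits for a cookie
    // configured with SameSiteMode.None and Secure.
    public static string EmitProbeCookie()
    {
        var context = new DefaultHttpContext();
        context.Response.Cookies.Append("probe", "1", new CookieOptions
        {
            Path = "/",
            Secure = true,                // needed with cookies-without-same-site-must-be-secure
            HttpOnly = true,
            SameSite = SameSiteMode.None  // silently dropped on unpatched builds
        });
        return context.Response.Headers["Set-Cookie"].ToString();
    }

    // True only when the header carries both an explicit SameSite=None and Secure.
    public static bool EmitsExplicitNone(string setCookie)
    {
        var attributes = setCookie.Split(';')
            .Skip(1)                      // first segment is name=value
            .Select(a => a.Trim())
            .ToArray();
        bool hasNone = attributes.Any(a =>
            a.Equals("samesite=none", StringComparison.OrdinalIgnoreCase));
        bool hasSecure = attributes.Any(a =>
            a.Equals("secure", StringComparison.OrdinalIgnoreCase));
        return hasNone && hasSecure;
    }

    // Fails loudly instead of letting the cookie go out without the attribute.
    public static void Verify()
    {
        string header = EmitProbeCookie();
        if (!EmitsExplicitNone(header))
            throw new InvalidOperationException(
                "Runtime does not emit SameSite=None; update the ASP.NET Core packages. Header: " + header);
    }
}
```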

Method 4

response.Headers.Append("set-Cookie", $"{cookieName}={cookieValue}; path=/; SameSite=None; Secure"); seems to work as expected.

I tested this by enabling same-site-by-default-cookies and cookies-without-same-site-must-be-secure in Chrome Dev 76

Method 5

Other answers have mentioned the .Net Core fix, so I’ll skip that part.

The .Net Framework fix is provided via a “Quality Rollup”.

Here’s the KB for .Net 4.8.

Here’s the KB for .Net 4.7.2.

Here’s the relevant MSDN source.


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
