5

As per the recent update from Google Chrome, it only allows cross-platform cookies which have the attribute

sameSite=None


Link: https://learn.microsoft.com/en-us/aspnet/samesite/system-web-samesite#net-versions-earlier-than-472

As per the above image, Microsoft doesn't provide built-in support for this attribute for versions lower than 4.7.2.

So, we are unable to set it while creating a cookie on the server side.

Is there any possible way we can create a cookie with the SameSite attribute?

Smit Patel
  • 2,992
  • 1
  • 26
  • 44
  • Is there a reason you can't update your project to .NET Framework 4.7.2 or later? Production environments will all be running .NET Framework 4.8 now anyway - even if your project targets an older version of 4.x. – Dai Sep 15 '20 at 05:41
  • @Dai Yes, we are on the way to switching the framework to 4.7.2, but until then we want these things up & running. – Smit Patel Sep 15 '20 at 05:43
  • Ok, but the code changes are also needed for the Prod environment to be up & running with this change, right? – Smit Patel Sep 15 '20 at 05:45
  • Why are you switching to .NET Framework 4.7.2 instead of 4.8? – Dai Sep 15 '20 at 05:54

3 Answers

5

UPDATE:

Assuming you have IIS' URL Rewrite Extension 2.0 installed (Azure App Services, nee Azure Websites, have this installed already) then you should look at @sreenath's answer as that solution should work for most users.

However (in my privileged position from within my ivory tower inside a giant egotistical bubble) there is no excuse for any project not already using .NET Framework 4.7.2 or later because the .NET Framework updates over the past 5+ years (Visual Studio 2013, onwards) have been largely additive and backwards-compatible. So I strongly urge developers to (try to) update their projects to .NET Framework 4.7.2 or 4.8 first before trying hacks like using IIS Rewrite to set the SameSite cookie parameter.

My original answer:

How to set cookie attribute Samesite = None for .Net Framework earlier of 4.7.2 (for 4.5.2)

Simply put: You can't.

The article you linked to explains why (emphasis mine):

Microsoft does not support .NET versions lower than 4.7.2 for writing the same-site cookie attribute. We have not found a reliable way to:

  • Ensure the attribute is written correctly based on browser version.
  • Intercept and adjust authentication and session cookies on older framework versions.

The only solution is to upgrade your project to .NET Framework 4.7.2 or later.

But the good news is that upgrading from .NET Framework 4.5 to 4.7.2 is easy with minimal, if any, backwards-compatibility issues. You don't even have to change anything in your web.config file (i.e. you can still use ASP.NET WebForms 4.5 with .NET Framework 4.8).

All you need to do is:

  1. Make a new git commit.
  2. Open your .csproj files in Notepad.
  3. Change <TargetFrameworkVersion>v4.5.2</TargetFrameworkVersion> to <TargetFrameworkVersion>v4.7.2</TargetFrameworkVersion>
  4. Save.
  5. Reopen your projects/solutions in Visual Studio and click rebuild.

The only problems you'll run into, in my experience, are:

  • Needing to refresh/reinstall NuGet packages, as NuGet really doesn't handle target-framework changes easily. This is straightforward to fix (just nuke your packages directory).
  • Non-NuGet dependencies (like old-school WinForms components, ew) that have special installation steps that for some reason have a hard dependency on a specific .NET Framework version - in which case I'll be very surprised if your component vendor doesn't have an update.

Of course, I'll still chide your product's managers for not ensuring that their project is kept in working-order for seven years (As .NET Framework 4.5.2 was released in 2013). Why isn't there a CI pipeline set-up to handle this automatically?

Dai
  • 141,631
  • 28
  • 261
  • 374
  • 2
    I am not sure how this is an answer, while this just says update the framework and the original question says they can't update. This answer is just pointing to the other answer. – Sreenath Sep 22 '20 at 09:51
  • @Sreenath The OP didn't say they "can't update" - they said they were currently updating to 4.7.2, but they were looking for a solution they could implement sooner. – Dai Sep 22 '20 at 09:56
5

You could achieve this by using IIS URL Rewrite module. This would need you to install the module on the Server itself, but this will give you the solution you are after I hope.

<rewrite>
  <outboundRules>
    <clear />
    <!-- Append SameSite=none to every outgoing Set-Cookie header that does not already carry it -->
    <rule name="Add SameSite" preCondition="No SameSite">
      <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
      <action type="Rewrite" value="{R:0}; SameSite=none;" />
      <conditions>
      </conditions>
    </rule>
    <preConditions>
      <!-- Fire only when a Set-Cookie header is present and lacks "; SameSite=none;" -->
      <preCondition name="No SameSite">
        <add input="{RESPONSE_Set_Cookie}" pattern="." />
        <add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=none;" negate="true" />
      </preCondition>
    </preConditions>
  </outboundRules>
</rewrite>
Sreenath
  • 101
  • 1
  • 5
  • 1
    This answer is great (+1) and I'm surprised Microsoft didn't mention it in their article. That said, the regex patterns in the `` could be tightened up, as a trailing semicolon isn't necessary and spaces can be optional so this rule might incorrectly match some outgoing responses. – Dai Sep 16 '20 at 23:46
  • @Dai I am very new to this url rewrite, happy to update / improve the answer. – Sreenath Sep 17 '20 at 13:51
  • Do we need to write this in Web.config file @Sreenath – Ankita Sep 19 '20 at 11:30
  • @ankita Yes. This will be under "system.webServer" section. – Sreenath Sep 20 '20 at 09:51
  • 1
    @Ankita Note that this solution requires your web-server to have the IIS URL Rewrite extension installed. – Dai Sep 22 '20 at 08:41
  • Actually, I just realised why Microsoft won't officially propose this as a solution: it's because some web-browsers (most notably older versions of macOS Safari and iOS Safari, and Internet Explorer 11 users who don't have a particular 2018 patch installed) actually treat `SameSite=None` the same as `SameSite=Strict` - **for those browsers the `SameSite` option should not be specified at all**. So if you need to support IE11 and/or certain versions of Safari used between 2016 and 2018 then there's no real solution at all :/ – Dai Sep 22 '20 at 09:59
  • 2
    to make it work for me, I had to also specify the Secure attribute. – Alex Jan 04 '21 at 18:08
1

The simplest way to achieve this for earlier .NET versions is to create the header directly: Response.Headers.Add("set-cookie", "mysessioncookie=theValue; path=/; SameSite=Strict")

Wolfgang Grinfeld
  • 870
  • 10
  • 11
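The direct-header approach from this answer, carried through for the cross-site (SameSite=None) case the question actually asks about, as an added example that is not code from this answer, any other answer, or Microsoft: it always adds Secure (Chrome only honours SameSite=None on Secure cookies, as Alex noted on the URL Rewrite answer) and omits SameSite entirely for the browsers Dai's comment describes as treating None like Strict. The class and method names are hypothetical; HttpResponse.AppendHeader and HttpRequest.UserAgent are real ASP.NET members, and the user-agent checks are constructed, deliberately narrow substring tests modelled on the detection logic in the Microsoft article linked in the question.

```csharp
// Added example (not code from any answer on this page): a hand-built Set-Cookie header
// for ASP.NET on .NET Framework < 4.7.2, where HttpCookie has no SameSite property.
// SameSiteCookies, BuildSetCookieHeader, BrowserRejectsSameSiteNone and AppendCrossSiteCookie
// are hypothetical names; HttpResponse.AppendHeader and HttpRequest.UserAgent are real ASP.NET members.
using System;
using System.Text;
using System.Web;

public static class SameSiteCookies
{
    // Clients that misread SameSite=None as SameSite=Strict (the Safari / iOS 12 issue raised
    // in the comments above). Constructed, narrow substring checks modelled on the detection
    // logic in the linked Microsoft article; extend the list if you have to support more clients.
    public static bool BrowserRejectsSameSiteNone(string userAgent)
    {
        if (string.IsNullOrEmpty(userAgent)) return false;

        // iOS 12 Safari and in-app WebViews
        if (userAgent.Contains("CPU iPhone OS 12") || userAgent.Contains("iPad; CPU OS 12")) return true;

        // macOS 10.14 Safari; other browsers on the same OS lack the "Version/" token and are not excluded
        if (userAgent.Contains("Macintosh; Intel Mac OS X 10_14")
            && userAgent.Contains("Version/") && userAgent.Contains("Safari")) return true;

        return false;
    }

    // Builds the header value. Rejects characters that would let a name or value smuggle in
    // extra attributes, a second cookie, or a second header line (';', ',' and CR/LF).
    public static string BuildSetCookieHeader(string name, string value, string path, bool httpOnly, string userAgent)
    {
        if (string.IsNullOrEmpty(name) || name.IndexOfAny(new[] { ';', '=', ' ', '\r', '\n' }) >= 0)
            throw new ArgumentException("Invalid cookie name", "name");
        if (value == null || value.IndexOfAny(new[] { ';', ',', ' ', '\r', '\n' }) >= 0)
            throw new ArgumentException("Cookie value must not contain ';', ',', whitespace or line breaks", "value");

        var sb = new StringBuilder();
        sb.Append(name).Append('=').Append(value);
        sb.Append("; Path=").Append(string.IsNullOrEmpty(path) ? "/" : path);
        if (httpOnly) sb.Append("; HttpOnly");

        // Chrome accepts SameSite=None only on Secure cookies (see Alex's comment above), so the
        // cookie is always marked Secure; it will consequently only be sent over HTTPS.
        sb.Append("; Secure");

        // For the incompatible browsers the attribute is omitted rather than set to None.
        if (!BrowserRejectsSameSiteNone(userAgent)) sb.Append("; SameSite=None");

        return sb.ToString();
    }

    // Call this from a page or handler instead of Response.Cookies.Add; AppendHeader writes the
    // raw header value, so the attributes reach the client exactly as built here.
    public static void AppendCrossSiteCookie(HttpResponse response, HttpRequest request, string name, string value)
    {
        response.AppendHeader("Set-Cookie", BuildSetCookieHeader(name, value, "/", true, request.UserAgent));
    }
}
```

Two consequences of writing the header by hand are worth keeping in mind: a cookie emitted this way never appears in Response.Cookies, so other code that inspects that collection (the forms-authentication and session modules included) will not see it, and because Secure is mandatory for SameSite=None the cookie is simply not sent on plain HTTP requests.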