
I have a .NET 4.5.2 web app in which I need to pass an authentication cookie in a cross-site context. I am setting SameSite=None by appending it to the cookie path:

FormsAuthentication.SetAuthCookie(myUser, false, $"{FormsAuthentication.FormsCookiePath}; SameSite=None; Secure");

Certain browsers are incompatible with SameSite=None (https://www.chromium.org/updates/same-site/incompatible-clients), and so I have to exclude it to support those browsers:

FormsAuthentication.SetAuthCookie(myUser, false, FormsAuthentication.FormsCookiePath);

In both cases, .NET is adding SameSite="Lax" to the cookie, so that in the first case the Set-Cookie header looks like:

AC7.AUTH=ABC; path=/; SameSite=None; secure; HttpOnly; SameSite=Lax

And in the second case:

AC7.AUTH=ABC; path=/; HttpOnly; SameSite=Lax

This seems to have been introduced when we installed the KB4530689 security update from Microsoft. We uninstalled that update, and it reverted to not appending "SameSite=Lax" to all cookies. I'm not sure how to mitigate this issue long term, whether Microsoft intended this behavior with older versions of .NET, or whether there is another solution I am just not seeing. Any help is appreciated.

makasan
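As an added example (not part of the question or of the answer below): a small Python audit that processes the two headers quoted above the way the RFC 6265bis storage model does, walking the attribute list in order so that a later SameSite attribute overrides an earlier one. It shows that the first header ends up as a Lax cookie, not None, and it also flags a SameSite=None cookie that lacks Secure. The FIXED header and the finding texts are constructed here.

```python
"""Audit Set-Cookie headers for duplicate or unsafe SameSite attributes.

Attribute handling follows the storage model of RFC 6265bis: the
cookie-attribute-list is walked in order, so a second SameSite attribute
overwrites the first. A header carrying both SameSite=None and SameSite=Lax
therefore yields a Lax cookie.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# The two headers quoted in the question, plus a constructed "fixed" header
# with a single SameSite=None and Secure (what the question wants to emit).
DOUBLE_SAMESITE = "AC7.AUTH=ABC; path=/; SameSite=None; secure; HttpOnly; SameSite=Lax"
APPENDED_LAX = "AC7.AUTH=ABC; path=/; HttpOnly; SameSite=Lax"
FIXED = "AC7.AUTH=ABC; path=/; SameSite=None; secure; HttpOnly"  # constructed


@dataclass
class ParsedCookie:
    name: str
    value: str
    # (attribute name lowercased, attribute value) in header order
    attributes: List[Tuple[str, str]] = field(default_factory=list)

    @property
    def same_site(self) -> str:
        """Effective SameSite after last-wins processing; "Default" if absent or unrecognised."""
        effective = "Default"
        for attr_name, attr_value in self.attributes:
            if attr_name == "samesite":
                effective = {"none": "None", "lax": "Lax", "strict": "Strict"}.get(
                    attr_value.lower(), "Default")
        return effective

    @property
    def secure(self) -> bool:
        return any(attr_name == "secure" for attr_name, _ in self.attributes)


def parse_set_cookie(header: str) -> ParsedCookie:
    """Split one Set-Cookie header value into its cookie-pair and attribute list."""
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError(f"malformed cookie-pair: {parts[0]!r}")
    attrs = []
    for part in parts[1:]:
        if part:
            attr_name, _, attr_value = part.partition("=")
            attrs.append((attr_name.strip().lower(), attr_value.strip()))
    return ParsedCookie(name.strip(), value.strip(), attrs)


def audit(header: str) -> List[str]:
    """Return human-readable findings; an empty list means the header is clean."""
    cookie = parse_set_cookie(header)
    findings = []
    samesite_values = [v for n, v in cookie.attributes if n == "samesite"]
    if len(samesite_values) > 1:
        findings.append(f"duplicate SameSite attributes {samesite_values}; "
                        f"last one wins, effective value is {cookie.same_site}")
    if cookie.same_site == "None" and not cookie.secure:
        findings.append("SameSite=None without Secure; browsers following "
                        "RFC 6265bis reject such a cookie")
    if cookie.same_site in ("Lax", "Strict"):
        findings.append(f"effective SameSite={cookie.same_site}: cookie is withheld "
                        "from cross-site iframes and cross-site POSTs")
    return findings


if __name__ == "__main__":
    for label, header in [("double", DOUBLE_SAMESITE), ("appended", APPENDED_LAX), ("fixed", FIXED)]:
        print(label, parse_set_cookie(header).same_site, audit(header) or ["OK"])
```

Run it against the raw Set-Cookie line captured from the server (a proxy or `curl -i` will show the header before any browser has normalised it); the effective value is what matters for the iframe case, and for the first header above that value is Lax.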

1 Answer


I have been fighting this one as well. See https://learn.microsoft.com/en-us/aspnet/samesite/system-web-samesite. We use an iframe, and so a possible solution is to use a web.config change ... <forms cookieSameSite="None" />

judek
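A fuller web.config fragment, added here as an illustration and not taken from the answer or from Microsoft's page. It assumes a runtime that carries Microsoft's SameSite servicing update (the linked page lists which .NET Framework versions have the cookieSameSite and sameSite attributes), reuses the cookie name from the question, and uses a placeholder loginUrl.

```xml
<configuration>
  <system.web>
    <!-- Forms authentication ticket cookie (the AC7.AUTH cookie from the question).
         cookieSameSite="None" emits SameSite=None once, from the framework itself,
         instead of smuggling it through the cookie path. requireSSL="true" adds
         Secure, which SameSite=None needs to be accepted. -->
    <authentication mode="Forms">
      <forms name="AC7.AUTH" loginUrl="~/Login" cookieSameSite="None" requireSSL="true" />
    </authentication>
    <!-- Default for every other cookie the app writes through Response.Cookies. -->
    <httpCookies sameSite="Lax" requireSSL="true" httpOnlyCookies="true" />
  </system.web>
</configuration>
```

With this in place the path argument passed to FormsAuthentication.SetAuthCookie should go back to the plain FormsAuthentication.FormsCookiePath, so the header no longer carries two SameSite attributes. The configuration alone does not help with the browsers on the incompatible-clients list the question links to; omitting the attribute for those still needs a user-agent check in code.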