
We have an ASP.NET based website. We have a requirement to run the site in a 3rd party's iframe. Various parts of the site recently stopped working in this iframe scenario and we've narrowed it down to users using Chrome and the AspNet.ApplicationCookie, as well as a couple of custom cookies, not being available while in the iframe (no issues running outside the iframe).

The site uses OWIN authentication, so I was able to upgrade to ASP.NET 4.8 and the OWIN Nuget packages. This allowed me to set the CookieSameSite property in the CookieAuthenticationOptions of the IAppBuilder. After that I can see the AspNet.ApplicationCookie was being marked as Secure and SameSite=None. Perfect.

For the custom cookies however, I can't seem to get the SameSite setting to work. Code for the cookie creation is:

HttpContext.Current.Response.SetCookie(new HttpCookie(key, value)
{
    Expires = expiration,            // absolute expiry supplied by the caller
    SameSite = SameSiteMode.None,    // intended to emit SameSite=None
    Secure = true                    // HTTPS-only; required alongside SameSite=None
});

These cookies work outside the iframe. Using Chrome and Firefox dev tools I see they are marked as Secure but the SameSite setting is not set (specifically shows "unspecified" in Firefox dev tools) so they are still unavailable when running in the iframe.

Some related things:

  • We installed the latest 4.8 version of the .NET Framework, so I don't believe we need to install any patches on the server to support SameSite.
  • Locally, the cookies' settings look correct. I can see cookies marked as Secure and SameSite=None. However this is failing on a load balanced server setup (2 Windows 2016 servers behind a load balancer).
  • Using chrome://flags/, I can set the SameSite by default cookies to Disabled and everything works as expected in the iframe. (I think this just validates that the issue is indeed SameSite).
  • I've tried to set the SameSite setting with config as well to no avail: <httpCookies requireSSL="true" sameSite="None" />

Am I creating the cookies wrong? Am I wrong about not needing a patch? Is there some way to determine if the load balancer is somehow to blame?

UPDATE - 8/17/2020

I've gotten no closer to explaining this. Something that does work for me is to use an outbound IIS rewrite to add "Secure; SameSite=None;" to all cookies - this seemed to be the common way to resolve this issue before the 4.7.2 and 4.8 updates.

The rewrite does ensure SameSite and Secure are set as expected. To me, that rules out the load balancer affecting cookies in any way.

If I am correct, that leaves just a code issue but, man, it seems pretty straightforward.

Jason Booth

0 Answers
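Added example (C#, not code from the question or from any answer): it puts the cookie creation shown above behind one helper so only cookies that genuinely have to be readable inside the third-party iframe get SameSite=None plus Secure, while every other cookie keeps the Lax default that protects it against cross-site request forgery. It also adds an Application_PreSendRequestHeaders hook that inspects the outgoing cookies on the web server itself, before the response reaches the load balancer, so a cookie that is still "unspecified" at that point is a code or framework issue rather than a balancer one. The class and method names (CrossSiteCookies, SetCrossSiteCookie, CountCookiesWithoutUsableSameSite, SameSiteAuditApplication) and the HttpOnly choice are assumptions; the (SameSiteMode)(-1) sentinel is the framework's own "do not emit the attribute" value on 4.7.2 and later.

```csharp
using System;
using System.Diagnostics;
using System.Web;

// Added example, not code from the question. Names below are assumptions.
public static class CrossSiteCookies
{
    // (SameSiteMode)(-1) is the framework's "do not emit a SameSite attribute"
    // value; it is also the default for a new HttpCookie on .NET 4.7.2+.
    private static readonly SameSiteMode Unspecified = (SameSiteMode)(-1);

    // Use this only for cookies that must be readable inside the 3rd-party iframe.
    // Everything else should keep the Lax default (CSRF protection).
    public static HttpCookie SetCrossSiteCookie(HttpResponse response,
                                                string key, string value,
                                                DateTime expiration)
    {
        var cookie = new HttpCookie(key, value)
        {
            Expires = expiration,
            HttpOnly = true,               // assumption: no client-side script reads it
            Secure = true,                 // browsers reject SameSite=None without Secure
            SameSite = SameSiteMode.None   // required for the cross-site (iframe) context
        };
        response.Cookies.Set(cookie);      // Set() replaces a cookie of the same name
        return cookie;
    }

    // Counts outgoing cookies that a browser will not send into a cross-site
    // iframe: no SameSite attribute at all, or SameSite=None without Secure.
    // Writes one trace warning per offending cookie.
    public static int CountCookiesWithoutUsableSameSite(HttpResponse response)
    {
        int bad = 0;
        foreach (string name in response.Cookies.AllKeys)
        {
            HttpCookie c = response.Cookies[name];
            if (c == null) continue;

            bool unusable = c.SameSite == Unspecified
                         || (c.SameSite == SameSiteMode.None && !c.Secure);
            if (unusable)
            {
                bad++;
                Trace.TraceWarning(
                    "Cookie '{0}' leaves the origin server without a usable SameSite attribute",
                    name);
            }
        }
        return bad;
    }
}

// Global.asax.cs hook (assumption: the project has a Global.asax and this class is
// its code-behind). PreSendRequestHeaders fires on the web server before the
// headers are written, i.e. before the load balancer can touch them.
public class SameSiteAuditApplication : HttpApplication
{
    protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        CrossSiteCookies.CountCookiesWithoutUsableSameSite(app.Response);
    }
}
```

Two checks follow from this. First, the warning count tells you whether the attribute is missing at the origin; if it is, compare the runtime on each of the two nodes, because on a .NET Framework 4.7.2 build without the late-2019 SameSite update SameSiteMode.None meant "do not emit the attribute", which is exactly the "unspecified" symptom described in the question. Second, request the page from each node directly (bypassing the balancer) and compare the raw Set-Cookie headers with what the balancer returns; if they differ, the balancer is rewriting headers. Either way, prefer scoping SameSite=None to the handful of cookies that need it over an outbound rewrite that relaxes every cookie the site sets.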