
Recently SameSite=Lax has been added automatically to my session cookie! This attribute is only added to the SessionID: "Set-Cookie ASP.NET_SessionId=zana3mklplqwewhwvika2125; path=/; HttpOnly; **SameSite=Lax**"

My website is hosted on IIS 8.5, Windows 2012 R2, and does not have a WAF or UrlRewrite, and I turned off the antivirus (kasper).

But I still have the same problem on some customer servers.

Any idea?

EDITED: I found this: https://support.microsoft.com/en-us/help/4524419/kb4524419

ASP.NET will now emit a SameSite cookie header when HttpCookie.SameSite value is 'None' to accommodate upcoming changes to SameSite cookie handling in Chrome. As part of this change, FormsAuth and SessionState cookies will also be issued with SameSite = 'Lax' instead of the previous default of 'None', though these values can be overridden in web.config.

How can I override SameSite cookies for SessionState in web.config? I added this line, but it does not work on the SessionID cookie! <httpCookies sameSite="Unspecified" />

EDITED: I found this: https://learn.microsoft.com/en-us/dotnet/api/system.web.configuration.sessionstatesection.cookiesamesite?view=netframework-4.8#System_Web_Configuration_SessionStateSection_CookieSameSite

Set SameSite for StateServer with the "cookieSameSite" attribute of the sessionState tag.

Elliott Beach
Sadegh
  • Have you got it resolved by adding “ – Jokies Ding Dec 02 '19 at 08:28
  • I receive the same message in IIS, but it works and changes the SameSite value at Set-Cookie time. I added cookieSameSite="None" to my web.config to get the previous behavior. Notice that cookieSameSite is case-sensitive. – Sadegh Dec 02 '19 at 10:55
  • I just had to patch a 4.5.2 legacy site for this - SameSite wasn't supported by the configs so I had to intercept the cookie on Session_Start and rewrite it directly with "SameSite=None; Secure" added. – ParanoidCoder Feb 13 '20 at 01:27
  • @ParanoidCoder thank you for your suggestion, I use .NET 4.6.1 and it works for me. But I have a question about your solution: do you use URL Rewrite (extension of IIS) or do you rewrite it by code in Session_Start? Can you show me your code? – Sadegh Apr 06 '20 at 03:06
  • @ParanoidCoder Yes, can you please share Session_Start code? – Vaibhav Deshmukh Jun 25 '20 at 14:21
  • @Sadegh Which one did you use to overcome the problem? – Vaibhav Deshmukh Jun 25 '20 at 14:22
  • @VaibhavDeshmukh I added cookieSameSite to sessionState (same as the accepted answer). – Sadegh Jul 05 '20 at 06:40

8 Answers


Add these options to web.config for sameSite=None, Lax or Strict

<system.web>
    <httpCookies sameSite="None"/>
    <sessionState cookieSameSite="None" />
    <authentication mode="Forms">
        <forms cookieSameSite="None" />
    </authentication>
</system.web>

CookieSameSite attribute is not available for many older frameworks. If you're in the situation where the accepted answer is not supported in your environment, read on!

I built on several SO answers to come up with this URL rewrite that adds SameSite=None to session cookies, and also removes SameSite=None from all cookies for most incompatible browsers. The aim of this rewrite is to preserve the "legacy" behaviour pre-Chrome 80.

Full write-up in my Coder Frontline blog:

<rewrite>
  <outboundRules>
    <preConditions>
      <!-- Checks User Agent to identify browsers incompatible with SameSite=None -->
      <preCondition name="IncompatibleWithSameSiteNone" logicalGrouping="MatchAny">
        <add input="{HTTP_USER_AGENT}" pattern="(CPU iPhone OS 12)|(iPad; CPU OS 12)" />
        <add input="{HTTP_USER_AGENT}" pattern="(Chrome/5)|(Chrome/6)" />
        <add input="{HTTP_USER_AGENT}" pattern="( OS X 10_14).*(Version/).*((Safari)|(KHTML, like Gecko)$)" />
      </preCondition>
    </preConditions>

    <!-- Adds or changes SameSite to None for the session cookie -->
    <!-- Note that secure header is also required by Chrome and should not be added here -->
    <rule name="SessionCookieAddNoneHeader">
      <match serverVariable="RESPONSE_Set-Cookie" pattern="(.*ASP.NET_SessionId.*)" />
      <!-- Use this regex if your OS/framework/app adds SameSite=Lax automatically to the end of the cookie -->
      <!-- <match serverVariable="RESPONSE_Set-Cookie" pattern="((.*)(ASP.NET_SessionId)(=.*))(?=SameSite)" /> -->
      <action type="Rewrite" value="{R:1}; SameSite=None" />
    </rule>

    <!-- Removes SameSite=None header from all cookies, for most incompatible browsers -->
    <rule name="CookieRemoveSameSiteNone" preCondition="IncompatibleWithSameSiteNone">
      <match serverVariable="RESPONSE_Set-Cookie" pattern="(.*)(SameSite=None)" />
      <action type="Rewrite" value="{R:1}" />
    </rule>
  </outboundRules>
</rewrite>

This should work for most ASP .Net and ASP .Net Core applications, although newer Frameworks have proper code and config options to let you control this behaviour. I would recommend researching all the options available to you before using my rewrite above.

zemien
  • Where do you put this in MVC 5? In ``````? – Joel Wiklund Mar 12 '20 at 09:26
  • Note: if the ASP.NET_SessionId cookie already has `SameSite=Lax` this will only append `SameSite=None` and not replace it. – cederlof Apr 06 '20 at 09:01
  • @zemien I don't get why have the `(SameSite=.*)?` at all in the pattern? – cederlof Apr 06 '20 at 09:11
  • @cederlof I added `(SameSite=.*)?` to the pattern so that it will get replaced with `SameSite=None`. This rectifies the situation of your previous comment where newer .Net updates already add `SameSite=Lax` to the session cookie, by replacing it with the None version. Are you still seeing both SameSite headers even with the regex above? – zemien Apr 07 '20 at 03:31
  • @zemien Thanks! SameSite would still be in capture group 1 `{R:1}` from what I can see. https://regex101.com/r/7D9UdO/1 – cederlof Apr 07 '20 at 07:02
  • @cederlof you're right! I didn't test my regex properly because my environment was an older .Net framework that did not add the Lax property automatically. In your case, you can use a different regex to exclude the `SameSite=Lax` header: `((.*)(ASP.NET_SessionId)(=.*))(?=SameSite)` See updated https://regex101.com/r/7D9UdO/3 - however note that this regex will exclude anything you may want afterwards, such as the secure header. This should be a rare condition so the key point is to see what your OS+framework+app is emitting and write the regex to suit. I will update my answer to reflect both ways :) – zemien Apr 08 '20 at 07:58
  • Worked perfectly for me. I used: – Frijey Labs Mar 17 '22 at 13:33

I can't use rewrite, because UrlRewrite is not installed on all my customers' servers.

Finally I added cookieSameSite to my web.config:

<sessionState mode="StateServer" cookieSameSite="None" sqlConnectionString="data source=(local);user id=sa;password=" cookieless="false" timeout="20" />
Sadegh
  • I'm sorry @Sadegh.K, but it will not work before 4.7.2 as stated here: https://learn.microsoft.com/en-us/aspnet/samesite/system-web-samesite#using-samesite-in-aspnet-472-and-48 – cederlof Apr 01 '20 at 13:37
  • @cederlof I found this: https://support.microsoft.com/en-us/help/4533011/kb4533011 – Sadegh Apr 06 '20 at 03:26
  • @Sadegh Right, but that doesn't add the `cookieSameSite` functionality to web.config - .NET 4.7.2 does. The link I posted in my comment is also linked to from the page you refer to. – cederlof Apr 06 '20 at 08:39
  • @cederlof I agree with you, but after this update I added this config to my web.config, and it works for me, and samesite="none" is set on my site requests. – Sadegh Apr 06 '20 at 11:56
  • @Sadegh how do I set the site to support .NET 4.7.2? – developer learn999 Sep 29 '20 at 08:17
  • @developerlearn999 if you mean how to set SameSite in .NET 4.7.2, just add cookieSameSite to your web.config as above. – Sadegh Oct 06 '20 at 08:33

Last update: zemien's answer is more comprehensive and complete than mine, because it sets the cookie based on the user agent.

My Answer:

You can replace SameSite=Lax with SameSite=None for ASP.NET_SessionId in web.config in the following way:

<rewrite>
  <outboundRules>
    <rule name="AddSameSiteCookieFlag">
      <match serverVariable="RESPONSE_Set-Cookie" pattern="((.*)(ASP.NET_SessionId)(=.*))(SameSite=Lax)" />
      <action type="Rewrite" value="{R:1};SameSite=None" />
    </rule>
  </outboundRules>
</rewrite>

Update: To prevent the iOS problem, replace

<action type="Rewrite" value="{R:1};SameSite=None" />

with

<action type="Rewrite" value="{R:1};" />
  • This is possible only if the IIS rewriting module is installed on the server – Vincent Ducroquet Jan 22 '20 at 14:43
  • Your update for the iOS problem will also cause problems in newer OSes. Basically speaking, some browsers/OS will assign SameSite=Lax if it is missing the SameSite header. I believe the only way is to do UserAgent sniffing and decide whether to include the header or not. I'm still researching if this can be done via web.config or it has to include a code change in Session_Start. – zemien Feb 22 '20 at 10:55
  • Just to highlight what @zemien writes, your iOS-update fixes one problem but introduces another. – cederlof Apr 01 '20 at 13:34
  • Why setting to None instead of strict? – aj go May 04 '21 at 10:52
  • @VincentDucroquet Do you know the "IIS rewriting module" charge fee or not when we install it? Thanks in advance! – Nguyễn Văn Phong Feb 14 '22 at 07:21

@zemien your solution correctly solved our Google Chrome issues

We have an integration where our application is embedded in an iframe on a third party. Chrome version 80 released Feb 4 2020 prevented cookies from loading.

However, I had to modify the pattern to capture all cookies, add the Secure flag, and add a condition to not apply the rewrite on localhost for our local non-HTTPS environment

<rule name="SessionCookieAddNoneHeader">
  <match serverVariable="RESPONSE_Set-Cookie" pattern="(.*)(SameSite=.*)?" />
  <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
    <add input="{HTTP_HOST}" pattern="localhost" negate="true" />
  </conditions>
  <action type="Rewrite" value="{R:1}; SameSite=None; Secure" />
</rule>
C Rudolph
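Added example, not code from any of the answers above: a JavaScript replay of the outbound rewrite rules in zemien's, Sadegh's and C Rudolph's answers against two constructed Set-Cookie values, one without SameSite (pre-patch server) and one carrying the SameSite=Lax that the patched framework emits, so the "appends instead of replaces" behaviour discussed in the comments is visible directly. It assumes the Rewrite action on RESPONSE_Set-Cookie replaces the whole header value with the expanded {R:n} action value when the pattern matches (my reading of IIS URL Rewrite), and it also checks the Secure requirement for SameSite=None noted in the last answer.

```javascript
// Rules quoted from the answers above: IIS pattern plus action value with {R:n} back-references.
const APPEND_RULE      = { pattern: '(.*ASP.NET_SessionId.*)', value: '{R:1}; SameSite=None' };
const LOOKAHEAD_RULE   = { pattern: '((.*)(ASP.NET_SessionId)(=.*))(?=SameSite)', value: '{R:1}; SameSite=None' };
const REPLACE_LAX_RULE = { pattern: '((.*)(ASP.NET_SessionId)(=.*))(SameSite=Lax)', value: '{R:1};SameSite=None' };
const ALL_COOKIES_RULE = { pattern: '(.*)(SameSite=.*)?', value: '{R:1}; SameSite=None; Secure' };
const REMOVE_NONE_RULE = { pattern: '(.*)(SameSite=None)', value: '{R:1}' };

// User-Agent preCondition from zemien's answer: browsers that mishandle SameSite=None.
const INCOMPATIBLE_UA = [
  '(CPU iPhone OS 12)|(iPad; CPU OS 12)',
  '(Chrome/5)|(Chrome/6)',
  '( OS X 10_14).*(Version/).*((Safari)|(KHTML, like Gecko)$)',
];

// Assumed IIS semantics for a Rewrite action on RESPONSE_Set-Cookie: when the pattern
// matches, the whole header value becomes the action value with {R:n} expanded;
// when it does not match, the header is left untouched.
function applyRule(rule, headerValue) {
  const m = new RegExp(rule.pattern).exec(headerValue);
  if (!m) return headerValue;
  return rule.value.replace(/\{R:(\d+)\}/g, (_, n) => m[Number(n)] ?? '');
}

function isIncompatibleUa(userAgent) {
  return INCOMPATIBLE_UA.some((p) => new RegExp(p).test(userAgent));
}

// zemien's pipeline: add None to the session cookie, then strip it again for old browsers.
function rewriteSessionCookie(headerValue, userAgent, addRule = APPEND_RULE) {
  const withNone = applyRule(addRule, headerValue);
  return isIncompatibleUa(userAgent) ? applyRule(REMOVE_NONE_RULE, withNone) : withNone;
}

// Every SameSite value in the header; more than one means a rule appended instead of replacing.
function sameSiteValues(headerValue) {
  return [...headerValue.matchAll(/SameSite=(\w+)/g)].map((m) => m[1]);
}

// Checks a final header: no duplicate SameSite, and None only together with Secure.
function cookieProblems(headerValue) {
  const problems = [];
  const values = sameSiteValues(headerValue);
  if (values.length > 1) problems.push(`duplicate SameSite: ${values.join(',')}`);
  if (values.includes('None') && !/;\s*Secure\b/i.test(headerValue)) problems.push('SameSite=None without Secure');
  return problems;
}

// Constructed sample headers: a pre-patch server (no SameSite) and a KB4524419-patched one (Lax).
const LEGACY = 'ASP.NET_SessionId=abc123; path=/; HttpOnly';
const PATCHED = LEGACY + '; SameSite=Lax';
```

Note that the lookahead and SameSite=Lax variants leave a dangling "; " before the new attribute; cookie parsers skip the empty attribute, but the duplicate SameSite produced by the append-only patterns is what actually needs catching.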

Works for me. Added to my web.config file:

<sessionState cookieSameSite="None"></sessionState>

Upgrade to .Net Framework 4.8 + installation patch : 2019-12 Cumulative Update for .NET Framework 3.5 and 4.8 for Windows 10 Version 1909 for x64 (KB4533002)

Stéphane

4 machines with Google Chrome, one would not work with cookies across sites on ASP. Followed H. J. van der Wijk's info for web.config

<system.web>
    <httpCookies sameSite="None"/>
    <sessionState cookieSameSite="None" />
    <authentication mode="Forms">
        <forms cookieSameSite="None" />
    </authentication>
</system.web>

It still did not work; I had to change

<httpCookies sameSite="None"/>

for

<httpCookies httpOnlyCookies="true" requireSSL="true" sameSite="None"/>

and all worked.

Thanks

c.almeida

Add these options to web.config for sameSite=None, Lax or Strict

<system.web>
    <httpCookies sameSite="None" requireSSL="true" />
    <sessionState cookieSameSite="None" />
    <authentication mode="Forms">
        <forms cookieSameSite="None" requireSSL="true" />
    </authentication>
</system.web>

This is supported since .Net Framework 4.7.2.

Docs on sessionState cookieSameSite
Docs on httpCookies sameSite
SameSite=None requires Secure (requireSSL="true"). Lax and Strict don't. sessionState doesn't have requireSSL and uses the attribute from httpCookies.
Good article with an explanation of SameSite in Google Chrome. Chrome blocks third-party cookies in iframes since version 80.

Vasiliy Zverev