16

Chrome 76 will begin to support an explicit SameSite: None attribute.

https://web.dev/samesite-cookies-explained/

I found that the current implementation of ASP.NET Core treats SameSiteMode.None as a no-op and does not send any attribute. How can I add a custom attribute to a cookie and thereby add an explicit SameSite: None to the cookie text?

Appending the attribute to the cookie value does not work, as HttpResponse.Cookies.Append URL-encodes the cookie value.

dmi_

5 Answers

23

Same issue occurs in ASP.NET as in ASP.NET Core.

Until Microsoft produce a fix, a hack that's working for me is to replace

myCookie.Path = "/";
myCookie.SameSite = SameSiteMode.None;     // has no effect

with

myCookie.Path = "/; SameSite=None";

This adds SameSite=None to the set-cookie header in the HTTP response.

GStephens
  • Even after upgrading to .NET Framework 4.8 and having access to HttpCookie.SameSite property, the CookieHeaderValue class used by HttpResponseMessage in our code still did not have this property available. This hack may be ugly but is what finally worked for me. Thanks! – Matt Zamec Dec 17 '20 at 17:14
  • I find that this clever hack works BUT only if you include the line "Cookie.SameSite = SameSiteMode.None;" – sevzas Feb 04 '22 at 18:49
16

It's now fixed in the latest release of all versions of .NET Framework and .NET Core (https://github.com/aspnet/AspNetCore/issues/12125).

I have multiple projects running on .NET Core 2.2 and after upgrading to 2.2.207, I don't have the problem anymore.

Here is sample code from the ConfigureServices method of the Startup.cs file:

services.ConfigureApplicationCookie(options => {
     options.Cookie.SameSite = SameSiteMode.None;
});
Spikeh
Xavierh
8

[Edit] If you are using all DLLs and packages from NuGet, you have to ensure Microsoft.Net.Http.Headers is at version 2.2.8 or above.

After the last KB from Microsoft on 10 December 2019, it should be fixed in .NET Framework and .NET Core.

See:

  1. https://learn.microsoft.com/en-us/aspnet/samesite/system-web-samesite
  2. https://learn.microsoft.com/en-us/aspnet/samesite/kbs-samesite
Ygalbel
  • 1
    My ASP.Net Core v2.2 app absolutely would not output a SameSite=None cookie (short of setting a header manually as @dmi_ suggests) - any variety of attempts to do so resulted in an unspecified SameSite value. Installing Microsoft.Net.Http.Headers as you suggest resolved this. – quentin-starin Oct 10 '20 at 05:57
3

response.Headers.Append("set-Cookie", $"{cookieName}={cookieValue}; path=/; SameSite=None; Secure"); seems to work as expected.

I tested this by enabling same-site-by-default-cookies and cookies-without-same-site-must-be-secure in Chrome Dev 76.

dmi_
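
Writing the Set-Cookie header by hand, as in the answer above, bypasses the URL-encoding that HttpResponse.Cookies.Append applies, so the caller has to validate the name and encode the value. The following is an added example (not code from the answer or from ASP.NET Core) of a helper that does this and always emits SameSite=None together with Secure; the class and method names are hypothetical.

```csharp
using System;
using System.Linq;
using Microsoft.AspNetCore.Http;

// Hypothetical helper: names are illustrative, not part of ASP.NET Core.
public static class SameSiteNoneCookie
{
    // A cookie name must be an HTTP token: visible ASCII without these separators.
    private const string Separators = "()<>@,;:\\\"/[]?={} \t";

    public static string BuildHeaderValue(string name, string value, TimeSpan? maxAge = null)
    {
        if (string.IsNullOrEmpty(name) ||
            name.Any(c => c <= 0x20 || c >= 0x7f || Separators.IndexOf(c) >= 0))
        {
            throw new ArgumentException("Invalid cookie name.", nameof(name));
        }

        // Percent-encode the value so ';', ',', whitespace, CR and LF cannot
        // end the value early or inject extra attributes or header lines.
        var encoded = Uri.EscapeDataString(value ?? string.Empty);

        var header = $"{name}={encoded}; Path=/";
        if (maxAge.HasValue)
        {
            header += $"; Max-Age={(long)maxAge.Value.TotalSeconds}";
        }

        // With cookies-without-same-site-must-be-secure enabled, Chrome rejects
        // SameSite=None cookies that lack Secure, so both are always emitted.
        return header + "; SameSite=None; Secure";
    }

    public static void Append(HttpResponse response, string name, string value, TimeSpan? maxAge = null)
    {
        // Append (rather than indexer assignment) keeps Set-Cookie headers
        // that are already on the response.
        response.Headers.Append("Set-Cookie", BuildHeaderValue(name, value, maxAge));
    }
}
```
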
0

Other answers have mentioned the .Net Core fix, so I'll skip that part.

The .Net Framework fix is provided via a "Quality Rollup".

Here's the KB for .Net 4.8.

Here's the KB for .Net 4.7.2.

Here's the relevant MSDN source.

tsemer