To prepare for the upcoming changes to SameSite in Chrome 80, I have upgraded my .NET Framework API from 4.6.2 to 4.7.2.

I created a simple test endpoint that simply sets a cookie with SameSite=None:

using System.Web;
using System.Web.Http;

public class TestController : ApiController
{
    public IHttpActionResult Get()
    {
        // SameSiteMode.None is only written as "SameSite=None" on .NET Framework 4.7.2
        // with the November 2019 update applied.
        var cookie = new HttpCookie("foo", "bar")
        {
            HttpOnly = true,
            Secure = true,               // Chrome 80+ rejects SameSite=None without Secure
            SameSite = SameSiteMode.None
        };

        HttpContext.Current.Response.SetCookie(cookie);

        return Ok();
    }
}

This works as expected locally, and the following header is returned:

set-cookie: foo=bar; path=/; secure; HttpOnly; SameSite=None

However, this does not work when publishing to an Azure web app configured with 4.7 as the runtime stack. The web app returns the cookie header without SameSite:

Set-Cookie: foo=bar; path=/; secure; HttpOnly

If I set it to Strict or Lax it works as expected in Azure too.

Is this an issue with Azure? Is there anything that needs to be configured on the web app to get this working, or perhaps I have to set the cookie in a different way?

Leniel Maccaferri
Boxiom

3 Answers

From https://stackoverflow.com/a/38957177/1322009. One solution which also works on 4.6.1 is to add the following to your web.config

Edit: Chrome now wants you to include secure; on your cookies when using SameSite=none.

<system.webServer>
  <rewrite>
    <outboundRules>
      <clear />
      <!-- Append "; secure; SameSite=none" to every Set-Cookie header
           that the precondition below has not already matched. -->
      <rule name="Add SameSite" preCondition="No SameSite">
        <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
        <action type="Rewrite" value="{R:0}; secure; SameSite=none" />
        <conditions>
        </conditions>
      </rule>
      <preConditions>
        <!-- The rule runs only when a Set-Cookie header is present (pattern ".")
             and does not already contain the exact suffix (negate="true"). -->
        <preCondition name="No SameSite">
          <add input="{RESPONSE_Set_Cookie}" pattern="." />
          <add input="{RESPONSE_Set_Cookie}" pattern="; secure; SameSite=none" negate="true" />
        </preCondition>
      </preConditions>
    </outboundRules>
  </rewrite>
</system.webServer>

This assumes URL Rewrite is installed when you are hosting your own IIS site. https://www.iis.net/downloads/microsoft/url-rewrite

Daniel Cumings
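To see what the outbound rule actually does to a response, here is an added Python model of its precondition and action (this is not IIS and not code from the answer above). It assumes, as URL Rewrite does by default, that patterns are case-insensitive regular expressions, and it runs them over three constructed Set-Cookie values: the header Azure returned before the fix, the header 4.7.2 emits locally, and a session cookie the application had already marked Lax. It shows the caveat a practitioner should know before deploying this rule: the precondition only looks for the exact text "; secure; SameSite=none", so a header that already carries "SameSite=Lax" (or the 4.7.2 form "secure; HttpOnly; SameSite=None") still gets the suffix appended, leaving two SameSite attributes in one cookie. The tighter pattern SAMESITE_DECLARED, an alternative precondition proposed here, skips any header that already declares SameSite. Note also that the action appends "secure" to every cookie, so after the rewrite no cookie is sent over plain HTTP.

```python
import re

# Added example: a model of the URL Rewrite outbound rule from the answer,
# not IIS itself. URL Rewrite evaluates patterns as case-insensitive regular
# expressions by default, so the same flag is used here (assumption).
SUFFIX = "; secure; SameSite=none"

# The precondition as written: skip only headers containing the exact suffix.
EXACT_SUFFIX = re.compile(r"; secure; SameSite=none", re.IGNORECASE)

# A tighter precondition (proposed here): skip any header that already
# declares a SameSite attribute, whatever its value.
SAMESITE_DECLARED = re.compile(r";\s*SameSite=", re.IGNORECASE)


def rewrite_set_cookie(value, skip_when=EXACT_SUFFIX):
    """Apply the rule to one RESPONSE_Set_Cookie value.

    The first precondition entry (pattern ".") requires a non-empty header;
    the second (negate="true") requires that skip_when does NOT match. When
    both hold, the action rewrites {R:0}, the whole value, with SUFFIX added.
    """
    if not value or skip_when.search(value):
        return value
    return value + SUFFIX


def samesite_values(value):
    """Collect every SameSite attribute value in a Set-Cookie value, lower-cased."""
    found = set()
    for part in value.split(";")[1:]:
        name, _, attr = part.strip().partition("=")
        if name.strip().lower() == "samesite":
            found.add(attr.strip().lower())
    return found


def conflicting_samesite(value):
    """True when a header ends up carrying two different SameSite values."""
    return len(samesite_values(value)) > 1


# Constructed headers: the pre-patch Azure output, the 4.7.2 output, and a
# session cookie the application had already marked Lax.
AZURE_PRE_PATCH = "foo=bar; path=/; secure; HttpOnly"
LOCAL_472 = "foo=bar; path=/; secure; HttpOnly; SameSite=None"
LAX_SESSION = "ASP.NET_SessionId=abc123; path=/; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    for header in (AZURE_PRE_PATCH, LOCAL_472, LAX_SESSION):
        as_written = rewrite_set_cookie(header)
        tightened = rewrite_set_cookie(header, SAMESITE_DECLARED)
        flag = "  <-- conflicting SameSite values" if conflicting_samesite(as_written) else ""
        print(f"{header}\n  as written: {as_written}{flag}\n  tightened : {tightened}\n")
```

Run it as a script to see the three headers side by side; the Lax session cookie is the case where the rule as written produces a header with both SameSite=Lax and SameSite=none, which leaves the effective value up to each browser's parser.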
Azure will be updated before the end of the month - see the official announcement here: https://learn.microsoft.com/answers/questions/6842/announcement-samesite-cookie-handling-and-net-fram.html

We're seeing the same thing, updating to 4.7.2 specifically to address the same site issue.

It appears this was patched with a release from Microsoft on the 10th November, but not yet available on Azure.

The site being deployed targets .Net 4.7.2, and the changes work when tested locally as expected.

If we decompile the System.Web.dll (downloaded through Kudu) we see an older version that doesn't handle SameSite cookies.

This appears to be an issue for others (with 4.7.2 despite the 4.8 topic).

https://feedback.azure.com/forums/169385-web-apps/suggestions/37566262-upgrade-app-service-with-net-4-8

The timestamp on the System.Web.dll is 11/12/2019, but on decompiling it we see:

if (this._sameSite != SameSiteMode.None)
{
    stringBuilder.Append("; SameSite=");
    stringBuilder.Append(this._sameSite);
}

Barry Dorrans at Microsoft appears to confirm that this hasn't been rolled out yet to Azure at the bottom of this page: https://devblogs.microsoft.com/aspnet/upcoming-samesite-cookie-changes-in-asp-net-and-asp-net-core/ where we had raised this as an issue too.

EDIT: We've been informed that the patch is being rolled out to Azure starting this week, and expected to be completed by the 31st January.

The update is officially communicated here: https://learn.microsoft.com/answers/questions/6842/announcement-samesite-cookie-handling-and-net-fram.html

  • Will Azure Cloud Services (classic) also get an update handling SameSite correctly? – ndee Jan 13 '22 at 12:11
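To make the decompiled check concrete, here is an added Python model (not code from the answer, and not System.Web itself) of how the two System.Web builds serialize an HttpCookie. The pre-update branch is the one quoted above: SameSiteMode.None is compared against as the "write nothing" sentinel, so the attribute is dropped and the header comes out exactly as the question shows for Azure. The updated build, as described in Microsoft's announcement, only drops the attribute for the new unspecified value (SameSiteMode)(-1) and writes SameSite=None otherwise. The member name UNSPECIFIED and the attribute ordering are assumptions made here. probe_shows_fix() is the check you can run against a deployed slot: call the test endpoint and see whether the SameSite attribute survived.

```python
import re
from enum import IntEnum


class SameSiteMode(IntEnum):
    """Mirrors System.Web.SameSiteMode. The -1 member is the "don't write"
    value the November 2019 update added; its name here is an assumption."""
    UNSPECIFIED = -1
    NONE = 0
    LAX = 1
    STRICT = 2


def serialize_cookie(name, value, same_site, path="/", secure=True, http_only=True, patched=True):
    """Model of HttpCookie -> Set-Cookie serialization in two System.Web builds.

    patched=False follows the decompiled check quoted in the answer:
        if (this._sameSite != SameSiteMode.None) { append "; SameSite=..." }
    so None is the sentinel that means "write nothing".
    patched=True follows the 4.7.2 update: only UNSPECIFIED is skipped and
    None is written out as SameSite=None. Attribute order matches the
    headers shown in the question.
    """
    parts = [f"{name}={value}", f"path={path}"]
    if secure:
        parts.append("secure")
    if http_only:
        parts.append("HttpOnly")
    if patched:
        write = same_site != SameSiteMode.UNSPECIFIED
    else:
        if same_site == SameSiteMode.UNSPECIFIED:
            raise ValueError("pre-update builds have no unspecified member")
        write = same_site != SameSiteMode.NONE
    if write:
        # Enum names are written as None / Lax / Strict, like .NET's ToString()
        parts.append(f"SameSite={same_site.name.capitalize()}")
    return "; ".join(parts)


_SAMESITE_NONE = re.compile(r";\s*SameSite=None\b", re.IGNORECASE)


def probe_shows_fix(header_line):
    """Given the Set-Cookie line returned by the test endpoint (with or without
    the "Set-Cookie:" prefix), report whether SameSite=None survived, i.e.
    whether the runtime that produced it carries the update."""
    value = re.sub(r"^\s*set-cookie\s*:\s*", "", header_line, flags=re.IGNORECASE)
    return _SAMESITE_NONE.search(value) is not None


if __name__ == "__main__":
    for mode in (SameSiteMode.NONE, SameSiteMode.LAX, SameSiteMode.STRICT):
        print(f"{mode.name:<6} pre-update: {serialize_cookie('foo', 'bar', mode, patched=False)}")
        print(f"{mode.name:<6} 4.7.2     : {serialize_cookie('foo', 'bar', mode)}")
```

Running the script prints the same pair of headers the question reports: Lax and Strict are identical in both builds, and only None differs, which is why "Strict or Lax works as expected in Azure too".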
The SameSite cookie changes are addressed in .NET Framework 4.7.2 and onwards.

If you want to confirm these changes at App Service, please navigate to the Kudu (SCM) endpoint; under Environment Variables you should be able to find the App Service platform version.

The SameSite cookie update is available on App Service version 86.0.7.148 (or later).

Complete Details of changes can be found at https://azure.microsoft.com/en-in/updates/app-service-samesite-cookie-update/

If you're impacted because of these changes, you can unblock yourself temporarily using the configuration change below:

<configuration>
  <system.web>
    <sessionState cookieSameSite="None" />
  </system.web>
</configuration>

On Chrome version 80 and above, which is Chromium-based, even this configuration may not work and you need to make the code fix.

Please note that with the above changes older browsers will not work; apps accessed from older browsers that support the 2016 SameSite standard may break when they get a SameSite property with a value of None.

You can check the User-Agent (browser) using httpContext.Request.UserAgent.

Hope the above information will help you :)

Rohit Tatiya
  • Does anybody know if Azure Cloud Services (classic) will get an update handling SameSite correctly? – ndee Jan 13 '22 at 12:11
  • Cloud Services just provides you a deployment environment; it has nothing to do with handling the application-level security policy. SameSite is browser security and has to be addressed using the application stack. For example, .NET Framework has given a quick remediation, but in the long run application code changes are required; in similar ways it needs remediation from other application stacks. – Rohit Tatiya Jan 18 '22 at 08:00
  • OK, if I understand you right, Azure Cloud Services (classic) is only maintained with OS-level security patches. An additionally deployed .NET Framework 4.8 on this Azure Cloud Service has to be updated via the deployment. Maybe a redeploy via the web installer will get the latest fixes for SameSite... – ndee Jan 19 '22 at 12:00
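The User-Agent check the answer above points at, as an added Python example rather than code from the answer or from Microsoft. The logic follows the published Chromium list of clients that reject or mishandle SameSite=None (iOS 12 and its WebViews, Safari and embedded WebKit on macOS 10.14, Chrome 51 to 66, UC Browser before 12.13.2) and the shape of Microsoft's sample check; the exact version boundaries and the constructed User-Agent strings are assumptions made here, not facts from this page. cross_site_cookie() shows the code fix the answer refers to: clients that can handle the attribute get SameSite=None; Secure, and the legacy clients get no SameSite attribute at all, which is the "unspecified" behaviour 4.7.2 exposes as (SameSiteMode)(-1). In ASP.NET this same decision would sit in an HttpModule or in the cookie-writing code, reading HttpContext.Request.UserAgent.

```python
import re


def disallows_samesite_none(user_agent):
    """Return True for clients known to break on SameSite=None.

    Boundaries follow Chromium's incompatible-client list (assumption made in
    this example; verify against the current list before relying on it).
    """
    if not user_agent:
        return False
    ua = user_agent

    # UC Browser carries an old Chrome/ token, so decide on its own version first.
    m = re.search(r"UCBrowser/(\d+)\.(\d+)\.(\d+)", ua)
    if m:
        return tuple(int(x) for x in m.groups()) < (12, 13, 2)

    # iOS 12 Safari and every iOS 12 WebView share the networking stack.
    if "CPU iPhone OS 12" in ua or "iPad; CPU OS 12" in ua:
        return True

    # Safari and embedded WebKit on macOS 10.14; Chrome on Mojave is fine.
    if "Macintosh; Intel Mac OS X 10_14" in ua and "AppleWebKit" in ua and "Chrome/" not in ua:
        return True

    # Chrome 51 to 66 reject cookies carrying SameSite=None outright.
    m = re.search(r"Chrome/(\d+)", ua)
    if m and 51 <= int(m.group(1)) <= 66:
        return True

    return False


def cross_site_cookie(name, value, user_agent):
    """Build the Set-Cookie value for a cookie that must be sent cross-site.

    Compatible clients get SameSite=None (always paired with Secure); legacy
    clients get no SameSite attribute, i.e. the unspecified value.
    """
    attrs = [f"{name}={value}", "path=/", "secure", "HttpOnly"]
    if not disallows_samesite_none(user_agent):
        attrs.append("SameSite=None")
    return "; ".join(attrs)


# Constructed User-Agent strings for the cases above (not captured traffic).
CHROME_80 = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36")
CHROME_60 = ("Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36")
IOS_12_SAFARI = ("Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 "
                 "(KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1")
MAC_1014_SAFARI = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/605.1.15 "
                   "(KHTML, like Gecko) Version/12.0.2 Safari/605.1.15")
MAC_1014_CHROME = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36")
UC_OLD = ("Mozilla/5.0 (Linux; U; Android 9; en-US) AppleWebKit/537.36 (KHTML, like Gecko) "
          "Version/4.0 Chrome/57.0.2987.108 UCBrowser/12.10.5.1171 Mobile Safari/537.36")
UC_NEW = ("Mozilla/5.0 (Linux; U; Android 9; en-US) AppleWebKit/537.36 (KHTML, like Gecko) "
          "Version/4.0 Chrome/57.0.2987.108 UCBrowser/12.13.2.1208 Mobile Safari/537.36")

if __name__ == "__main__":
    for label, ua in (("Chrome 80", CHROME_80), ("Chrome 60", CHROME_60),
                      ("iOS 12 Safari", IOS_12_SAFARI), ("macOS 10.14 Safari", MAC_1014_SAFARI),
                      ("UC Browser 12.10", UC_OLD)):
        print(f"{label:<20} {cross_site_cookie('foo', 'bar', ua)}")
```

The sniffing is a compatibility shim, not a security control: a client that lies about its User-Agent only changes which of two valid headers it receives, and the cookie stays Secure and HttpOnly in both branches.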