1

I have an ASP.NET Web Application, and the application needs to open in an iframe on another site, i.e. it should support cross-site cookies. I want to set SameSite=None; Secure in the web application. I put

<httpCookies sameSite="None" requireSSL="true" /> 

in the Web.config, but the SameSite value of the ASP.NET_SessionId cookie is always Lax. Am I doing the right configuration in web.config?

Simant

3 Answers

2

The <httpCookies sameSite="..."> attribute in Web.config doesn't affect the ASP.NET_SessionId cookie. Set the <sessionState cookieSameSite="..."> attribute instead:

<system.web>
    <sessionState cookieSameSite="None" />
</system.web>
Michael Liu
    Even I changed to and my site is running in https, the cookie is always in SameSite=Lax. What could be the reason? – Simant Feb 02 '20 at 08:59
  • (1) Are you sure you're updating the correct Web.config? Try setting cookieSameSite to an invalid value like "ABC" and making sure it produces an error. (2) Make sure you've cleared all cookies in the browser so that a new session cookie is issued. Existing cookies will retain the original SameSite value even with this change. – Michael Liu Feb 02 '20 at 17:58
  • After clearing all existing cookies from the browser, it worked fine. Is it also needed to set for SameSite="None"? – Simant Feb 03 '20 at 12:17
  • Yes, you need to set `` so that the Secure attribute is added to the ASP.NET_SessionId cookie. (There is no separate attribute on `` like there is for `cookieSameSite`.) – Michael Liu Feb 03 '20 at 14:39
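A quick way to confirm that the change actually reached the browser (and that a stale cookie is not what you are looking at) is to inspect the Set-Cookie headers the server sends. The checker below is an added example, not code from the question or the answers: it parses Set-Cookie values the way a browser would and reports whether ASP.NET_SessionId carries SameSite=None together with Secure. The headers in BEFORE and AFTER are constructed samples showing the default state and the state after sessionState cookieSameSite="None" plus httpCookies requireSSL="true".

```python
from dataclasses import dataclass

SESSION_COOKIE = "ASP.NET_SessionId"

@dataclass
class CookieAttrs:
    name: str
    samesite: str   # "None", "Lax" or "Strict"; absent attribute is reported as "Lax"
    secure: bool
    httponly: bool

def parse_set_cookie(header: str) -> CookieAttrs:
    """Split one Set-Cookie header value into its name and the attributes we care about."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    samesite, secure, httponly = None, False, False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "samesite":
            samesite = value.strip().capitalize()   # normalises "none" -> "None"
        elif key == "secure":
            secure = True
        elif key == "httponly":
            httponly = True
    # Current browsers treat a cookie without a SameSite attribute as Lax.
    return CookieAttrs(name, samesite or "Lax", secure, httponly)

def check_session_cookie(set_cookie_headers):
    """Return (ok, reason) for the ASP.NET_SessionId cookie found among the headers."""
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie.name.lower() != SESSION_COOKIE.lower():
            continue
        if cookie.samesite != "None":
            return False, f"SameSite is {cookie.samesite}; a cross-site iframe will not send it"
        if not cookie.secure:
            # Browsers reject SameSite=None cookies that are not also Secure.
            return False, "SameSite=None without Secure; browsers reject this cookie"
        return True, "SameSite=None; Secure present"
    return False, f"no {SESSION_COOKIE} cookie in response"

# Constructed sample headers (not captured from a real site).
BEFORE = ["ASP.NET_SessionId=abc123; path=/; HttpOnly; SameSite=Lax"]
AFTER = ["ASP.NET_SessionId=abc123; path=/; secure; HttpOnly; SameSite=None"]

if __name__ == "__main__":
    for label, headers in (("before", BEFORE), ("after", AFTER)):
        print(label, check_session_cookie(headers))
```

Run it against the raw Set-Cookie headers of a fresh response (one issued after clearing the browser's cookies), since a cookie set before the configuration change keeps its original attributes.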
0

After writing the code below in Global.asax, I was able to set the SameSite value to None.

        using System;
        using System.Web;

        public class Global : HttpApplication
        {
            protected void Session_Start(object sender, EventArgs e)
            {
                var sessionCookie = Response.Cookies["ASP.NET_SessionId"];
                sessionCookie.SameSite = SameSiteMode.None;
                // While we're at it, also mark it Secure (browsers require Secure with SameSite=None)
                if (Request.IsSecureConnection)
                    sessionCookie.Secure = true;
            }
        }

An alternative way to achieve this is in the web.config file:

<system.web>
        <httpCookies requireSSL="true"/>
        <sessionState cookieSameSite="None"/>
</system.web>
Simant
0

You don't need to address the cookies of the Response object in Session_Start? Each time a new session starts ... the cookie is NOT YET available.

You can use

Request.Cookies["ASP.Net_SessionId"]

instead. I addressed the Request object and problem solved.

Bhargav Rao