I'm using the solution to set SameSite attribute to all cookies from this SoF answer: https://stackoverflow.com/a/38957177/2803237
Have to do it by URL Rewrite, can't upgrade to ASP.NET 4.7.2 right now - still using 4.6.1.
So, when I just copy it from the answer (with SameSite=Strict) it works and sets all my cookies to Strict. But if I make it Lax, only the Session ones get Lax, ones with the expiration date set remain in SameSite=Unset.
What can be the reason for this?
You might try setting the sameSite attribute of the <httpCookies> tag in your web.config, which will make all your cookies' SameSite attribute to Strict:
<configuration>
<system.web>
<httpCookies sameSite="Strict"/>
<system.web>
<configuration>
However you will need to install the corresponding Windows Update to get this setting work, or you will hit "configuration error" when you load the page. Please find appropriate KB based on your OS in https://learn.microsoft.com/en-us/aspnet/samesite/kbs-samesite
