0

In Google Chrome console I am getting this warning "A cookie associated with a cross-site resource at "URL" was set without the SameSite attribute". It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with SameSite=None and Secure. I verified the same under Application>Storage>Cookies their I found Same Site was "blank/Empty" and I want to update that into "None".

Tried some of the ways mentioned by other developers but nothing seems to be working for me.

Implementation 1: Updated my web.config with below mentioned code

<sessionState cookieSameSite="None" />
<httpCookies httpOnlyCookies="true" requireSSL="true" />

// sameSite="None" is not coming for me under httpCookies section and giving me a error message sameSite attribute is not allowed

Implementation 2: Modifed class file code where I am creating that Cookie

HttpCookie sessionCookie = new HttpCookie("Token");
sessionCookie.Value = sessionToken;
                sessionCookie.HttpOnly = true;
                sessionCookie.SameSite = SameSiteMode.None;
sessionCookie.Secure = FormsAuthentication.RequireSSL && Request.IsSecureConnection;
sessionCookie.Domain = Request.Url.Host;
Response.Cookies.Add(sessionCookie);

Implementation 3: Created a seperate MVC filter to Handle this

public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            var response = filterContext.RequestContext.HttpContext.Response;

            if (response != null)
            {
                response.AddHeader("Set-Cookie", "HttpOnly;Secure;SameSite=None");
            }

            base.OnActionExecuting(filterContext);
        }

Implementation 4: 

<rewrite>
  <outboundRules>
    <rule name="Add SameSite" preCondition="No SameSite">
      <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
      <action type="Rewrite" value="{R:0}; SameSite=None" />
      <conditions>
      </conditions>
    </rule>
    <preConditions>
      <preCondition name="No SameSite">
        <add input="{RESPONSE_Set_Cookie}" pattern="." />
        <add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=" negate="true" />
      </preCondition>
    </preConditions>
  </outboundRules>
</rewrite>

Target .net Framework 4.7.2

Is there anything I need to do in my local machine or server or anyway by which I can remove this warning message.

Abhinandan Julka
  • 3
  • 1
  • 2

2 Answers2

1

From the OWASP cheatsheet for setting same site cookies to mitigate CSRF, when setting the same site attribute to none we have to set the secure flag on the cookie as well. This can be done by referring to this question adding httponly and secure flag for set cookie in java web application

All desktop browsers and almost all mobile browsers now support the SameSite attribute. To keep track of the browsers implementing it and the usage of the attribute, refer to the following service. Note that Chrome has announced that they will mark cookies as SameSite=Lax by default from Chrome 80 (due in February 2020), and Firefox and Edge are both planning to follow suit. Additionally, the Secure flag will be required for cookies that are marked as SameSite=None.

Y4glory
  • 1,111
  • 6
  • 17
  • I have already added secure flag on my cookies and that is working as expected. However, I am facing issue while adding "SameSite =None" and already shared the ways I tried to achieve that. – Abhinandan Julka Apr 03 '20 at 08:24
  • Maybe this will help https://learn.microsoft.com/en-us/aspnet/samesite/system-web-samesite – Y4glory Apr 03 '20 at 08:31
  • It says there are some known issues where HttpCookies that explicitly set SameSite=None in code or configuration now have that value written with the cookie, whereas it was previously omitted. This may cause issues with older browsers that only support the 2016 draft standard. – Y4glory Apr 03 '20 at 08:31
1

Works for me

<configuration>
<system.web>
<httpCookies sameSite="None" requireSSL="true" />
</system.web>
</configuration>
MRRaja
  • 1,073
  • 12
  • 25