17

I been trying to add sameSite = None attribute to my project cookies as a part of Chrome standards. I am using .net framework 4.8 and it supports sameSite for cookie (https://learn.microsoft.com/en-us/aspnet/samesite/system-web-samesite#using-samesite-in-aspnet-472-and-48), but i am not able to do it from web.config Please help if anyone has faced similar problem and resolved that.

Gaurav Chaudhary
  • 321
  • 1
  • 3
  • 15
  • 1
    i think this is somehow related to windows update for 4.8 framework and Visual Studio 2019 update. Somehow this is working now by doing the update – Gaurav Chaudhary Aug 05 '20 at 11:01
  • It's important that OP (Gaurav) pointed out that he is using 4.7.2, because the `sameSite` attribute in `web.config` `` element is only supported in .NET versions >= 4.7.2 ([as seen on their site](https://learn.microsoft.com/en-us/aspnet/samesite/system-web-samesite#net-versions-earlier-than-472)) – Nate Anderson Oct 21 '20 at 15:33

2 Answers2

25

This is only a warning because the attribute isn't included in Visual Studio yet. It shouldn't stop you compiling and will work in production because the latest browsers support it.

As Microsoft includes this in their official documentation I would use it as recommended and ignore the warning until an update is released with the same site parameter included.

<configuration>
 <system.web>
  <httpCookies sameSite="[Strict|Lax|None|Unspecified]" requireSSL="[true|false]" />
 <system.web>
<configuration>

As of Visual Studio Community 2022 Version 17.0.6 this is still not included.

(It might be safe to assume this will never get added to Visual Studio.)

DreamTeK
  • 32,537
  • 27
  • 112
  • 171
  • 1
    I tried setting sameSite="Strict" in my web.config but get the "sameSite attribute is not allowed" warning/error. I then tried launching my web site but got a 500 error. I'm using ASP.NET 4.7.2 and Visual Studio 2019 16.8.3... – Mark S Jan 05 '21 at 18:18
  • @MarkS You will still get the warning in visual studio as the attribute is still not included. If you are getting error 500, are you sure it is caused by this? What is your error message? – DreamTeK Jan 06 '21 at 11:01
  • I should have mentioned that I thought this would work because Gaurav said this should work with 4.7.2 and I'm on 4.7.2. Nevertheless, I got this to work. In my web.config file, I set the httpCookies tag with sameSite="Strict" and removed it from the forms and sessionState tags. The .ASPXAUTH parameter now shows SameSite as Strict and my app functions normally. – Mark S Jan 06 '21 at 20:26
  • @MarkS Accoriding to Microsoft (See link in answer) this attribute is supported from 4.7.2 – DreamTeK Jan 07 '21 at 09:45
-7

chrome://flags/#same-site-by-default-cookies

Paste In Browser Url

Disable It

Now Working fine

samesite=None

user15129439
  • 1