I got bitten by the SameSite cookie attribute enforcement in Google Chrome a few days ago. My problem is that I am on .NET 4.7.1, and upgrading the .NET Framework is "ticket based", so the lead time is prohibitive. The site itself uses ASP.NET Identity to issue an authentication cookie. The configuration looks like this:
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath = new PathString("/"),
    CookieName = "cookie-name",
    // Microsoft.Owin 4.1 option; the stock SystemWebCookieManager ignores it on .NET < 4.7.2
    CookieSameSite = SameSiteMode.None,
    CookieManager = new SystemWebCookieManagerInNet471(), // custom manager from the gist below
    // Secure is set only on HTTPS requests. Browsers reject SameSite=None without Secure,
    // so a cookie issued in response to a plain-HTTP request will be dropped.
    CookieSecure = CookieSecureOption.SameAsRequest,
    Provider = new CookieAuthenticationProvider
    {
        OnApplyRedirect = ctx =>
        {
            if (!IsAjaxRequest(ctx.Request)) // Fail handler for HTTP request
            {
                // Stuff here
            }
            else
            {
                ctx.Response.Redirect(ctx.RedirectUri); // Fail handler for AJAX request
            }
        }
    }
});
The workaround to set the SameSite attribute for my case is not ideal at all (URL Rewrite, etc.).
As per this, this and this, I have set the CookieSameSite attribute (see above). However, this does not work because of the static constructor acrobatics in here, which bind the implementation to later versions of the .NET Framework.
In order to get around this Framework limitation I extended (sort of hacked) the SystemWebCookieManager. Gist (line no 107). Has anyone gone down this road and hit strange behaviour in production?
I am aware this solution will not work for the CSRF or SessionId cookies, but for my case this is OK. I also noticed that there is a chunked cookie manager too; I think (and hope) I'll not hit a chunking use case.
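The post describes the gap but not a way to close it, so here is an added example of an ICookieManager decorator for this situation. It is not the poster's gist and not Katana's own code; the class and method names are mine. It assumes Microsoft.Owin 4.1.x (the version that introduced CookieSameSite and CookieOptions.SameSite, which the configuration above already uses) running on .NET 4.7.1, where HttpCookie has no SameSite property. Everything the wrapped manager can handle is delegated to it; only a cookie that needs SameSite=None on a framework that cannot express it is written as a raw Set-Cookie header, and that path always emits Secure, because Chrome discards SameSite=None cookies that are not Secure.

```csharp
// Added example: ICookieManager decorator for Microsoft.Owin 4.1 on .NET 4.7.1.
// Not the poster's gist and not Katana code; names are illustrative.
using System;
using System.Globalization;
using System.Reflection;
using System.Text;
using System.Web;
using Microsoft.Owin;
using Microsoft.Owin.Infrastructure;

public sealed class SameSiteNoneCookieManager : ICookieManager
{
    // On .NET 4.7.2+ HttpCookie.SameSite exists and the wrapped manager handles it itself;
    // this is the same reflection check Katana's static constructor performs.
    private static readonly bool FrameworkSupportsSameSite =
        typeof(HttpCookie).GetProperty("SameSite", BindingFlags.Public | BindingFlags.Instance) != null;

    private readonly ICookieManager _inner;

    // Wrap the manager you would otherwise use, e.g.
    // new SameSiteNoneCookieManager(new Microsoft.Owin.Host.SystemWeb.SystemWebCookieManager())
    public SameSiteNoneCookieManager(ICookieManager inner)
    {
        if (inner == null) throw new ArgumentNullException(nameof(inner));
        _inner = inner;
    }

    public string GetRequestCookie(IOwinContext context, string key)
    {
        return _inner.GetRequestCookie(context, key);
    }

    public void AppendResponseCookie(IOwinContext context, string key, string value, CookieOptions options)
    {
        if (!NeedsRawHeader(options))
        {
            _inner.AppendResponseCookie(context, key, value, options);
            return;
        }
        // Bypass Response.Cookies and write the Set-Cookie header directly.
        context.Response.Headers.Append("Set-Cookie", BuildSetCookieHeader(key, value, options));
    }

    public void DeleteCookie(IOwinContext context, string key, CookieOptions options)
    {
        if (!NeedsRawHeader(options))
        {
            _inner.DeleteCookie(context, key, options);
            return;
        }
        // An already-expired cookie with the same name, domain and path replaces the live one.
        var expired = new CookieOptions
        {
            Domain = options.Domain,
            Path = options.Path,
            Secure = options.Secure,
            HttpOnly = options.HttpOnly,
            SameSite = options.SameSite,
            Expires = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc),
        };
        context.Response.Headers.Append("Set-Cookie", BuildSetCookieHeader(key, string.Empty, expired));
    }

    // Only SameSite=None needs the workaround: a cookie carrying no SameSite attribute
    // already gets the Lax default from browsers that enforce the new behaviour.
    private static bool NeedsRawHeader(CookieOptions options)
    {
        return options.SameSite == SameSiteMode.None && !FrameworkSupportsSameSite;
    }

    // Builds an RFC 6265 Set-Cookie value. "secure" is always emitted: with
    // CookieSecure = SameAsRequest a plain-HTTP request would otherwise yield a
    // SameSite=None cookie without Secure, which the browser rejects anyway. Forcing
    // Secure means the browser simply never returns the cookie over clear text.
    internal static string BuildSetCookieHeader(string key, string value, CookieOptions options)
    {
        var sb = new StringBuilder();
        sb.Append(Uri.EscapeDataString(key)).Append('=').Append(Uri.EscapeDataString(value ?? string.Empty));
        if (!string.IsNullOrEmpty(options.Domain)) sb.Append("; domain=").Append(options.Domain);
        if (!string.IsNullOrEmpty(options.Path)) sb.Append("; path=").Append(options.Path);
        if (options.Expires.HasValue)
        {
            sb.Append("; expires=").Append(options.Expires.Value.ToUniversalTime()
                .ToString("ddd, dd-MMM-yyyy HH:mm:ss 'GMT'", CultureInfo.InvariantCulture));
        }
        sb.Append("; secure");
        if (options.HttpOnly) sb.Append("; HttpOnly");
        sb.Append("; SameSite=None");
        return sb.ToString();
    }
}

// Registration in ConfigureAuth (assumed location), replacing the CookieManager line above:
//   CookieManager = new SameSiteNoneCookieManager(new SystemWebCookieManager()),
```

Two caveats before running this in production. The raw-header path deliberately skips System.Web's Response.Cookies collection, which is the very interference SystemWebCookieManager exists to avoid: if anything else on the same request touches Response.Cookies (session state, forms authentication, a handler calling Response.Cookies.Add), System.Web regenerates the Set-Cookie headers from its own collection and the OWIN-written one can vanish. Check the auth cookie with the browser's developer tools on the pages that also start a session. The raw path also does no chunking, so if the wrapped manager is the chunking variant and the identity ticket ever exceeds the single-cookie limit, it will be truncated; and some older clients (notably Safari on iOS 12 and macOS 10.14) misread SameSite=None as Strict, which is worth keeping in mind when odd login loops appear on a few devices only.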