
I have an ASP.NET application mapped to a URL for a specific domain that contains a page that loads an IFRAME whose src points to a URL (also an ASP.NET application) for another domain.

I can get both ASP.NET applications to work concurrently when they're opened within separate windows in a single browser.

However, when a page in the first application attempts to load the second within an IFRAME, the second application doesn't appear to receive a cookie (i.e. Set-Cookie) from the web server for the application (IISExpress) nor transmit one back to the server.

The two applications each have separate functionality and are running within VisualStudio, (which is using IISExpress as the web server).

Based on what I've read, to make IFRAMEs receive and transmit session cookies, the web server must transmit SameSite="none" at the end of the Set-Cookie header.

The target framework for my application(s) is ASP.NET Core 6.0; I'm using MS VisualStudio 2022 (v 17.5.4) for building and running (w/IISExpress as the web server). Apparently, in this version the option to set SameSite="none" within the web.config file, i.e.

<configuration>
 <system.web>
  <httpCookies sameSite="None" requireSSL="false" />
 </system.web>
</configuration>

is NOT available (the "sameSite" attribute is not recognized; it was available up to ASP.NET v 4.8).

So I'm wondering if there's some other config file or option within web.config I can set to force the web server to send sameSite="None" in the Set-Cookie headers.

So far, I couldn't find any online doc on such an option, though apparently this is possible by writing C# code...

https://learn.microsoft.com/en-us/aspnet/core/security/samesite?view=aspnetcore-7.0

But what I'm looking for is a simple option/setting within a config file. Thanks

  • Have you tried to use `Cookie.SameSite = SameSiteMode.None`? Refer to this [link](https://stackoverflow.com/questions/56066832/how-to-set-samesite-cookie-attribute-to-explicit-none-asp-net-core). – Xinran Shen May 17 '23 at 02:01
  • Yes, that works. However, in my case, the application wasn't written by me, but by another firm, and adding/modifying C# code to alter its behavior is somewhat cumbersome. For that reason, I wanted some method by which the session cookie behavior could be modified in web.config – prancer71 May 17 '23 at 15:49

1 Answer

The solution is to add a section under <system.webServer> in web.config that replaces the default "samesite=lax" w/ "samesite=none" ...

<system.webServer>
  <rewrite>
    <outboundRules>
      <clear />
      <rule name="Replace SameSite">
        <match serverVariable="RESPONSE_Set_Cookie" pattern="(.*)samesite=lax(.*)" negate="false" />
        <action type="Rewrite" value="{R:1}samesite=none{R:2}" />
      </rule>
    </outboundRules>
  </rewrite>
    ...
</system.webServer>
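The following is an added example, not code from the question, the answer, or Microsoft; it emulates in Python what the outbound rule above does to a single Set-Cookie header value and then applies the acceptance rule modern browsers use for a cookie set inside a cross-site IFRAME: the cookie must carry SameSite=None and the Secure attribute, and it must arrive over https (Chrome has enforced this since version 80). The sample header values are constructed to look like an ASP.NET Core session cookie; the `REPLACEMENT_WITH_SECURE` variant is a hypothetical rewrite value that is not on the page.

```python
import re

# Pattern and replacement taken from the answer's outbound rule. IIS URL Rewrite
# patterns are case-insensitive by default, so IGNORECASE mirrors that here.
SAMESITE_LAX_PATTERN = re.compile(r"(.*)samesite=lax(.*)", re.IGNORECASE)
REPLACEMENT = r"\1samesite=none\2"
# Hypothetical variant (not on the page): also append Secure, because browsers
# discard a SameSite=None cookie that is not marked Secure.
REPLACEMENT_WITH_SECURE = r"\1samesite=none; secure\2"


def rewrite_set_cookie(header_value: str, replacement: str = REPLACEMENT) -> str:
    """Emulate the rule's 'Rewrite' action on one Set-Cookie header value.

    If the pattern does not match, the rule does not fire and the header
    passes through unchanged, just as IIS would leave it.
    """
    match = SAMESITE_LAX_PATTERN.fullmatch(header_value)
    if match is None:
        return header_value
    return match.expand(replacement)


def parse_set_cookie(header_value: str) -> dict:
    """Split 'name=value; Attr; Attr=val' into name, value and a lowercase attribute map.

    Flag attributes without a value (Secure, HttpOnly) are stored as True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip().lower() if val else True
    return {"name": name, "value": value, "attrs": attrs}


def browser_accepts_cross_site(header_value: str, https: bool) -> bool:
    """Return True if a browser would store this cookie for a cross-site IFRAME.

    The checks are: SameSite must be 'none', 'none' is only honoured together
    with Secure, and a Secure cookie is only stored over an https connection.
    """
    attrs = parse_set_cookie(header_value)["attrs"]
    if attrs.get("samesite") != "none":
        return False
    if "secure" not in attrs:
        return False
    return https


if __name__ == "__main__":
    # Constructed sample: what ASP.NET Core emits for its session cookie by default.
    raw = ".AspNetCore.Session=abc123; path=/; samesite=lax; httponly"
    for label, value in (
        ("answer's rule", rewrite_set_cookie(raw)),
        ("with Secure", rewrite_set_cookie(raw, REPLACEMENT_WITH_SECURE)),
    ):
        print(f"{label}: {value}")
        print(f"  accepted over http:  {browser_accepts_cross_site(value, https=False)}")
        print(f"  accepted over https: {browser_accepts_cross_site(value, https=True)}")
```

Running this shows the practical caveat for the rule as posted: the rewritten cookie still lacks Secure, so an IISExpress site served over plain http will not get its session cookie stored inside the cross-site IFRAME even after the rewrite; the rule value has to add Secure as well, and the embedded application has to be reached over https. Two further points worth checking in a real web.config: `<clear />` discards any outbound rules inherited from applicationHost.config, so keep it only if that is intended, and the outbound rewrite requires the URL Rewrite module to be present on the server running the site.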