Recently SameSite=Lax is added automatically to my session cookie! This attribute is just added to the SessionID cookie: "Set-Cookie ASP.NET_SessionId=zana3mklplqwewhwvika2125; path=/; HttpOnly; **SameSite=Lax**"
My website is hosted on IIS 8.5, Windows 2012 R2, and doesn't have a WAF or UrlRewrite, and I turned off the antivirus (Kasper).
But I still have the same problem on some customer servers.
Any idea?
EDITED: I found this: https://support.microsoft.com/en-us/help/4524419/kb4524419
ASP.NET will now emit a SameSite cookie header when HttpCookie.SameSite value is 'None' to accommodate upcoming changes to SameSite cookie handling in Chrome. As part of this change, FormsAuth and SessionState cookies will also be issued with SameSite = 'Lax' instead of the previous default of 'None', though these values can be overridden in web.config.
How can I override the SameSite cookie setting for SessionState in web.config? I added this line, but it does not work on the SessionID cookie! `<httpCookies sameSite="Unspecified" />`
EDITED: I found this: https://docs.microsoft.com/en-us/dotnet/api/system.web.configuration.sessionstatesection.cookiesamesite?view=netframework-4.8#System_Web_Configuration_SessionStateSection_CookieSameSite
Set SameSite for the state server with the "cookieSameSite" attribute of the SessionState tag.
To prepare, Android allows native apps to set cookies directly through the CookieManager API. You must declare first party cookies as SameSite=Lax or SameSite=Strict, as appropriate. You must declare third party cookies as SameSite=None; Secure.
SameSite=None requires Secure. The warning appears because any cookie that requests SameSite=None but is not marked Secure will be rejected. To fix this, you will have to add the Secure attribute to your SameSite=None cookies. A Secure cookie is only sent to the server with an encrypted request over the HTTPS protocol.
To test the effect of the new Chrome behavior on your site or cookies you manage, you can go to chrome://flags in Chrome 76+ and enable the "SameSite by default cookies" and "Cookies without SameSite must be secure" experiments.
Resolve this issue by updating the attributes of the cookie: Specify SameSite=None and Secure if the cookie is intended to be set in cross-site contexts. Note that only cookies sent over HTTPS may use the Secure attribute.
Add these options to web.config for sameSite=None, Lax or Strict:

```xml
<system.web>
  <httpCookies sameSite="None" />
  <sessionState cookieSameSite="None" />
  <authentication mode="Forms">
    <forms cookieSameSite="None" />
  </authentication>
</system.web>
```
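The answers above state three rules that decide how Chrome 80+ handles a cookie: a cookie with no SameSite attribute is treated as Lax, SameSite=None is only honoured when the cookie is also marked Secure (otherwise the cookie is rejected), and Lax/Strict cookies are not sent on cross-site requests. The following script is an added example (not code from the question, the answers, or Microsoft) that applies those rules to Set-Cookie header values, so an operator can check what an ASP.NET server is actually emitting before and after changing web.config. The sample headers are constructed; only the ASP.NET_SessionId line comes from the question.

```python
"""Audit Set-Cookie header values against the Chrome 80+ SameSite rules
described in the answers above (added example, not part of the original page).
"""
from dataclasses import dataclass
from typing import List, Optional

VALID_SAMESITE = {"lax", "strict", "none"}


@dataclass
class CookieAudit:
    name: str
    samesite: Optional[str]   # value as written in the header (lower-cased), or None
    secure: bool
    http_only: bool
    effective_samesite: str   # what Chrome applies: "lax", "strict", "none" or "rejected"
    rejected: bool            # True when Chrome drops the cookie entirely
    findings: List[str]


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie value and apply the SameSite defaulting rules."""
    # Accept a raw header line with the "Set-Cookie:" prefix as well
    if header.lower().startswith("set-cookie:"):
        header = header[len("set-cookie:"):]
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    samesite: Optional[str] = None
    secure = http_only = False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key, value = key.strip().lower(), value.strip().lower()
        if key == "samesite":
            samesite = value
        elif key == "secure":
            secure = True
        elif key == "httponly":
            http_only = True

    findings: List[str] = []
    rejected = False
    if samesite is None:
        effective = "lax"
        findings.append("no SameSite attribute: Chrome 80+ treats the cookie as Lax")
    elif samesite not in VALID_SAMESITE:
        effective = "lax"
        findings.append(f"unrecognised SameSite value {samesite!r}: treated like a missing attribute (Lax)")
    elif samesite == "none" and not secure:
        effective = "rejected"
        rejected = True
        findings.append("SameSite=None without Secure: Chrome rejects the cookie")
    else:
        effective = samesite
    if effective in ("lax", "strict"):
        findings.append(f"SameSite={effective}: not sent on cross-site requests")
    return CookieAudit(name, samesite, secure, http_only, effective, rejected, findings)


def audit_headers(headers: List[str]) -> List[CookieAudit]:
    """Audit a list of Set-Cookie values and return one result per cookie."""
    return [parse_set_cookie(h) for h in headers]


# Constructed sample headers; the first line is the one quoted in the question.
SAMPLE_HEADERS = [
    "ASP.NET_SessionId=zana3mklplqwewhwvika2125; path=/; HttpOnly; SameSite=Lax",
    ".ASPXAUTH=EXAMPLE-TICKET; path=/; HttpOnly",                      # no SameSite attribute
    "ASP.NET_SessionId=EXAMPLE-ID; path=/; HttpOnly; SameSite=None",   # None without Secure
    "ASP.NET_SessionId=EXAMPLE-ID; path=/; HttpOnly; Secure; SameSite=None",
]

if __name__ == "__main__":
    for result in audit_headers(SAMPLE_HEADERS):
        notes = "; ".join(result.findings) if result.findings else "ok"
        print(f"{result.name}: effective SameSite={result.effective_samesite} | {notes}")
```

Run it against the Set-Cookie values captured from a response (for example with `curl -sI https://example.invalid/ | grep -i set-cookie`, assumed placeholder host) to see which cookies will silently be downgraded to Lax and which SameSite=None cookies will be dropped because the Secure attribute is missing; the third sample line shows the case the answers warn about, where `cookieSameSite="None"` in web.config is not enough on its own without an HTTPS-only (Secure) cookie.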