As per the recent update from Google Chrome, it only allows cross-platform cookies which have the attribute sameSite=None
Link: https://learn.microsoft.com/en-us/aspnet/samesite/system-web-samesite#net-versions-earlier-than-472
As per the above image, Microsoft doesn't provide built-in support for this attribute in versions lower than 4.7.2.
So, we are unable to set it while creating a cookie on the server side.
Is there any possible way we can create a cookie with the SameSite attribute?
Assuming you have IIS' URL Rewrite Extension 2.0 installed (Azure App Services, nee Azure Websites, have this installed already) then you should look at @sreenath's answer as that solution should work for most users.
However (in my privileged position from within my ivory tower inside a giant egotistical bubble) there is no excuse for any project not already using .NET Framework 4.7.2 or later because the .NET Framework updates over the past 5+ years (Visual Studio 2013, onwards) have been largely additive and backwards-compatible. So I strongly urge developers to (try to) update their projects to .NET Framework 4.7.2 or 4.8 first before trying hacks like using IIS Rewrite to set the SameSite cookie parameter.
How to set cookie attribute Samesite = None for .Net Framework earlier of 4.7.2 (for 4.5.2)
Simply put: You can't.
The article you linked to explains why (emphasis mine):
Microsoft does not support .NET versions lower than 4.7.2 for writing the same-site cookie attribute. We have not found a reliable way to:
- Ensure the attribute is written correctly based on browser version.
- Intercept and adjust authentication and session cookies on older framework versions
The only solution is to upgrade your project to .NET Framework 4.7.2 or later.
But the good news is that upgrading from .NET Framework 4.5 to 4.7.2 is easy with minimal, if any, backwards-compatibility issues. You don't even have to change anything in your web.config file (i.e. you can still use ASP.NET WebForms 4.5 with .NET Framework 4.8).
All you need to do is:
.csproj files in Notepad.
<TargetFrameworkVersion>v4.5.2</TargetFrameworkVersion> to <TargetFrameworkVersion>v4.7.2</TargetFrameworkVersion>
The only problems you'll run into, in my experience, are:
packages directory).
Of course, I'll still chide your product's managers for not ensuring that their project is kept in working order for seven years (as .NET Framework 4.5.2 was released in 2013). Why isn't there a CI pipeline set up to handle this automatically?
You could achieve this by using IIS URL Rewrite module. This would need you to install the module on the Server itself, but this will give you the solution you are after I hope.
<rewrite>
  <outboundRules>
    <clear />
    <!-- Append SameSite=none to each Set-Cookie header that passes the precondition -->
    <rule name="Add SameSite" preCondition="No SameSite">
      <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
      <action type="Rewrite" value="{R:0}; SameSite=none;" />
      <conditions>
      </conditions>
    </rule>
    <preConditions>
      <!-- Fire only when a cookie is being set and it does not already contain "; SameSite=none;" -->
      <preCondition name="No SameSite">
        <add input="{RESPONSE_Set_Cookie}" pattern="." />
        <add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=none;" negate="true" />
      </preCondition>
    </preConditions>
  </outboundRules>
</rewrite>
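An added example (not part of either answer or of Microsoft's documentation): a JavaScript model of the outbound rule above, run over constructed Set-Cookie values, that flags a duplicated SameSite attribute and SameSite=None without Secure, which Chrome rejects. It assumes URL Rewrite's default case-insensitive ECMAScript matching and that all precondition entries must match; `applyRule`, `audit` and the sample cookies are illustrative names and values.

```javascript
// Model of the rule's precondition and action (an approximation, not IIS itself).
const PRECONDITIONS = [
  { pattern: /./i, negate: false },                 // a cookie is being set
  { pattern: /; SameSite=none;/i, negate: true },   // literal text not already present
];

function applyRule(setCookie) {
  const fires = PRECONDITIONS.every(c => c.pattern.test(setCookie) !== c.negate);
  return fires ? `${setCookie}; SameSite=none;` : setCookie;   // "{R:0}; SameSite=none;"
}

// Attributes after the leading name=value pair, lower-cased as [name, value].
function attributes(setCookie) {
  return setCookie.split(';').slice(1)
    .map(part => part.trim()).filter(Boolean)
    .map(part => {
      const [name, ...rest] = part.split('=');
      return [name.toLowerCase(), rest.join('=').toLowerCase()];
    });
}

// Findings for one rewritten header value.
function audit(setCookie) {
  const attrs = attributes(setCookie);
  const sameSite = attrs.filter(([n]) => n === 'samesite').map(([, v]) => v);
  const findings = [];
  if (sameSite.length > 1) findings.push('duplicate SameSite attribute');
  if (sameSite.includes('none') && !attrs.some(([n]) => n === 'secure'))
    findings.push('SameSite=None without Secure');
  return findings;
}

// Constructed sample headers (not captured from a real server).
const SAMPLES = [
  'ASP.NET_SessionId=abc123; path=/; HttpOnly',      // no Secure flag
  '.ASPXAUTH=deadbeef; path=/; secure; HttpOnly',    // Secure already set
  'pref=1; path=/; SameSite=Lax',                    // app chose Lax
  'x=1; path=/; secure; SameSite=None',              // no trailing semicolon
  'y=1; path=/; secure; SameSite=none;',             // already rewritten
];

function report(headers) {
  return headers.map(h => ({ rewritten: applyRule(h), findings: audit(applyRule(h)) }));
}

for (const row of report(SAMPLES)) {
  console.log(row.rewritten, '->', row.findings.join(', ') || 'ok');
}
```

Only the second and fifth samples come out clean: the rule matches the exact text `; SameSite=none;`, so cookies carrying SameSite=Lax or SameSite=None without a trailing semicolon get a second attribute appended, and cookies without Secure end up with a SameSite=None that Chrome will not accept.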