How to set cookie attribute Samesite = None for .Net Framework earlier of 4.7.2 (for 4.5.2)

Question

As per the recent update from Google Chrome, it only allows cross-platform cookies which having attribute

sameSite=None

Link: https://learn.microsoft.com/en-us/aspnet/samesite/system-web-samesite#net-versions-earlier-than-472

As per the above image, Microsoft doesn't provide build-in support of this Attribute for lower version then 4.7.2.

So, we are unable to set it while creating cookie at server side.

Is there any possible way we can create cookie with SameSite Attribute?

Answer 1

UPDATE:

Assuming you have IIS' URL Rewrite Extension 2.0 installed (Azure App Services, nee Azure Websites, have this installed already) then you should look at @sreenath's answer as that solution should work for most users.

However (in my privileged position from within my ivory tower inside a giant egotistical bubble) there is no excuse for any project not already using .NET Framework 4.7.2 or later because the .NET Framework updates over the past 5+ years (Visual Studio 2013, onwards) have been largely additive and backwards-compatible. So I strongly urge developers to (try to) update their projects to .NET Framework 4.7.2 or 4.8 first before trying hacks like using IIS Rewrite to set the SameSite cookie parameter.

My original answer:

How to set cookie attribute Samesite = None for .Net Framework earlier of 4.7.2 (for 4.5.2)

Simply put: You can't.

The article you linked to explains why (emphasis mine):

Microsoft does not support .NET versions lower that 4.7.2 for writing the same-site cookie attribute. We have not found a reliable way to:

• Ensure the attribute is written correctly based on browser version.
• Intercept and adjust authentication and session cookies on older framework versions

The only solution is to upgrade your project to .NET Framework 4.7.2 or later.

But the good news is that upgrading from .NET Framework 4.5 to 4.7.2 is easy with minimal, if any, backwards-compatibility issues. You don't even have to change anything in your web.config file (i.e. you can still use ASP.NET WebForms 4.5 with .NET Framework 4.8).

All you need to do is:

1. Make a new git commit.
2. Open your .csproj files in Notepad.
3. Change <TargetFrameworkVersion>v4.5.2</TargetFrameworkVersion> to <TargetFrameworkVersion>v4.7.2</TargetFrameworkVersion>
4. Save.
5. Reopen your projects/solutions in Visual Studio and click rebuild.

The only problems you'll run-into, in my experience, is:

• Needing to refresh/reinstall NuGet packages, as NuGet really doesn't handle target-framework changes easily. This is straightforward to fix (just nuke your packages directory).
• Non-NuGet dependencies (like old-school WinForms components, ew) that have special installation steps that for some reason have a hard dependency on a specific .NET Framework version - in which case I'll be very surprised if your component vendor doesn't have an update.

Of course, I'll still chide your product's managers for not ensuring that their project is kept in working-order for seven years (As .NET Framework 4.5.2 was released in 2013). Why isn't there a CI pipeline set-up to handle this automatically?

Answer 2

You could achieve this by using IIS URL Rewrite module. This would need you to install the module on the Server itself, but this will give you the solution you are after I hope.

<rewrite>
      <outboundRules>
        <clear />
        <rule name="Add SameSite" preCondition="No SameSite">
          <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
 
          <action type="Rewrite" value="{R:0}; SameSite=none;" />
          <conditions>
          </conditions>
        </rule>
        <preConditions>
          <preCondition name="No SameSite">
            <add input="{RESPONSE_Set_Cookie}" pattern="." />
            <add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=none;" negate="true" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>