
How to set cookie attribute SameSite=None for .NET Framework earlier than 4.7.2 (for 4.5.2)

As per the recent update from Google Chrome, it only allows cross-platform cookies which have the attribute

sameSite=None

enter image description here

Link: https://learn.microsoft.com/en-us/aspnet/samesite/system-web-samesite#net-versions-earlier-than-472

As per the above image, Microsoft doesn't provide built-in support for this attribute for versions lower than 4.7.2.

So, we are unable to set it while creating the cookie on the server side.

Is there any possible way we can create a cookie with the SameSite attribute?

Smit Patel asked Dec 30 '22 21:12


2 Answers

UPDATE:

Assuming you have IIS' URL Rewrite Extension 2.0 installed (Azure App Services, nee Azure Websites, have this installed already) then you should look at @sreenath's answer as that solution should work for most users.

However (in my privileged position from within my ivory tower inside a giant egotistical bubble) there is no excuse for any project not already using .NET Framework 4.7.2 or later because the .NET Framework updates over the past 5+ years (Visual Studio 2013, onwards) have been largely additive and backwards-compatible. So I strongly urge developers to (try to) update their projects to .NET Framework 4.7.2 or 4.8 first before trying hacks like using IIS Rewrite to set the SameSite cookie parameter.

My original answer:

How to set cookie attribute Samesite = None for .Net Framework earlier of 4.7.2 (for 4.5.2)

Simply put: You can't.

The article you linked to explains why (emphasis mine):

Microsoft does not support .NET versions lower than 4.7.2 for writing the same-site cookie attribute. We have not found a reliable way to:

  • Ensure the attribute is written correctly based on browser version.
  • Intercept and adjust authentication and session cookies on older framework versions

The only solution is to upgrade your project to .NET Framework 4.7.2 or later.

But the good news is that upgrading from .NET Framework 4.5 to 4.7.2 is easy with minimal, if any, backwards-compatibility issues. You don't even have to change anything in your web.config file (i.e. you can still use ASP.NET WebForms 4.5 with .NET Framework 4.8).

All you need to do is:

  1. Make a new git commit.
  2. Open your .csproj files in Notepad.
  3. Change <TargetFrameworkVersion>v4.5.2</TargetFrameworkVersion> to <TargetFrameworkVersion>v4.7.2</TargetFrameworkVersion>
  4. Save.
  5. Reopen your projects/solutions in Visual Studio and click rebuild.

The only problems you'll run into, in my experience, are:

  • Needing to refresh/reinstall NuGet packages, as NuGet really doesn't handle target-framework changes easily. This is straightforward to fix (just nuke your packages directory).
  • Non-NuGet dependencies (like old-school WinForms components, ew) that have special installation steps that for some reason have a hard dependency on a specific .NET Framework version - in which case I'll be very surprised if your component vendor doesn't have an update.

Of course, I'll still chide your product's managers for not ensuring that their project is kept in working-order for seven years (As .NET Framework 4.5.2 was released in 2013). Why isn't there a CI pipeline set-up to handle this automatically?

Dai answered Jan 31 '23 09:01


You could achieve this by using the IIS URL Rewrite module. This would need you to install the module on the server itself, but this will give you the solution you are after, I hope.

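<!-- Goes inside <system.webServer> in web.config; requires the IIS URL Rewrite module. -->
<rewrite>
  <outboundRules>
    <clear />
    <!-- Appends "; SameSite=none;" to the Set-Cookie response header when the precondition holds. -->
    <rule name="Add SameSite" preCondition="No SameSite">
      <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
      <action type="Rewrite" value="{R:0}; SameSite=none;" />
      <conditions>
      </conditions>
    </rule>
    <preConditions>
      <!-- Holds when Set-Cookie is non-empty and does not already contain "; SameSite=none;". -->
      <preCondition name="No SameSite">
        <add input="{RESPONSE_Set_Cookie}" pattern="." />
        <add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=none;" negate="true" />
      </preCondition>
    </preConditions>
  </outboundRules>
</rewrite>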
Sreenath answered Jan 31 '23 08:01
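
A check one might run after deploying the outbound rule above (an added example, not part of the original answers): it models the rule on constructed Set-Cookie headers and audits the result, since Chrome rejects SameSite=None cookies that lack Secure. The function names and sample headers are hypothetical, and the model assumes the rule is evaluated once per Set-Cookie header with URL Rewrite's default case-insensitive matching.

```python
import re

# Pattern copied from the precondition in the answer above.
# Assumption: URL Rewrite's default ignoreCase="true" applies.
PRECONDITION_ABSENT = re.compile(r"; SameSite=none;", re.IGNORECASE)
SAMESITE_ATTR = re.compile(r";\s*SameSite=([^;\s]*)", re.IGNORECASE)
SECURE_ATTR = re.compile(r";\s*Secure\s*(;|$)", re.IGNORECASE)


def apply_rule(set_cookie):
    """Model of the outbound rule: append '; SameSite=none;' unless present.

    Assumption: the rule is evaluated once per Set-Cookie header value.
    """
    if not set_cookie or PRECONDITION_ABSENT.search(set_cookie):
        return set_cookie
    return set_cookie + "; SameSite=none;"


def audit(set_cookie):
    """Return findings worth reviewing in a (rewritten) Set-Cookie header."""
    problems = []
    values = [v.lower() for v in SAMESITE_ATTR.findall(set_cookie)]
    if not values:
        problems.append("no SameSite attribute")
    if len(set(values)) > 1:
        problems.append("conflicting SameSite values: " + ", ".join(values))
    # Chrome drops SameSite=None cookies that are not also marked Secure.
    if "none" in values and not SECURE_ATTR.search(set_cookie):
        problems.append("SameSite=None without Secure")
    return problems


# Constructed sample headers (not taken from the page).
SAMPLES = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",
    "auth=xyz; path=/; secure; HttpOnly",
    "pref=dark; path=/; secure; SameSite=Lax",
    "sso=tok; path=/; secure; SameSite=None;",
]

if __name__ == "__main__":
    for header in SAMPLES:
        rewritten = apply_rule(header)
        print(rewritten, "->", audit(rewritten) or "ok")
```

The first sample shows a session cookie that the rule marks SameSite=none without Secure, and the third shows the rule appending a second SameSite attribute to a cookie that was deliberately set to Lax.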