I was surfing the web and found the article Preventing CSRF with the same-site cookie attribute.
As that link says, we need to add a Set-Cookie header:
Set-Cookie: key=value; HttpOnly; SameSite=strict
Now my question is: I want to set this on my ASP.NET site for all cookies and the authentication cookie. I tried to set this using a header from IIS, but someone says this is the wrong way to implement it.
I have also tried the below.
HttpCookie newAuthenticationCookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(newAuthenticationTicket)) { HttpOnly = true };
newAuthenticationCookie.Values.Add("SameSite", "strict");
But it does not seem to help me.
Please suggest a better way to do this.
Thanks.
Why can the same-site cookie help prevent CSRF attacks? The same-site cookie has a special attribute, SameSite, that is set by the server. If this attribute is present and its value is Strict, the browser will not send the cookie along with cross-site requests.
SameSite=None requires Secure. The warning appears because any cookie that requests SameSite=None but is not marked Secure will be rejected. To fix this, you will have to add the Secure attribute to your SameSite=None cookies. A Secure cookie is only sent to the server with an encrypted request over the HTTPS protocol.
Overview. SameSite prevents the browser from sending the cookie along with cross-site requests. The main goal is to mitigate the risk of cross-origin information leakage. It also provides some protection against cross-site request forgery attacks.
What is the SameSite attribute? The SameSite attribute tells browsers when and how to send cookies in first- or third-party situations. SameSite is used by a variety of browsers to decide whether or not to allow a cookie to be sent.
After a deep review of the HttpCookie source it's confirmed that we cannot do this in code, as there is no way to add an extra attribute to the cookie and the class is marked as sealed.
But still I managed a solution by modifying web.config as below.
<rewrite>
  <outboundRules>
    <rule name="Add SameSite" preCondition="No SameSite">
      <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
      <action type="Rewrite" value="{R:0}; SameSite=strict" />
      <conditions>
      </conditions>
    </rule>
    <preConditions>
      <preCondition name="No SameSite">
        <add input="{RESPONSE_Set_Cookie}" pattern="." />
        <add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=strict" negate="true" />
      </preCondition>
    </preConditions>
  </outboundRules>
</rewrite>
This adds SameSite=strict to each Set-Cookie.
You can also set this in code when creating a cookie:
var httpCookie = new HttpCookie("mycookie", "myvalue");
httpCookie.Path += ";SameSite=Strict";
Response.SetCookie(httpCookie);
This will give you the following header:
Set-Cookie:mycookie=myvalue; path=/;SameSite=Strict
A bit of a hack until it's pushed into the framework.
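The two answers above cover the same ground from opposite ends: the first patches every Set-Cookie header with an IIS outbound rewrite rule, the second patches one cookie in code. The following is an added example, not code from the question or from either answer, that generalises the second answer's "append to Path" trick into an IHttpModule so it reaches every cookie in Response.Cookies (the Forms authentication cookie included) without editing each call site. It assumes .NET Framework 4.5 (before HttpCookie had a SameSite property), the IIS integrated pipeline, and that no other component has already tagged the cookie; the module name, the hypothetical appSettings key "SameSiteMode", and the sample values are all constructed for this example. It also folds in the Secure rule quoted earlier on the page: a SameSite=None cookie is only emitted with Secure and only on an HTTPS request.

```csharp
using System;
using System.Web;
using System.Web.Configuration;

// Added example (not from the original post or answers). Applies the "append to
// Path" trick to every cookie queued in Response.Cookies, skipping cookies that
// already carry a SameSite attribute so it is never emitted twice.
public class SameSiteCookieModule : IHttpModule
{
    // Hypothetical appSettings key; the module falls back to Strict when it is absent.
    private const string SettingKey = "SameSiteMode";

    public void Init(HttpApplication app)
    {
        // EndRequest runs after FormsAuthentication and session state have queued
        // their cookies, and before ASP.NET serialises Response.Cookies to headers
        // (assumption: nothing in the app flushes the response earlier).
        app.EndRequest += (sender, e) =>
        {
            var ctx = ((HttpApplication)sender).Context;
            string mode = WebConfigurationManager.AppSettings[SettingKey] ?? "Strict";
            ApplySameSite(ctx.Response.Cookies, mode, ctx.Request.IsSecureConnection);
        };
    }

    public void Dispose() { }

    // Mutates each cookie so its Set-Cookie line ends with "; SameSite=<mode>".
    // Returns the number of cookies changed so callers can check the effect.
    public static int ApplySameSite(HttpCookieCollection cookies, string mode, bool isHttps)
    {
        if (mode != "Strict" && mode != "Lax" && mode != "None")
            throw new ArgumentException("mode must be Strict, Lax or None", "mode");

        int changed = 0;
        for (int i = 0; i < cookies.Count; i++)
        {
            HttpCookie cookie = cookies[i];
            if (cookie == null) continue;

            string path = string.IsNullOrEmpty(cookie.Path) ? "/" : cookie.Path;

            // Already tagged, e.g. by an outbound rewrite rule like the first
            // answer's or by a hand-written Path hack: leave it alone.
            if (path.IndexOf("SameSite=", StringComparison.OrdinalIgnoreCase) >= 0)
                continue;

            // Browsers reject SameSite=None without Secure, and a Secure cookie is
            // only sent over HTTPS, so None is only applied on an HTTPS request.
            if (mode == "None")
            {
                if (!isHttps) continue;
                cookie.Secure = true;
            }

            cookie.Path = path + "; SameSite=" + mode;
            changed++;
        }
        return changed;
    }
}
```

Register it in web.config under system.webServer/modules with an add element whose name is SameSiteCookieModule and whose type is the fully qualified class name. The same Path trick is used by the answer above, so the resulting header has the same shape: Set-Cookie: name=value; path=/; SameSite=Strict. Because ApplySameSite skips cookies whose Path already mentions SameSite, the module can coexist with the first answer's rewrite rule without producing a duplicated attribute. On .NET Framework 4.7.2 and later, HttpCookie exposes a real SameSite property and web.config accepts sameSite on the httpCookies element and cookieSameSite on the forms element, so this hack is only needed on older frameworks.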