
SameSite None cookie attribute not set in Azure Web App

To prepare for the upcoming changes to SameSite in Chrome 80, I have upgraded my .NET Framework API from 4.6.2 to 4.7.2.

I created a simple test endpoint that sets a cookie with SameSite=None:

using System.Web;
using System.Web.Http;

public class TestController : ApiController
{
    public IHttpActionResult Get()
    {
        // Cookie intended for cross-site use: Secure is required alongside SameSite=None
        var cookie = new HttpCookie("foo", "bar")
        {
            HttpOnly = true,
            Secure = true,
            SameSite = SameSiteMode.None
        };

        HttpContext.Current.Response.SetCookie(cookie);

        return Ok();
    }
}

This works as expected locally, and the following header is returned:

set-cookie: foo=bar; path=/; secure; HttpOnly; SameSite=None

However, this does not work when publishing to an Azure web app configured with 4.7 as the runtime stack. The web app returns the cookie header without SameSite:

Set-Cookie: foo=bar; path=/; secure; HttpOnly

If I set it to Strict or Lax it works as expected in Azure too.

Is this an issue with Azure? Is there anything that needs to be configured on the web app to get this working, or perhaps I have to set the cookie in a different way?

Asked by Boxiom, Dec 10 '22 01:12


2 Answers

From https://stackoverflow.com/a/38957177/1322009: one solution, which also works on 4.6.1, is to add the following to your web.config.

Edit: Chrome now wants you to include secure; on your cookies when using SameSite=none.

<system.webServer>
  <rewrite>
    <outboundRules>
      <clear />
      <!-- Append the suffix to every Set-Cookie value that does not already carry it -->
      <rule name="Add SameSite" preCondition="No SameSite">
        <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
        <action type="Rewrite" value="{R:0}; secure; SameSite=none" />
        <conditions>
        </conditions>
      </rule>
      <preConditions>
        <!-- Fires only when the header is non-empty and lacks the literal suffix -->
        <preCondition name="No SameSite">
          <add input="{RESPONSE_Set_Cookie}" pattern="." />
          <add input="{RESPONSE_Set_Cookie}" pattern="; secure; SameSite=none" negate="true" />
        </preCondition>
      </preConditions>
    </outboundRules>
  </rewrite>
</system.webServer>

This assumes URL Rewrite is installed when you are hosting your own IIS site: https://www.iis.net/downloads/microsoft/url-rewrite

Answered by Daniel Cumings, Dec 12 '22 21:12


Azure will be updated before the end of the month - see the official announcement here: https://learn.microsoft.com/answers/questions/6842/announcement-samesite-cookie-handling-and-net-fram.html

We're seeing the same thing, updating to 4.7.2 specifically to address the SameSite issue.

It appears this was patched with a release from Microsoft on 10 November, but it is not yet available on Azure.

The site being deployed targets .NET 4.7.2, and the changes work as expected when tested locally.

If we decompile the System.Web.dll (downloaded through Kudu) we're seeing an older version that doesn't handle SameSite cookies.

This appears to be an issue for others (with 4.7.2 despite the 4.8 topic).

https://feedback.azure.com/forums/169385-web-apps/suggestions/37566262-upgrade-app-service-with-net-4-8

The timestamp on the System.Web.dll is 11/12/2019, but on decompiling we see:

    // Decompiled System.Web: the attribute is skipped entirely when the mode is None
    if (this._sameSite != SameSiteMode.None)
    {
        stringBuilder.Append("; SameSite=");
        stringBuilder.Append(this._sameSite);
    }

Barry Dorrans at Microsoft appears to confirm that this hasn't been rolled out yet to Azure at the bottom of this page: https://devblogs.microsoft.com/aspnet/upcoming-samesite-cookie-changes-in-asp-net-and-asp-net-core/ where we had raised this as an issue too.

EDIT: We've been informed that the patch is being rolled out to Azure starting this week, and expected to be completed by the 31st January.

The update is officially communicated here: https://learn.microsoft.com/answers/questions/6842/announcement-samesite-cookie-handling-and-net-fram.html

Answered by Martin Brown, Dec 12 '22 22:12
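As an added example (not code from the question or from either answer), the following Python script models the three behaviours the two answers describe for a single Set-Cookie value: the unpatched System.Web serializer from the decompiled check in the second answer, which drops the attribute whenever the mode is None; the patched 4.7.2 serializer, which emits SameSite=None as in the question's local header; and the "Add SameSite" outbound rewrite rule from the first answer. A small browser-side parser then reports what a SameSite-aware browser would keep. Assumptions not stated on the page: the attribute order follows the question's own header (path, secure, HttpOnly, SameSite); the IIS rule is emulated once per Set-Cookie value with URL Rewrite's default case-insensitive matching; the browser follows RFC 6265 (the last occurrence of a repeated attribute wins) and Chrome 80's rule that SameSite=None without Secure is rejected. The sample cookies, including the anti-forgery cookie name, are constructed.

```python
"""Added example, not code from the question or either answer.

Models the unpatched System.Web serializer (the decompiled check in the
second answer), the patched 4.7.2 serializer (the question's local header)
and the 'Add SameSite' outbound rewrite rule from the first answer, then
shows what a SameSite-aware browser keeps.

Assumptions (not stated on the page): attribute order follows the question's
own header (path, secure, HttpOnly, SameSite); the IIS rule runs once per
Set-Cookie value with URL Rewrite's default case-insensitive matching; the
browser follows RFC 6265 (last duplicate attribute wins) and Chrome 80's rule
that SameSite=None without Secure is rejected.
"""
import re

VALID_SAMESITE = {"strict", "lax", "none"}


def serialize_cookie(name, value, secure, http_only, same_site, patched):
    """Build a Set-Cookie value the way System.Web's HttpCookie does.

    same_site is "Strict", "Lax", "None", or None when no mode was set.
    patched=False reproduces `if (this._sameSite != SameSiteMode.None)`:
    the attribute is dropped whenever the mode is None.  patched=True emits
    SameSite=None explicitly and omits the attribute only when unset.
    """
    parts = [f"{name}={value}", "path=/"]
    if secure:
        parts.append("secure")
    if http_only:
        parts.append("HttpOnly")
    if same_site is not None and (patched or same_site != "None"):
        parts.append(f"SameSite={same_site}")
    return "; ".join(parts)


# Precondition from the rule: value is non-empty and does not already contain
# the literal "; secure; SameSite=none" (ignoreCase is the URL Rewrite default).
_ALREADY_DONE = re.compile(r"; secure; SameSite=none", re.IGNORECASE)


def apply_rewrite_rule(header):
    """Emulate the 'Add SameSite' outbound rule on one Set-Cookie value.

    {R:0} is the whole matched value, so the action appends the suffix to it.
    """
    if not header or _ALREADY_DONE.search(header):
        return header
    return header + "; secure; SameSite=none"


def browser_view(header):
    """Parse a Set-Cookie value like a SameSite-aware browser.

    Returns the cookie name, whether Secure is set, the effective SameSite
    value (None when absent or unrecognised, which Chrome 80 treats as Lax)
    and whether Chrome 80 would store the cookie at all.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    secure = False
    samesite = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip().lower()
        if key == "secure":
            secure = True
        elif key == "samesite":
            # RFC 6265: the last occurrence of a repeated attribute wins.
            samesite = val if val in VALID_SAMESITE else None
    accepted = not (samesite == "none" and not secure)
    return {"name": name, "secure": secure, "samesite": samesite, "accepted": accepted}


def demo():
    """Run the page's scenarios on constructed cookies; returns a dict."""
    results = {}
    # The question's cookie as an unpatched System.Web (the Azure header) and
    # a patched 4.7.2 (the local header) serialise it.
    results["unpatched"] = serialize_cookie("foo", "bar", True, True, "None", patched=False)
    results["patched"] = serialize_cookie("foo", "bar", True, True, "None", patched=True)
    # The rewrite rule repairs the unpatched header...
    results["unpatched_rewritten"] = browser_view(apply_rewrite_rule(results["unpatched"]))
    # ...but it is not scoped to that cookie: a constructed anti-forgery cookie
    # meant to stay Lax is rewritten too, and the appended SameSite=none wins.
    lax = serialize_cookie("__RequestVerificationToken", "t0k", True, True, "Lax", patched=True)
    results["lax_rewritten"] = browser_view(apply_rewrite_rule(lax))
    # ASP.NET's order ("secure; HttpOnly; SameSite=None") never matches the
    # precondition's literal, so a patched header gets a harmless duplicate.
    results["patched_rewritten_raw"] = apply_rewrite_rule(results["patched"])
    # SameSite=None without Secure is rejected by Chrome 80 (the "Edit" in
    # the first answer).
    insecure = serialize_cookie("foo", "bar", False, True, "None", patched=True)
    results["insecure"] = browser_view(insecure)
    return results


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The point the model makes visible is that the rewrite rule is a blanket fix: it appends SameSite=None to every cookie the app emits, so a cookie that was deliberately Lax or Strict (an anti-forgery token, for instance) loses that protection because browsers honour the last SameSite attribute. If any cookie must keep a stricter mode, add a condition on the cookie name to the rule so it only touches the cookies that genuinely need cross-site delivery.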