How is the SameSite attribute added to my ASP.NET_SessionId cookie automatically?

迷失自我 2020-11-30 06:47

Recently SameSite=Lax was added automatically to my session cookie! This attribute is added only to the session ID: "Set-Cookie ASP.NET_SessionId=zana3mklplqwewhwvika2125; path=/; H

7 answers
  • 2020-11-30 07:01

    Works for me. Added to my web.config file:

    <sessionState cookieSameSite="None"></sessionState>
    

    Upgrade to .NET Framework 4.8 + installation patch: 2019-12 Cumulative Update for .NET Framework 3.5 and 4.8 for Windows 10 Version 1909 for x64 (KB4533002)

  • 2020-11-30 07:06

    Last update: zemien's answer is more comprehensive and complete than mine, because it sets the cookie based on the user agent.

    My Answer:

    You can replace SameSite=Lax with SameSite=None for ASP.NET_SessionId in web.config in the following way:

    <rewrite>
      <outboundRules>
        <rule name="AddSameSiteCookieFlag">
          <match serverVariable="RESPONSE_Set-Cookie" pattern="((.*)(ASP.NET_SessionId)(=.*))(SameSite=Lax)" />
          <action type="Rewrite" value="{R:1};SameSite=None" />
        </rule>
      </outboundRules>
    </rewrite>
    

    Update: To prevent the iOS problem, replace

    <action type="Rewrite" value="{R:1};SameSite=None" />
    

    with

    <action type="Rewrite" value="{R:1};" />
    
  • 2020-11-30 07:10

    Of 4 machines with Google Chrome, one would not work with cookies across sites on ASP. Followed H. J. van der Wijk's info for web.config:

    <system.web>
        <httpCookies sameSite="None"/>
        <sessionState cookieSameSite="None" />
        <authentication mode="Forms">
            <forms cookieSameSite="None" />
        </authentication>
    </system.web>
    

    Still did not work; had to change

    <httpCookies sameSite="None"/>
    

    for

    <httpCookies httpOnlyCookies="true" requireSSL="true" sameSite="None"/>
    

    and all worked.

    Thanks

  • 2020-11-30 07:13

    @zemien your solution correctly solved our Google Chrome issues.

    We have an integration where our application is embedded in an iframe on a third party. Chrome version 80 released Feb 4 2020 prevented cookies from loading.

    However, I had to modify the pattern to capture all cookies, add the Secure flag, and add a condition to not apply the rewrite on localhost for our local non-HTTPS environment:

    <rule name="SessionCookieAddNoneHeader">
      <match serverVariable="RESPONSE_Set-Cookie" pattern="(.*)(SameSite=.*)?" />
      <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
        <add input="{HTTP_HOST}" pattern="localhost" negate="true" />
      </conditions>
      <action type="Rewrite" value="{R:1}; SameSite=None; Secure" />
    </rule>
    
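The two outbound-rule answers above can be checked offline before they reach a server. The following is an added example, not code from any answer: it applies their patterns and action values to constructed Set-Cookie values with JavaScript's RegExp, assuming it behaves like URL Rewrite's default ECMAScript pattern syntax and that a matching rule replaces the whole header value; `applyRule`, `lint` and `audit` are hypothetical helper names.

```javascript
// Constructed sample headers (not captured traffic).
const SESSION = "ASP.NET_SessionId=abc123; path=/; HttpOnly; SameSite=Lax";
const PLAIN = "theme=dark; path=/";

// Patterns and action values copied from the two rewrite-rule answers.
// The "i" flag mirrors URL Rewrite's default case-insensitive matching.
const RULES = {
  sessionOnly: { pattern: /((.*)(ASP.NET_SessionId)(=.*))(SameSite=Lax)/i,
                 value: "{R:1};SameSite=None" },
  allCookies:  { pattern: /(.*)(SameSite=.*)?/i,
                 value: "{R:1}; SameSite=None; Secure" },
};

// Assumed model of an outbound rule: on a match the header value becomes the
// action value with {R:n} back-references filled in; otherwise it is unchanged.
function applyRule(rule, header) {
  const m = rule.pattern.exec(header);
  if (!m) return header;
  return rule.value.replace(/\{R:(\d+)\}/g, (_, n) => m[Number(n)] || "");
}

// Report SameSite problems in one Set-Cookie value.
function lint(header) {
  const attrs = header.split(";").slice(1)
    .map(a => a.trim().toLowerCase()).filter(a => a !== "");
  const sameSite = attrs.filter(a => a.startsWith("samesite="))
    .map(a => a.slice("samesite=".length));
  const findings = [];
  if (sameSite.length > 1) findings.push("duplicate SameSite: " + sameSite.join(","));
  if (sameSite.includes("none") && !attrs.includes("secure"))
    findings.push("SameSite=None without Secure");
  return findings;
}

// Rewrite a header with the named rule, then lint the result.
function audit(ruleName, header) {
  const rewritten = applyRule(RULES[ruleName], header);
  return { rewritten, findings: lint(rewritten) };
}

const cases = [["sessionOnly", SESSION], ["allCookies", SESSION], ["allCookies", PLAIN]];
for (const [name, header] of cases) {
  console.log(name, JSON.stringify(audit(name, header)));
}
```

Under this model the session-only rule yields `SameSite=None` with no `Secure` attribute, and the catch-all rule leaves both `SameSite=Lax` and `SameSite=None` on a cookie that already carried the attribute.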
  • 2020-11-30 07:14

    Add these options to web.config for sameSite=None, Lax or Strict:

    <system.web>
        <httpCookies sameSite="None"/>
        <sessionState cookieSameSite="None" />
        <authentication mode="Forms">
            <forms cookieSameSite="None" />
        </authentication>
    </system.web>
    
  • 2020-11-30 07:17

    I can't use rewrite, because UrlRewrite is not installed on all my customers' servers.

    Finally I added cookieSameSite to my web.config:

    <sessionState mode="StateServer" cookieSameSite="None" sqlConnectionString="data source=(local);user id=sa;password=" cookieless="false" timeout="20" />
