Chrome 76 will begin to support an explicit SameSite: None attribute
https://web.dev/samesite-cookies-explained/
I found that the current imple
[Edit] If you are using all DLLs and packages from NuGet, you have to ensure Microsoft.Net.Http.Headers is at version 2.2.8 or above.
After the last KB from Microsoft on 10 December 2019, it should be fixed in .NET Framework and .NET Core.
see:
Same issue occurs in ASP.NET as in ASP.NET Core.
Until Microsoft produce a fix, a hack that's working for me is to replace
myCookie.Path = "/";
myCookie.SameSite = SameSiteMode.None; // has no effect
with
myCookie.Path = "/; SameSite=None";
This adds SameSite=None to the set-cookie header in the HTTP response.
Other answers have mentioned the .Net Core fix, so I'll skip that part.
The .Net Framework fix is provided via a "Quality Rollup".
Here's the KB for .Net 4.8.
Here's the KB for .Net 4.7.2.
Here's the relevant MSDN source.
It's now fixed in the latest release of all versions of .NET Framework and .NET Core (https://github.com/aspnet/AspNetCore/issues/12125).
I have multiple projects running on .NET Core 2.2 and after upgrading to 2.2.207, I don't have the problem anymore.
Here is sample code from the ConfigureServices method of the Startup.cs file:
services.ConfigureApplicationCookie(options => {
    options.Cookie.SameSite = SameSiteMode.None;
});
response.Headers.Append("set-Cookie", $"{cookieName}={cookieValue}; path=/; SameSite=None; Secure");
seems to work as expected.
I tested this by enabling same-site-by-default-cookies and cookies-without-same-site-must-be-secure in Chrome Dev 76.
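
A way to check what the server actually emits, as an added example that is not part of any answer above: it classifies a Set-Cookie header value the way Chrome treats it with the same-site-by-default-cookies and cookies-without-same-site-must-be-secure flags enabled. The class name SetCookieAudit, the Classify method and the sample cookie name and value are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

public static class SetCookieAudit
{
    // Classifies one Set-Cookie header value as Chrome treats it with both flags enabled.
    public static string Classify(string setCookie)
    {
        // The first segment is name=value; every later segment is an attribute.
        var attrs = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        foreach (var part in setCookie.Split(';').Skip(1))
        {
            var kv = part.Split(new[] { '=' }, 2);
            var key = kv[0].Trim();
            if (key.Length > 0) attrs[key] = kv.Length == 2 ? kv[1].Trim() : "";
        }

        string sameSite;
        if (!attrs.TryGetValue("SameSite", out sameSite) || sameSite.Length == 0)
            return "no SameSite: treated as Lax";
        if (sameSite.Equals("Lax", StringComparison.OrdinalIgnoreCase) ||
            sameSite.Equals("Strict", StringComparison.OrdinalIgnoreCase))
            return "restricted: SameSite=" + sameSite;
        if (!sameSite.Equals("None", StringComparison.OrdinalIgnoreCase))
            return "unrecognized SameSite value: " + sameSite;
        // SameSite=None is only accepted when the cookie is also marked Secure.
        return attrs.ContainsKey("Secure")
            ? "ok: SameSite=None with Secure"
            : "rejected: SameSite=None without Secure";
    }

    public static void Main()
    {
        // Constructed sample headers; the cookie name and value are made up.
        var samples = new[]
        {
            "sid=abc123; path=/",                         // SameSiteMode.None had no effect
            "sid=abc123; path=/; SameSite=None",          // Path workaround, cookie not marked Secure
            "sid=abc123; path=/; SameSite=None; Secure",  // header appended by hand
            "sid=abc123; path=/; secure; samesite=none",  // attribute names are case-insensitive
        };
        foreach (var s in samples)
            Console.WriteLine(Classify(s) + "  <-  " + s);
    }
}
```

The second sample shows why the Path workaround also needs myCookie.Secure = true: with cookies-without-same-site-must-be-secure enabled, a SameSite=None cookie without Secure is rejected.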