问题
Recently samesite=lax add automatically to my session cookie!
this attribute just add to sessionID:
"Set-Cookie ASP.NET_SessionId=zana3mklplqwewhwvika2125; path=/; HttpOnly; **SameSite=Lax**"
My website hosted on IIS 8.5, Windows 2012 R2, and dont have WAF or UrlRewrite and I turn off AntiVirus (kasper).
but yet have same problem on some customer servers.
any idea?
EDITED: I Find this: https://support.microsoft.com/en-us/help/4524419/kb4524419
ASP.NET will now emit a SameSite cookie header when HttpCookie.SameSite value is 'None' to accommodate upcoming changes to SameSite cookie handling in Chrome. As part of this change, FormsAuth and SessionState cookies will also be issued with SameSite = 'Lax' instead of the previous default of 'None', though these values can be overridden in web.config.
How can i overridde samesite cookies for SessionState in web.config?
i add this line, but it not work on SessionID cookie!
<httpCookies sameSite="Unspecified" />
EDITED: I find this: https://docs.microsoft.com/en-us/dotnet/api/system.web.configuration.sessionstatesection.cookiesamesite?view=netframework-4.8#System_Web_Configuration_SessionStateSection_CookieSameSite
Set samesite for stateserver by "cookieSameSite" attribute of SessionState tag.
回答1:
Add these options to web.config for sameSite=None , Lax or Strict
<system.web>
<httpCookies sameSite="None"/>
<sessionState cookieSameSite="None" />
<authentication mode="Forms">
<forms cookieSameSite="None" />
</authentication>
回答2:
I can't use rewrite, because UrlRewrite not installed on all my customers servers.
Finally i add cookieSameSite to my web.config:
<sessionState mode="StateServer" cookieSameSite="None" sqlConnectionString="data source=(local);user id=sa;password=" cookieless="false" timeout="20" />回答3:
You can replace SameSite=Lax with SameSite=None for ASP.NET_SessionId in web.config following way:
<rewrite>
<outboundRules>
<rule name="AddSameSiteCookieFlag">
<match serverVariable="RESPONSE_Set-Cookie" pattern="((.*)(ASP.NET_SessionId)(=.*))(SameSite=Lax)" />
<action type="Rewrite" value="{R:1};SameSite=None" />
</rule>
</outboundRules>
</rewrite>
Update: To prevent IOS problem, replace
<action type="Rewrite" value="{R:1};SameSite=None" />
with
<action type="Rewrite" value="{R:1};" />
回答4:
CookieSameSite attribute is not available for many older frameworks. If you're in the situation where the accepted answer is not supported in your environment, read on!
I modified upon several SO answers to come up with this URL rewrite that adds SameSite=None to session cookies, and also remove SameSite=None from all cookies for most incompatible browsers. The aim of this rewrite is to preserve the "legacy" behaviour pre-Chrome 80.
Full write-up in my Coder Frontline blog:
<rewrite>
<outboundRules>
<preConditions>
<!-- Checks User Agent to identify browsers incompatible with SameSite=None -->
<preCondition name="IncompatibleWithSameSiteNone" logicalGrouping="MatchAny">
<add input="{HTTP_USER_AGENT}" pattern="(CPU iPhone OS 12)|(iPad; CPU OS 12)" />
<add input="{HTTP_USER_AGENT}" pattern="(Chrome/5)|(Chrome/6)" />
<add input="{HTTP_USER_AGENT}" pattern="( OS X 10_14).*(Version/).*((Safari)|(KHTML, like Gecko)$)" />
</preCondition>
</preConditions>
<!-- Adds or changes SameSite to None for the session cookie -->
<!-- Note that secure header is also required by Chrome and should not be added here -->
<rule name="SessionCookieAddNoneHeader">
<match serverVariable="RESPONSE_Set-Cookie" pattern="((.*)(ASP.NET_SessionId)(=.*))(SameSite=.*)?" />
<action type="Rewrite" value="{R:1}; SameSite=None" />
</rule>
<!-- Removes SameSite=None header from all cookies, for most incompatible browsers -->
<rule name="CookieRemoveSameSiteNone" preCondition="IncompatibleWithSameSiteNone">
<match serverVariable="RESPONSE_Set-Cookie" pattern="(.*)(SameSite=None)" />
<action type="Rewrite" value="{R:1}" />
</rule>
</outboundRules>
</rewrite>
This should work for most ASP .Net and ASP .Net Core applications, although newer Frameworks have proper code and config options to let you control this behaviour. I would recommend researching all the options available to you before using my rewrite above.
来源:https://stackoverflow.com/questions/59117357/how-samesite-attribute-added-to-my-asp-net-sessionid-cookie-automatically