Internet Explorer/Edge (not Chromium) add an additional SameSite=Lax when SameSite=None; Secure

倾然丶 夕夏残阳落幕 submitted on 2020-03-15 07:34:11

Question


I have a .NET MVC application loaded in an iframe in a Microsoft Dynamics page. Initially the user opens the home page. The home controller redirects to the login page:

return RedirectToAction("Index", "Login", new { returnUrl = redirectURL, error = errorMessage });

This was OK before the update KB4533002 (Cumulative Update for .NET), which adds SameSite=Lax when SameSite is None or not specified. Then I added outbound rules in the web.config to send SameSite=None; Secure.

<rewrite>
  <outboundRules>
    <clear />
    <!-- Append "; SameSite=None" to every Set-Cookie header that does not already contain it -->
    <rule name="Add SameSite" preCondition="No SameSite">
      <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
      <action type="Rewrite" value="{R:0}; SameSite=None" />
    </rule>
    <!-- Append "; Secure" to every Set-Cookie header that does not already contain it -->
    <rule name="Add Secure" preCondition="No Secure">
      <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
      <action type="Rewrite" value="{R:0}; Secure" />
    </rule>
    <preConditions>
      <!-- Header is non-empty and does not already contain "; SameSite=None".
           A header that already carries "; SameSite=Lax" still satisfies this,
           so None is appended after the existing Lax. -->
      <preCondition name="No SameSite">
        <add input="{RESPONSE_Set_Cookie}" pattern="." />
        <add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=None" negate="true" />
      </preCondition>
      <!-- Header is non-empty and does not already contain "; Secure" -->
      <preCondition name="No Secure">
        <add input="{RESPONSE_Set_Cookie}" pattern="." />
        <add input="{RESPONSE_Set_Cookie}" pattern="; Secure" negate="true" />
      </preCondition>
    </preConditions>
  </outboundRules>
</rewrite>

This works in Chrome, Firefox and the latest Edge.

But Internet Explorer and Edge (not Chromium) are adding an additional SameSite:

HttpOnly: true
path:/
SameSite: Lax
SameSite: None
Secure: true

Screenshot from Edge Developer Tools

Does anyone have an idea how to prevent this?


Answer 1:


It might be because the default SameSite is set to Lax. You could try to remove the SameSite attribute by setting (SameSiteMode)(-1), according to this link:

On systems where these updates have been applied, you can specify the previous behavior by setting the SameSiteMode to (SameSiteMode)(-1). You can specify this behavior using the string Unspecified in web.config.

For more information about how to set it, you could refer to this article and this answer.

Besides, there are two similar threads you could also refer to:

(1) how SameSite attribute added to my Asp.net_SessionID cookie automatically?

(2) How to set SameSite cookie attribute to explicit None ASP NET Core




Answer 2:


Thank you Yu Zhou. This was helpful, but instead of Unspecified I set it to None.

<sessionState mode="SQLServer" sqlConnectionString="***" ... cookieless="UseCookies" cookieSameSite="None" />

This, together with the outbound rules (SameSite=None; Secure), worked for me.
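As an added example (not code from the question or from either answer), the following Python script models the two outbound rules from the question as plain string operations on a Set-Cookie header, run over constructed sample headers rather than anything captured from the asker's application. It shows why a cookie that already carries SameSite=Lax, which is what the patched framework emits according to the question, comes out with two SameSite attributes after the append-only rules; it then shows an alternative that replaces any existing SameSite value instead of appending, and a check that flags a duplicate SameSite or a SameSite=None without Secure. IIS URL Rewrite itself is not involved; the functions only imitate the text transformations the rules perform, and the function and sample names are my own.

```python
"""Model of the append-style outbound rules discussed above (added example,
not the page's own code). All Set-Cookie headers below are constructed samples."""
from __future__ import annotations
import re

# Constructed sample Set-Cookie headers: the second one has the shape the
# framework emits after KB4533002, with SameSite=Lax already present.
SAMPLE_HEADERS = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",
    "ASP.NET_SessionId=abc123; path=/; HttpOnly; SameSite=Lax",
    "token=xyz; path=/; Secure; SameSite=None",
]


def append_rules(set_cookie: str) -> str:
    """String-level model of the question's two rules: append '; SameSite=None'
    unless that exact text is present, then append '; Secure' unless present.
    An existing SameSite=Lax is never touched, so it survives next to None."""
    if set_cookie and "; SameSite=None" not in set_cookie:
        set_cookie += "; SameSite=None"
    if set_cookie and "; Secure" not in set_cookie:
        set_cookie += "; Secure"
    return set_cookie


def replace_rules(set_cookie: str) -> str:
    """Alternative: strip every existing SameSite attribute (any value, any
    case) and emit exactly one 'SameSite=None' together with 'Secure'."""
    cleaned = re.sub(r";\s*SameSite=[^;]*", "", set_cookie, flags=re.IGNORECASE)
    cleaned = cleaned.rstrip("; ")
    if not re.search(r";\s*Secure(?=;|$)", cleaned, flags=re.IGNORECASE):
        cleaned += "; Secure"
    return cleaned + "; SameSite=None"


def attributes(set_cookie: str) -> list[tuple[str, str]]:
    """Split a Set-Cookie value into (lower-cased attribute name, value) pairs,
    skipping the leading name=value pair of the cookie itself."""
    parts = [p.strip() for p in set_cookie.split(";")]
    pairs = []
    for part in parts[1:]:
        name, _, value = part.partition("=")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def check(set_cookie: str) -> list[str]:
    """Return the problems a reviewer would flag: more than one SameSite
    attribute, or SameSite=None without the Secure flag it must travel with."""
    attrs = attributes(set_cookie)
    samesite = [v for n, v in attrs if n == "samesite"]
    problems = []
    if len(samesite) > 1:
        problems.append("duplicate SameSite: " + ", ".join(samesite))
    if any(v.lower() == "none" for v in samesite) and not any(n == "secure" for n, _ in attrs):
        problems.append("SameSite=None without Secure")
    return problems


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        for label, rule in (("append", append_rules), ("replace", replace_rules)):
            out = rule(header)
            print(f"{label:7} {out}  problems={check(out)}")
```

Running the file prints both transformations for each sample; the append model reproduces the Lax-then-None pair the question's developer tools show, while the replace model yields a single SameSite=None; Secure. In web.config terms the replace approach corresponds to an outbound rule whose match pattern captures an existing SameSite value and rewrites it, instead of a precondition that only appends; the cookieSameSite="None" setting in the answer above removes the duplicate at the source, so the session cookie never carries Lax in the first place.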



Source: https://stackoverflow.com/questions/60076007/internet-explorer-edge-not-chromium-add-additional-samesite-lax-when-samesite
