ASP.NET - Request.Cookies no longer working in Chrome V80+

折月煮酒 submitted on 2021-02-11 17:04:56

Question


In what is undoubtedly related to Chrome's SameSite cookie policies released recently, I am now having issues updating cookies in ASP.NET.


I have a simple cookie collection to store basic user settings. The cookie is both generated and updated using the code below.

SET COOKIE

If Response.Cookies("Settings") IsNot Nothing Then
  Dim cookie As HttpCookie = Request.Cookies("Settings")
  cookie("Setting01") = ddl.SelectedValue
  cookie.Expires = Date.Now.AddDays(365)
  Response.Cookies.Add(cookie)
End If

When the cookie is first created it appears correctly as below.

When the setting is updated and the code above is called a second time, the value is removed.


This only occurs in Chrome and only since I updated to Chrome V84.

I have made the following recent changes in web.config to accommodate SameSite requirements.

<sessionState cookieless="false" cookieSameSite="None" />
<httpCookies httpOnlyCookies="true" sameSite="None" requireSSL="true" />

WHERE IS THE ISSUE?

It is this part of the code that now returns nothing

Request.Cookies("Settings")

Answer 1:


SOLUTION

This issue was caused by not explicitly setting the SameSiteMode in code behind when creating a new cookie.

If Response.Cookies("Settings") IsNot Nothing Then
  Dim cookie As HttpCookie = Request.Cookies("Settings")
  cookie("Setting01") = ddl.SelectedValue
  cookie.Expires = Date.Now.AddDays(365)

  cookie.SameSite = SameSiteMode.Lax

  Response.Cookies.Add(cookie)
End If

Additionally, setting SameSiteMode.None will not work. Presumably to enforce that this cookie originated from the same site.


BUT WHY?

I still don't fully understand why this is the case because if you set in web.config

<httpCookies httpOnlyCookies="true" sameSite="Lax" requireSSL="true" />

Then your newly created cookies are flagged as Lax in Chrome and changing this setting is reflected like below:

However, if you now try to read that cookie from code behind, its value will be erased. This is not the case if you exclusively set it in code behind.

I am not sure what makes the cookie different, and it is more likely an issue with the way .NET is handling this.


Any additional intel on this answer would be intriguing.
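
One way to write the update so that every attribute is stated on the outgoing cookie, given here as an added example that is not part of the original answer or of ASP.NET itself. The module name SettingsCookie and the method SaveSetting are hypothetical; it assumes .NET Framework 4.7.2 or later (where HttpCookie.SameSite exists) and an HTTPS site, matching requireSSL="true" above.

```vb
Imports System
Imports System.Web

' Added example: SettingsCookie and SaveSetting are hypothetical names.
Public Module SettingsCookie

    Private Const CookieName As String = "Settings"

    ' Builds a fresh response cookie that carries the existing sub-values plus
    ' the updated one, with Expires, HttpOnly, Secure and SameSite set in code.
    Public Sub SaveSetting(context As HttpContext, key As String, value As String)
        ' Request.Cookies returns Nothing when the browser did not send the cookie.
        Dim incoming As HttpCookie = context.Request.Cookies(CookieName)

        Dim outgoing As New HttpCookie(CookieName)
        If incoming IsNot Nothing Then
            ' The Cookie request header only carries name=value pairs, so the
            ' attributes of the stored cookie are not available on the request
            ' object. Copy the values only and set the attributes again below.
            outgoing.Values.Add(incoming.Values)
        End If
        outgoing.Values(key) = value

        outgoing.Expires = DateTime.Now.AddDays(365)
        outgoing.HttpOnly = True
        outgoing.Secure = True
        outgoing.SameSite = SameSiteMode.Lax

        ' Set replaces any cookie of the same name already queued on the response.
        context.Response.Cookies.Set(outgoing)
    End Sub

End Module

' Call from code behind, using the names from the question:
'   SettingsCookie.SaveSetting(Context, "Setting01", ddl.SelectedValue)
```

The resulting Set-Cookie header can be checked in Chrome DevTools under Application > Cookies, where the SameSite, Secure and HttpOnly columns should show the values set here.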




Answer 2:


As of Aug. 11, 2020, Chromium is now targeting 100% of users with SameSite cookie changes. (source: https://www.chromium.org/updates/same-site)

SameSite cookies FAQ: https://www.chromium.org/updates/same-site/faq



Source: https://stackoverflow.com/questions/63395986/asp-net-request-cookies-no-longer-working-in-chrome-v80
