Question
In what is undoubtedly related to Chrome's SameSite cookie policies released recently, I am now having issues updating cookies in ASP.NET.
I have a simple cookie collection to store basic user settings. The cookie is both generated and updated using the code below.
SET COOKIE
If Response.Cookies("Settings") IsNot Nothing Then
    Dim cookie As HttpCookie = Request.Cookies("Settings")
    cookie("Setting01") = ddl.SelectedValue
    cookie.Expires = Date.Now.AddDays(365)
    Response.Cookies.Add(cookie)
End If
When the cookie is first created it appears correctly as below.
When the setting is updated and the code above is called a second time, the value is removed.
This only occurs in Chrome and only since I updated to Chrome V84.
I have made the following recent changes in web.config to accommodate SameSite requirements.
<sessionState cookieless="false" cookieSameSite="None" />
<httpCookies httpOnlyCookies="true" sameSite="None" requireSSL="true" />
WHERE IS THE ISSUE?
It is this part of the code that now returns nothing
Request.Cookies("Settings")
Answer 1:
SOLUTION
This issue was caused by not explicitly setting the SameSiteMode in code behind when creating a new cookie.
If Response.Cookies("Settings") IsNot Nothing Then
    Dim cookie As HttpCookie = Request.Cookies("Settings")
    cookie("Setting01") = ddl.SelectedValue
    cookie.Expires = Date.Now.AddDays(365)
    cookie.SameSite = SameSiteMode.Lax
    Response.Cookies.Add(cookie)
End If
Additionally, setting SameSiteMode.None will not work, presumably to enforce that this cookie originated from the same site.
BUT WHY?
I still don't fully understand why this is the case because if you set in web.config
<httpCookies httpOnlyCookies="true" sameSite="Lax" requireSSL="true" />
Then your newly created cookies are flagged as Lax in Chrome, and changing this setting is reflected like below:
However, if you now try to read that cookie from code behind, its value will be erased. This is not the case if you exclusively set it in code behind.
I am not sure what makes the cookie different; it is more likely an issue with the way .NET is handling this.
Any additional intel on this answer would be intriguing.
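An added example, not part of the original answer: one way to write the same update so that a missing request cookie is handled and every attribute is set explicitly on each write. The names SettingsCookie and SaveSetting are hypothetical, and the code assumes .NET Framework 4.7.2 or later, where HttpCookie.SameSite is available.

```vb
Imports System
Imports System.Web

Public Module SettingsCookie
    ' Hypothetical helper, not part of the original answer.
    ' Assumes .NET Framework 4.7.2 or later, where HttpCookie.SameSite exists.
    Public Sub SaveSetting(context As HttpContext, settingName As String, settingValue As String)
        ' Read the request first. This is Nothing when the browser did not
        ' send the cookie (first visit, expired, or dropped by the browser).
        Dim incoming As HttpCookie = context.Request.Cookies("Settings")

        ' Build a new cookie for the response instead of re-adding the request object.
        Dim outgoing As New HttpCookie("Settings")

        ' Carry over the sub-keys that were already stored.
        If incoming IsNot Nothing Then
            For Each subKey As String In incoming.Values.AllKeys
                If subKey IsNot Nothing Then
                    outgoing.Values(subKey) = incoming.Values(subKey)
                End If
            Next
        End If
        outgoing.Values(settingName) = settingValue

        ' The Cookie request header carries only name=value pairs, so every
        ' attribute has to be stated again each time the cookie is written.
        outgoing.Expires = DateTime.Now.AddDays(365)
        outgoing.HttpOnly = True                 ' matches httpOnlyCookies="true"
        outgoing.Secure = True                   ' matches requireSSL="true"
        outgoing.SameSite = SameSiteMode.Lax     ' the mode the answer settled on

        ' Set replaces any cookie of the same name already queued on the response.
        context.Response.Cookies.Set(outgoing)
    End Sub
End Module
```

From a page's code behind this would be called as SettingsCookie.SaveSetting(Context, "Setting01", ddl.SelectedValue).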
Answer 2:
As of Aug. 11, 2020, Chromium is now targeting 100% of users with SameSite cookie changes. (source: https://www.chromium.org/updates/same-site)
SameSite cookies FAQ: https://www.chromium.org/updates/same-site/faq
Source: https://stackoverflow.com/questions/63395986/asp-net-request-cookies-no-longer-working-in-chrome-v80