I have .NET MVC application loaded in iframe in Microsoft Dynamics page. Initially the user will open the home page. The home controller redirects to the login page:
return RedirectToAction("Index", "Login", new { returnUrl = redirectURL, error = errorMessage });
This was OK before this update KB4533002 Cumulative Update for .NET adding SameSite=Lax when SameSite is None or not specified. Then I added outbound rules in the web config to send SameSite=None; Secure.
<rewrite>
<outboundRules>
<clear />
<rule name="Add SameSite" preCondition="No SameSite">
<match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
<action type="Rewrite" value="{R:0}; SameSite=None" />
</rule>
<rule name="Add Secure" preCondition="No Secure">
<match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
<action type="Rewrite" value="{R:0}; Secure" />
</rule>
<preConditions>
<preCondition name="No SameSite">
<add input="{RESPONSE_Set_Cookie}" pattern="." />
<add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=None" negate="true" />
</preCondition>
<preCondition name="No Secure">
<add input="{RESPONSE_Set_Cookie}" pattern="." />
<add input="{RESPONSE_Set_Cookie}" pattern="; Secure" negate="true" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>
This works in Chrome, Firefox and the latest Edge.
But Internet Explorer and Edge (not Chromium) are adding additional SameSite:
HttpOnly: true
path:/
SameSite: Lax
SameSite: None
Secure: true
Screenshot from Edge Developer Tools
Anyone with idea how to prevent this?
Thank you Yu Zhou. This was helpful, but instead of Unspecified I set it to None.
<sessionState mode="SQLServer" sqlConnectionString="***" ... cookieless="UseCookies" cookieSameSite="None" />
This with the outbound rules (SameSite=None; Secure) worked for me.