Tags: asp.net-mvc, google-chrome, cookies, samesite

SameSite cookie property lost


[Updated - see comment at end]

Google will be changing the behaviour of its Chrome browser so that cookies will no longer work when hosted in another domain's IFRAME unless the cookies are explicitly set to SameSite = None, and Secure.

To this end, we made this change in our ASP.NET MVC code. We have some logic around when to set this (only for partners that we've agreed to work with), so we have this conditional logic:

// cookie is the System.Web.HttpCookie about to be appended to the response;
// HttpCookie.SameSite / SameSiteMode.None are only available on .NET Framework 4.7.2 and later
if (isSameSiteCookieEnforced)
{
    cookie.SameSite = SameSiteMode.None;
    cookie.Secure = true;
}

We tested this in our DEV, QA, STAGE environments and it works perfectly. In Chrome's developer tools (Application > Cookies), you can inspect the cookies and see that they are all marked as Secure, and have None in the SameSite column.

However, when we rolled this to our PROD environment, we get different results using the same browser: the cookies are marked as Secure, but the SameSite value is empty.

What we checked:

  • Load Balancer: we isolated this and navigated direct to a single web server, same result
  • Installed .NET frameworks: in all environments, we've installed 4.7.2 and 4.8
  • Addressed .NET framework: in all environments, the web.config stipulates 4.7.2
  • Code: we retrieved the relevant DLL from PROD and inspected with ILSPY. It contains the above code

Currently at a bit of a loss to explain how the cookies could lose the "SameSite" property. Navigating to chrome://flags and filtering on SameSite we're showing the three settings to be "default", so Chrome shouldn't be affecting anything differently from one environment to another.

Update

Our ASP.NET MVC application uses an IHttpModule and as one of the last steps in the EndRequest method we trace out the cookies. You can clearly see that they are set with SameSite=None and Secure=true. But, when they arrive at the browser, the SameSite property has been stripped.


Solution

  • Found the issue - turned out that we were missing a Windows patch.
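When server-side tracing shows SameSite=None but the browser does not, the deciding evidence is the raw Set-Cookie header on the wire. The following checker is an added example, not code from the post; it parses Set-Cookie values and reports anything that would make Chrome drop the cookie in a cross-site iframe. The sample headers are constructed to mirror the DEV and PROD observations above.

```python
def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header value into name, value and an attribute map.

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to "".
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def check_cross_site_cookie(header: str) -> list:
    """Return the problems that stop this cookie working inside another site's iframe.

    Chrome treats a missing SameSite as Lax, and rejects SameSite=None without Secure.
    """
    attrs = parse_set_cookie(header)["attrs"]
    problems = []
    samesite = attrs.get("samesite")
    if samesite is None:
        problems.append("SameSite attribute missing (treated as Lax; blocked in cross-site iframe)")
    elif samesite.lower() != "none":
        problems.append(f"SameSite={samesite} blocks cross-site use")
    if "secure" not in attrs:
        problems.append("Secure flag missing (SameSite=None requires Secure)")
    return problems


# Constructed sample headers: what the post describes seeing in DEV/QA versus PROD.
SAMPLE_HEADERS = {
    "dev": "partnerSession=abc123; path=/; secure; SameSite=None; HttpOnly",
    "prod": "partnerSession=abc123; path=/; secure; HttpOnly",
}


def audit(headers: dict) -> dict:
    """Run the check over a mapping of environment name -> Set-Cookie header value."""
    return {env: check_cross_site_cookie(h) for env, h in headers.items()}


if __name__ == "__main__":
    for env, problems in audit(SAMPLE_HEADERS).items():
        print(env, "OK" if not problems else problems)
```

Feed it the Set-Cookie lines captured with curl -I or the browser's Network tab against each environment; a server that traces SameSite=None but emits the "prod" shape is stripping the attribute somewhere between the module and the wire.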