
Samesite cookie flag and ASP 2.1


I'm trying to upgrade my ASP .Net Core 2.1 project so that it will adhere to the new samesite cookie behavior described in https://devblogs.microsoft.com/aspnet/upcoming-samesite-cookie-changes-in-asp-net-and-asp-net-core/

The version of 2.1 I have has the old behavior. I want to bump it to a new version of 2.1 where the following code will actually put "samesite=none" on the wire in the set-cookie header rather than leaving out the samesite text altogether (which is the old behavior).

    // options is of type SessionOptions; this runs inside ConfigureServices
    services.AddSession(options =>
    {
        options.Cookie.SameSite = SameSiteMode.None;
        options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest;
    });

I believe the version I want is v2.1.14 at https://dotnet.microsoft.com/download/dotnet-core/2.1 , but when I go into the NuGet package manager I don't see an option for v2.1.14. I see below. I chose 2.1.6 because I guess the version of the SDK in 2.1.14 is 2.1.607, though I'm not sure if that's the right decision.

[screenshot: versions offered in the NuGet package manager]

But just adding that lib doesn't seem to make any difference on the samesite behavior. It's still left out. I'm pretty sure the spot in my code I mentioned above is the correct area. The SecurePolicy line is working fine: if I remove it/put it back in, I see the "secure" text in the set-cookie come and go in Fiddler traces. It's just the SameSite property that seems to have no effect.

I've bumped the aspnetcore version I grabbed to 2.1.7 and even to 2.2 (though I don't want to go that far yet) but still get the same behavior. It's like it's stuck using an older version of asp .net core.

My project packages look like below. I've only upgraded the Microsoft.AspNetCore one in this screenshot, though in the past I have upgraded a few of the others to no effect. I'm also targeting .NET 4.8.

[screenshot: project package references]

Here's my request/response. Note that I don't get the response as a 400 error if I change Chrome settings to respect the old samesite behavior; I get a 302 Found response instead. I'm expecting to see samesite=none on the response from my app in Set-Cookie.

GET /worksite/authorized?code=e2fqpnolfjtOdEFOWWdDBkDYMKy8wr HTTP/1.1
Host: localhost:44396
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: iframe
Referer: https://localhost:44396/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

-----

HTTP/1.1 400 Bad Request
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Kestrel
Set-Cookie: .AspNetCore.Session=VALIDSESSIONID%; path=/; secure; httponly
Persistent-Auth: true
X-Powered-By: ASP.NET
Date: Wed, 20 Jan 2021 14:19:27 GMT
Content-Length: 0

So my questions are

  1. For the Microsoft.AspNetCore package, what version from Nuget should I be getting?

  2. Do any of those other packages need to be updated to get the samesite behavior I want using:

    // options is of type SessionOptions
    options.Cookie.SameSite = SameSiteMode.None;

  3. Can you think of any reason why I might not be getting samesite=none on the wire?


Solution

  • Since you seem to target .NET Framework in your ASP.NET Core 2.1 application, there's a small but important piece missing: you need to update 2 NuGet packages to these versions or later (source):

    <PackageReference Include="Microsoft.Net.Http.Headers" Version="2.1.14" />
    <PackageReference Include="Microsoft.AspNetCore.CookiePolicy" Version="2.1.14" />
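After updating the packages, the thing to verify is the actual Set-Cookie header on the wire, which is what the question's Fiddler trace shows is wrong. The following script is an added example, not code from the post or from the ASP.NET Core project: it parses a Set-Cookie value and reports how a Chrome 80+ style browser treats the cookie in a cross-site context (the iframe navigation in the captured request). The rules encoded are Chromium's "SameSite=Lax by default" and "SameSite=None requires Secure" behaviors. CAPTURED_HEADER is the header from the post's trace; EXPECTED_HEADER is a constructed header showing the attribute the questioner is waiting to see, and the attribute order in it is an assumption.

```python
"""Classify Set-Cookie headers by their cross-site (SameSite) behavior."""
from typing import Dict, List, Optional, Tuple

# Header taken from the response captured in the post (no samesite attribute).
CAPTURED_HEADER = ".AspNetCore.Session=VALIDSESSIONID%; path=/; secure; httponly"

# Constructed example of what the questioner wants to see after the package
# update; the attribute order is an assumption, not taken from the framework.
EXPECTED_HEADER = ".AspNetCore.Session=VALIDSESSIONID%; path=/; secure; samesite=none; httponly"


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Optional[str]]]:
    """Split a Set-Cookie value into (name, value, attributes).

    Attribute names are stored in lower case (they are case-insensitive per
    RFC 6265); flag attributes such as Secure and HttpOnly map to None.
    If an attribute repeats, the last occurrence wins, matching RFC 6265 5.2.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value.strip(), attrs


def samesite_verdict(header: str) -> str:
    """Return how a Chrome 80+ style browser treats this cookie cross-site.

    - no SameSite attribute: defaulted to Lax, so it is not sent on
      cross-site subrequests or in a cross-site iframe (Chrome keeps a
      temporary exception for top-level POSTs within two minutes of the
      cookie being set; that exception is not modelled here)
    - SameSite=None with Secure: sent cross-site, which is the goal
    - SameSite=None without Secure: the cookie is rejected outright
    - SameSite=Lax or Strict: explicitly restricted
    """
    _, _, attrs = parse_set_cookie(header)
    if "samesite" not in attrs:
        return "missing: defaulted to Lax, not sent in a cross-site iframe"
    value = (attrs.get("samesite") or "").lower()
    if value == "none":
        if "secure" in attrs:
            return "none+secure: sent cross-site"
        return "rejected: SameSite=None without Secure"
    if value in ("lax", "strict"):
        return f"{value}: explicitly restricted by the server"
    return f"unrecognized SameSite value {value!r}"


def audit(headers: List[str]) -> Dict[str, str]:
    """Map each cookie name to its verdict, for a list of Set-Cookie values."""
    return {parse_set_cookie(h)[0]: samesite_verdict(h) for h in headers}


if __name__ == "__main__":
    for name, verdict in audit([CAPTURED_HEADER, EXPECTED_HEADER]).items():
        print(f"{name}: {verdict}")
```

Run it against the Set-Cookie values copied out of a Fiddler trace; the captured header from the post classifies as "missing", which is exactly why the cross-site iframe request arrives without a session cookie, and a header carrying samesite=none together with secure classifies as sent cross-site.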