Ramifications of setting httpCookies sameSite in web.config

Author: ComponentSpace Development (Administrators, 4.4K reputation)
Posts: 3.2K, Visits: 11K
The Microsoft article Work with SameSite cookies in ASP.NET describes the SameSite cookie support added to ASP.NET 4.7.2 and 4.8.

By default, no SameSite mode is specified and the Secure flag is false.

This can be overridden using the <httpCookies> setting in the <system.web> section of web.config.

For example, the following configuration defaults all cookies to SameSite=Lax and Secure.


<httpCookies sameSite="Lax" requireSSL="true" />

The SAML_SessionID cookie must include SameSite=None and Secure.

ASP.NET 4.8
If targeting ASP.NET 4.8, there are no issues associated with the SAML_SessionID cookie and the <httpCookies> setting.

Regardless of the <httpCookies> setting, the SAML_SessionID cookie will include SameSite=None and Secure.

Prior to ASP.NET 4.8
If the <httpCookies> setting isn't specified, there are no issues associated with the SAML_SessionID cookie. It will include SameSite=None and Secure.

If <httpCookies sameSite="None"> is specified, there are no issues associated with the SAML_SessionID cookie.

However, if <httpCookies sameSite="Lax"> or <httpCookies sameSite="Strict"> is specified, the following must be added to web.config to ensure the default cookie settings are not used for the SAML_SessionId cookie.

<system.webServer>
  <rewrite>
    <outboundRules>
      <rule name="Set SAML session cookie flags">
        <!-- Match the name=value part of the SAML_SessionId Set-Cookie header -->
        <match serverVariable="RESPONSE_Set_Cookie" pattern="SAML_SessionId=[^;\s]*" />
        <!-- {R:0} is the matched name=value; the explicit attributes replace the httpCookies defaults -->
        <action type="Rewrite" value="{R:0}; Path=/; Secure; HttpOnly; SameSite=None" />
      </rule>
    </outboundRules>
  </rewrite>
</system.webServer>

Regards
ComponentSpace Development
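As an added example (not part of the original post and not ComponentSpace code), the following Python models what the outbound rule above does to a response's Set-Cookie headers and then checks that the SAML_SessionId cookie carries Secure and SameSite=None. It assumes the rewrite replaces the whole header value when the pattern matches, with {R:0} expanded to the matched name=value, and the sample headers are constructed to show the pre-4.8 case where `<httpCookies sameSite="Lax" />` has been applied to every cookie.

```python
import re
from typing import Dict, List, Optional

# Pattern and action copied from the post's outbound rule.
SAML_COOKIE_PATTERN = re.compile(r"SAML_SessionId=[^;\s]*")
REWRITE_VALUE = "{R:0}; Path=/; Secure; HttpOnly; SameSite=None"

# Constructed sample: Set-Cookie headers a pre-4.8 site emits when web.config
# sets <httpCookies sameSite="Lax" requireSSL="true" /> and the rule is absent.
SAMPLE_HEADERS = [
    "ASP.NET_SessionId=abc123; path=/; secure; HttpOnly; SameSite=Lax",
    "SAML_SessionId=d0e1f2a3; path=/; secure; HttpOnly; SameSite=Lax",
]


def parse_set_cookie(header: str) -> Dict[str, Optional[str]]:
    """Split one Set-Cookie value into name, value and lower-cased attributes;
    flag attributes (Secure, HttpOnly) are stored with value None."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie: Dict[str, Optional[str]] = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip() if val else None
    return cookie


def rewrite_set_cookie(header: str) -> str:
    """Model of the rule (assumption): when the pattern matches, the whole header
    value is replaced by REWRITE_VALUE with {R:0} expanded to the matched text."""
    match = SAML_COOKIE_PATTERN.search(header)
    if match is None:
        return header
    return REWRITE_VALUE.replace("{R:0}", match.group(0))


def check_saml_cookie(headers: List[str]) -> List[str]:
    """Return problems with the SAML_SessionId cookie; empty means it has both
    Secure and SameSite=None, which the post says this cookie must carry."""
    problems = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] != "SAML_SessionId":
            continue
        if "secure" not in cookie:
            problems.append("Secure flag missing")
        samesite = cookie.get("samesite")
        if (samesite or "").lower() != "none":
            problems.append(f"SameSite={samesite or 'absent'}, expected None")
    return problems
```

Running `check_saml_cookie` on the raw headers reports the Lax default on the SAML cookie; running it on `[rewrite_set_cookie(h) for h in SAMPLE_HEADERS]` reports nothing, while the other cookie is left untouched.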