Forums, Documentation & Knowledge Base - ComponentSpace

Ramifications of setting httpCookies sameSite in web.config


https://www.componentspace.com/Forums/Topic10843.aspx

By ComponentSpace - 4/27/2020

The Microsoft article Work with SameSite cookies in ASP.NET describes the SameSite cookie support added to ASP.NET 4.7.2 and 4.8.

By default, no SameSite mode is specified and the Secure flag is false.

This can be overridden using the <httpCookies> setting in the <system.web> section of web.config.

For example, the following configuration defaults all cookie to SameSite=Lax and Secure.


<httpCookies sameSite="Lax" requireSSL="true" />



The SAML_SessionID cookie must include SameSite=None and Secure.

ASP.NET 4.8
If targeting ASP.NET 4.8, there are no issues associated with the SAML_SessionID cookie and the <httpCookies> setting.

Regardless of the <httpCookies> setting, the SAML_SessionID cookie will include SameSite=None and Secure.

Prior to ASP.NET 4.8
If the <httpCookies> setting isn't specified, there are no issues associated with the SAML_SessionID cookie. It will include SameSite=None and Secure.

If <httpCookies sameSite="None"> is specified, there are no issues associated with the SAML_SessionID cookie.

However, if <httpCookies sameSite="Lax"> or <httpCookies sameSite="Strict"> is specified, the following must be added to web.config to ensure the default cookie settings are not used for the SAML_SessionId cookie.


<system.webServer>
  <rewrite>
    <outboundRules>
      <rule name="Set SAML session cookie flags">
        <match serverVariable="RESPONSE_Set_Cookie" pattern="SAML_SessionId=[^;\s]*" />
        <action type="Rewrite" value="{R:0}; Path=/; Secure; HttpOnly; SameSite=None" />
      </rule>
    </outboundRules>
  </rewrite>
</system.webServer>