how SameSite attribute added to my Asp.net_SessionID cookie automatically?

Sadegh picture Sadegh · Nov 30, 2019 · Viewed 43k times · Source

Recently samesite=lax add automatically to my session cookie! this attribute just add to sessionID: "Set-Cookie ASP.NET_SessionId=zana3mklplqwewhwvika2125; path=/; HttpOnly; **SameSite=Lax**"

My website hosted on IIS 8.5, Windows 2012 R2, and dont have WAF or UrlRewrite and I turn off AntiVirus (kasper).

but yet have same problem on some customer servers.

any idea?

EDITED: I Find this: https://support.microsoft.com/en-us/help/4524419/kb4524419

ASP.NET will now emit a SameSite cookie header when HttpCookie.SameSite value is 'None' to accommodate upcoming changes to SameSite cookie handling in Chrome. As part of this change, FormsAuth and SessionState cookies will also be issued with SameSite = 'Lax' instead of the previous default of 'None', though these values can be overridden in web.config.

How can i overridde samesite cookies for SessionState in web.config? i add this line, but it not work on SessionID cookie! <httpCookies sameSite="Unspecified" />

EDITED: I find this: https://docs.microsoft.com/en-us/dotnet/api/system.web.configuration.sessionstatesection.cookiesamesite?view=netframework-4.8#System_Web_Configuration_SessionStateSection_CookieSameSite

Set samesite for stateserver by "cookieSameSite" attribute of SessionState tag.

Answer

H. J. van der Wijk picture H. J. van der Wijk · Dec 20, 2019

Add these options to web.config for sameSite=None , Lax or Strict

<system.web>
    <httpCookies sameSite="None"/>
    <sessionState cookieSameSite="None" />
    <authentication mode="Forms">
        <forms cookieSameSite="None" />
    </authentication>