Recently SameSite=Lax is being added automatically to my session cookie!
This attribute is added just to the SessionID:
"Set-Cookie ASP.NET_SessionId=zana3mklplqwewhwvika2125; path=/; HttpOnly; **SameSite=Lax**"
My website is hosted on IIS 8.5, Windows 2012 R2, and doesn't have a WAF or UrlRewrite, and I turned off the antivirus (kasper).
But I still have the same problem on some customer servers.
Any ideas?
EDITED: I found this: https://support.microsoft.com/en-us/help/4524419/kb4524419
ASP.NET will now emit a SameSite cookie header when HttpCookie.SameSite value is 'None' to accommodate upcoming changes to SameSite cookie handling in Chrome. As part of this change, FormsAuth and SessionState cookies will also be issued with SameSite = 'Lax' instead of the previous default of 'None', though these values can be overridden in web.config.
How can I override SameSite cookies for SessionState in web.config?
I added this line, but it does not work on the SessionID cookie!
<httpCookies sameSite="Unspecified" />
EDITED: I found this: https://docs.microsoft.com/en-us/dotnet/api/system.web.configuration.sessionstatesection.cookiesamesite?view=netframework-4.8#System_Web_Configuration_SessionStateSection_CookieSameSite
Set SameSite for the state server with the "cookieSameSite" attribute of the sessionState tag.
Add these options to web.config for sameSite=None, Lax or Strict:
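<system.web>
  <!-- Default SameSite for cookies created through HttpCookie -->
  <httpCookies sameSite="None"/>
  <!-- SameSite for the ASP.NET_SessionId cookie -->
  <sessionState cookieSameSite="None" />
  <authentication mode="Forms">
    <!-- SameSite for the forms authentication cookie -->
    <forms cookieSameSite="None" />
  </authentication>
</system.web>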
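To confirm which SameSite value the server actually emits after a web.config change, the Set-Cookie headers of a response can be audited. The following is an added example, not part of the original post: the function names are hypothetical, and the two .ASPXAUTH header values are constructed samples (the session cookie header is the one quoted in the question).

```python
# Added example: audit Set-Cookie header values for the SameSite attribute.
# Function names are hypothetical; .ASPXAUTH samples below are constructed.

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attribute dict)."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flags such as HttpOnly map to ""
    return name.strip(), value, attrs

def audit_cookie(header):
    """Report the emitted SameSite value and any attribute problems."""
    name, _, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite")
    findings = []
    if samesite is None:
        findings.append("no SameSite attribute: Chrome 80+ treats it as Lax")
    elif samesite.lower() not in ("none", "lax", "strict"):
        findings.append("unrecognised SameSite value %r" % samesite)
    elif samesite.lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure: Chrome 80+ rejects it")
    if "httponly" not in attrs:
        findings.append("HttpOnly missing")
    return {"name": name, "samesite": samesite, "findings": findings}

SAMPLE_HEADERS = [
    # Header quoted in the question
    "ASP.NET_SessionId=zana3mklplqwewhwvika2125; path=/; HttpOnly; SameSite=Lax",
    # Constructed: cookieSameSite="None" set, but the cookie is not marked Secure
    "Set-Cookie: .ASPXAUTH=CONSTRUCTED; path=/; HttpOnly; SameSite=None",
    # Constructed: SameSite=None together with Secure
    "Set-Cookie: .ASPXAUTH=CONSTRUCTED; path=/; secure; HttpOnly; SameSite=None",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        result = audit_cookie(h)
        print(result["name"], result["samesite"], result["findings"] or "ok")
```
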