Forums, Documentation & Knowledge Base - ComponentSpace

Application Cookie SameSite None


https://componentspace.com/forums/Topic10816.aspx

By ComponentSpace - 3/30/2020

Browser SameSite Cookie Change
Chrome and other browsers have introduced a change so that a cookie's SameSite mode defaults to Lax.

A separate article explains the ramifications of this change in terms of SAML SSO session state.

SAML Cookie SameSite Mode None

However, the change also may impact the ASP.NET session cookie or custom application cookies.

For example, if acting as the service provider, the SAML response arrives at the assertion consumer service endpoint as a cross-site POST from the identity provider. With the Lax default, the browser won't send the ASP.NET session cookie on that request, so the application doesn't have access to its session state.

To ensure a cookie is sent by the browser during SSO, SameSite=None and the Secure flag must be specified for the cookie.

Configuring SameSite None for the ASP.NET Session Cookie

To specify SameSite=None and the Secure flag for the ASP.NET session cookie:

1. Update the web server to the latest ASP.NET release (i.e. ASP.NET v4.8 or later) to pick up the runtime support for SameSite.

Note that the application may continue to target an earlier version of the .NET framework. For example, your application's project may continue to target .NET framework v4.0 but you need to update the web server to ASP.NET v4.8.

2. Ensure the web server is up to date and the KB article 4531182 and KB article 4524421 updates have been applied. This is also available through KB article 4535104.

Without the updates, the None value does not emit the SameSite attribute on the Set-Cookie header.

For more information, refer to:

https://docs.microsoft.com/en-us/dotnet/api/system.web.configuration.sessionstatesection?view=netframework-4.8

https://docs.microsoft.com/en-us/dotnet/api/system.web.samesitemode?view=netframework-4.8

3. Update the <system.web> section in the application's web.config to specify the following.

<sessionState cookieSameSite="None" />
<httpCookies requireSSL="true"/>


4. Confirm that SameSite is working as described in the section below.

Without these changes, the SameSite parameter is missing or set to either Lax or Strict.

set-cookie: ASP.NET_SessionId=dwhtw4ajbxblp5pw5arwf0ww; path=/; HttpOnly

After these changes, the SameSite parameter is included.

set-cookie: ASP.NET_SessionId=2s2wesefh0cohv0ugctun4hl; path=/; secure; HttpOnly; SameSite=None


Note though that if the ASP.NET update hasn't been installed on the web server, the unrecognized cookieSameSite attribute on the sessionState element will result in an "Unrecognized attribute" configuration error at runtime.
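The following is an added example, not code from the article or from ComponentSpace, for the confirmation in step 4: it parses a Set-Cookie header value and reports whether SameSite=None and Secure are both present, using the two header lines quoted above as sample input. The class and method names are assumptions.

```csharp
using System;
using System.Linq;

// Added example: checks a Set-Cookie header value for the attributes a cross-site
// SSO POST needs. Not part of the article or the ComponentSpace product.
public static class SetCookieInspector
{
    // Returns a short verdict for one Set-Cookie header value.
    public static string Inspect(string setCookieValue)
    {
        // Everything after the first ';' is an attribute; names are case-insensitive
        // and "secure"/"HttpOnly" carry no value.
        var attrs = setCookieValue.Split(';').Skip(1).Select(a => a.Trim()).ToList();

        bool secure = attrs.Any(a => a.Equals("Secure", StringComparison.OrdinalIgnoreCase));
        string sameSite = attrs
            .Where(a => a.StartsWith("SameSite=", StringComparison.OrdinalIgnoreCase))
            .Select(a => a.Substring("SameSite=".Length).Trim())
            .FirstOrDefault();

        if (sameSite == null)
            return "SameSite attribute missing (recent browsers default to Lax)";
        if (!sameSite.Equals("None", StringComparison.OrdinalIgnoreCase))
            return "SameSite=" + sameSite + " (cookie will not be sent on the cross-site POST)";
        if (!secure)
            return "SameSite=None without Secure (browsers reject the cookie)";
        return "OK: SameSite=None; Secure";
    }

    public static void Main()
    {
        // Sample input: the before/after headers quoted in the article.
        Console.WriteLine(Inspect("ASP.NET_SessionId=dwhtw4ajbxblp5pw5arwf0ww; path=/; HttpOnly"));
        Console.WriteLine(Inspect("ASP.NET_SessionId=2s2wesefh0cohv0ugctun4hl; path=/; secure; HttpOnly; SameSite=None"));
    }
}
```

The first header yields the "SameSite attribute missing" verdict and the second yields "OK", which is the distinction to look for in the browser developer tools or a proxy capture after making the web.config change.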

Older Browser Support
Some older browsers are incompatible with the SameSite mode of None.

In particular, older releases of Safari, prior to OSX Catalina or iOS 13, will fail if presented with a SameSite mode of None.

It's recommended that users upgrade to the latest OSX or iOS release.

If this isn't possible, refer to the HTTP Module below.

There are no known compatibility issues with recent versions of Chrome, Firefox or Edge.

https://www.chromium.org/updates/same-site/incompatible-clients

HTTP Module
The <sessionState cookieSameSite="None" /> and <httpCookies requireSSL="true"/> settings in web.config set the SameSite=None and Secure cookie attributes of the ASP.NET session cookie but don't take into account incompatible browsers.

The SameSiteNone HTTP Module is an alternative approach that sets the SameSite=None and Secure cookie attributes if the browser is compatible and clears the SameSite attribute if the browser is incompatible.

It requires .NET framework v4.8 or later to be installed on the web server.

The web application does not have to target .NET framework v4.8 or later.

The HTTP module, including full source code, is available for download at:

SameSite None HTTP Module

The following steps should be taken:

1. Copy the HTTP Module DLL to the application's bin folder.

2. To enable the HTTP module, update the application's web.config as follows.

<system.webServer>
  <modules>
    <add name="SameSiteNoneHttpModule" type="ComponentSpace.SameSiteNoneHttpModule"/>
  </modules>
</system.webServer>


By default the HTTP module monitors the ASP.NET_SessionId cookie and updates it, if required.

The SameSiteNoneCookies app setting in the application's web.config may specify a comma-separated list of cookies to monitor.

<appSettings>
  <add key="SameSiteNoneCookies" value="ASP.NET_SessionId, some-other-cookie"/>
</appSettings>

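The following is an added example, not the ComponentSpace module's source, of how an IHttpModule with the behaviour described in this section can be written: it reads the SameSiteNoneCookies app setting (defaulting to ASP.NET_SessionId), and in PreSendRequestHeaders sets SameSite=None and Secure on the monitored cookies for compatible browsers or clears the SameSite attribute for incompatible ones. The class name and the user-agent heuristic are assumptions; the heuristic only covers the Safari releases the article names (macOS prior to Catalina, iOS prior to 13) and is deliberately narrower than the Chromium incompatible-clients list. Setting HttpCookie.SameSite to (SameSiteMode)(-1) is the documented way to omit the attribute on .NET Framework 4.7.2/4.8.

```csharp
using System;
using System.Configuration;
using System.Linq;
using System.Text.RegularExpressions;
using System.Web;

// Added example module; not the ComponentSpace SameSiteNoneHttpModule.
// Requires the .NET Framework 4.8 runtime plus the SameSite updates on the server
// so that SameSiteMode.None is actually emitted as "SameSite=None".
public class SameSiteNoneExampleModule : IHttpModule
{
    private static readonly string[] DefaultCookies = { "ASP.NET_SessionId" };

    public void Init(HttpApplication app)
    {
        // Cookies are final by the time headers are about to be sent.
        app.PreSendRequestHeaders += OnPreSendRequestHeaders;
    }

    public void Dispose() { }

    private static void OnPreSendRequestHeaders(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (ctx == null || ctx.Response == null) return;

        string[] monitored = MonitoredCookieNames(ConfigurationManager.AppSettings["SameSiteNoneCookies"]);
        bool supportsNone = SupportsSameSiteNone(ctx.Request.UserAgent);

        foreach (string name in ctx.Response.Cookies.AllKeys)
        {
            if (!monitored.Contains(name, StringComparer.OrdinalIgnoreCase)) continue;
            ApplySameSitePolicy(ctx.Response.Cookies[name], supportsNone);
        }
    }

    // Parses the comma-separated app setting; falls back to the session cookie.
    public static string[] MonitoredCookieNames(string setting)
    {
        if (string.IsNullOrWhiteSpace(setting)) return DefaultCookies;
        return setting.Split(',').Select(s => s.Trim()).Where(s => s.Length > 0).ToArray();
    }

    // Compatible browser: SameSite=None plus Secure. Incompatible: omit SameSite so the
    // old browser falls back to its own default instead of treating None as Strict.
    public static void ApplySameSitePolicy(HttpCookie cookie, bool browserSupportsNone)
    {
        if (browserSupportsNone)
        {
            cookie.SameSite = SameSiteMode.None;
            cookie.Secure = true;
        }
        else
        {
            cookie.SameSite = (SameSiteMode)(-1); // "unspecified": attribute not emitted
        }
    }

    // Assumed heuristic: only the Safari releases named in the article are treated as
    // incompatible. Anything else (including an absent user agent) is treated as compatible.
    public static bool SupportsSameSiteNone(string userAgent)
    {
        if (string.IsNullOrEmpty(userAgent)) return true;

        // iOS 12.x Safari / WebKit views: "CPU iPhone OS 12_x" or "CPU OS 12_x".
        if (Regex.IsMatch(userAgent, @"\(iP.+; CPU .*OS 12[_\d]*.*\) AppleWebKit\/"))
            return false;

        // Safari on macOS 10.14 (Mojave): "Mac OS X 10_14" with "Version/" and "Safari/",
        // but not Chrome or Chromium, which also report Mac OS X and Safari/.
        if (Regex.IsMatch(userAgent, @"\(Macintosh;.*Mac OS X 10_14[_\d]*.*\) AppleWebKit\/.*Version\/.*Safari\/")
            && !userAgent.Contains("Chrome/") && !userAgent.Contains("Chromium/"))
            return false;

        return true;
    }
}
```

Register it in web.config exactly as the <modules> element above does, with the type name changed to this class. Because the decision is made per request from the User-Agent header, a user on an incompatible browser gets a session cookie without SameSite, which those browsers treat as they did before the change, while everyone else gets SameSite=None; Secure.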

Recommendations
1. Confirm whether there is an issue with the ASP.NET session cookie not being sent by the browser and only apply the updates if required.

2. Make the web.config changes described above to enable the ASP.NET support.

3. If incompatible browsers are to be supported, include the HTTP module as described above.

4. Retest to ensure the application works as intended.