CBRon
|
|
Group: Forum Members
Posts: 7,
Visits: 41
|
+x+xMy test server is Windows Server 2008 R2. It has the latest .Net Framework installed (4.8). We are using ComponentSpace 2.8.50. I added this line to web.config <sessionState cookieSameSite="None" /> I already had this line <httpCookies httpOnlyCookies="true" requireSSL="true"/> Now I get the error Parser Error Message: Unrecognized attribute 'cookieSameSite'. Note that attribute names are case-sensitive. What is wrong? Our testing was on Windows Server 2012. We haven't tested on 2008 but as far as I can tell as long as you have .NET framework v4.8 installed on the web server it should work. Just to confirm, the <sessionState> element is in your <system.web> section? If you remove the cookieSameSite="None" do you still get a parser error? Yes, the <sessionState> element is present. And I do not get the parser error if I remove the cookieSameSite="None" attribute. One other potential issue - this is a legacy app that is using the .Net framework 2.0 (actually 3.5). Could that be an issue? I also had another idea. What if I add the SameSite attribute to the Response cookie using an URL Rewrite outbound rule? Would that work?
|
|
|
csnyder
|
|
Group: Awaiting Activation
Posts: 3,
Visits: 12
|
I have an ASP.NET application targeting 4.5 using the SAML library v2.x so I followed the process of installing v4.8 Framework and changing the web.config, but so far I'm not seeing SameSite=none in the set cookie:
aspxauth=... path=/; HttpOnly
Is there any trick to upgrading the ASP.NET app pool? From what I'm reading it should take the updated framework. I even verified the registry to make sure the correct .Net framework version is installed.
|
|
|
ComponentSpace
|
|
ComponentSpace Development
Group: Administrators
Posts: 3.2K,
Visits: 11K
|
We could do this with the custom SAML session cookie but I don't think this is possible with the ASP.NET session cookie. The browser sniffing is an interim solution that hopefully won't be needed in the near future. There is the option to customize the implementation of the cookie setting in the latest product releases if you would prefer the approach you suggested.
Regards ComponentSpace Development
|
|
|
ComponentSpace
|
|
ComponentSpace Development
Group: Administrators
Posts: 3.2K,
Visits: 11K
|
+x+x+xMy test server is Windows Server 2008 R2. It has the latest .Net Framework installed (4.8). We are using ComponentSpace 2.8.50. I added this line to web.config <sessionState cookieSameSite="None" /> I already had this line <httpCookies httpOnlyCookies="true" requireSSL="true"/> Now I get the error Parser Error Message: Unrecognized attribute 'cookieSameSite'. Note that attribute names are case-sensitive. What is wrong? Our testing was on Windows Server 2012. We haven't tested on 2008 but as far as I can tell as long as you have .NET framework v4.8 installed on the web server it should work. Just to confirm, the <sessionState> element is in your <system.web> section? If you remove the cookieSameSite="None" do you still get a parser error? Yes, the <sessionState> element is present. And I do not get the parser error if I remove the cookieSameSite="None" attribute. One other potential issue - this is a legacy app that is using the .Net framework 2.0 (actually 3.5). Could that be an issue? I also had another idea. What if I add the SameSite attribute to the Response cookie using an URL Rewrite outbound rule? Would that work? I haven't tried it but it's worth taking a look if you like. As long as you see the Secure and SameSite=None in the set-cookie header, that's all that's required. Just to confirm, you have .NET framework v4.8 installed on the web server?
Regards ComponentSpace Development
|
|
|
ComponentSpace
|
|
ComponentSpace Development
Group: Administrators
Posts: 3.2K,
Visits: 11K
|
+xI have an ASP.NET application targeting 4.5 using the SAML library v2.x so I followed the process of installing v4.8 Framework and changing the web.config, but so far I'm not seeing SameSite=none in the set cookie: aspxauth=... path=/; HttpOnly Is there any trick to upgrading the ASP.NET app pool? From what I'm reading it should take the updated framework. I even verified the registry to make sure the correct .Net framework version is installed. The aspxauth cookie is the authorization cookie rather than the session cookie. You should be looking for a cookie whose name is ASP.NET_SessionId, unless you've changed the default name for this cookie. The following post shows where I changed the cookie name to My.ASP.NET_SessionId just to make this clearer. However, using the default name of ASP.NET_SessionId is perfectly fine. https://www.componentspace.com/Forums/10552/Chrome-SameSite-Cookie-Change
Regards ComponentSpace Development
|
|
|
Karlo Abela
|
|
Group: Forum Members
Posts: 5,
Visits: 26
|
+xI have an ASP.NET application targeting 4.5 using the SAML library v2.x so I followed the process of installing v4.8 Framework and changing the web.config, but so far I'm not seeing SameSite=none in the set cookie: aspxauth=... path=/; HttpOnly Is there any trick to upgrading the ASP.NET app pool? From what I'm reading it should take the updated framework. I even verified the registry to make sure the correct .Net framework version is installed. We also encountering this issue. Our web project is 4.5.1 and were using SAMLv 2.6. We updated the web.config and installed .NET Framework 4.8 runtime in the web server. Were getting this result: refCode=0; path=/; secure; HttpOnly Cheers,
|
|
|
ComponentSpace
|
|
ComponentSpace Development
Group: Administrators
Posts: 3.2K,
Visits: 11K
|
Just to confirm, this is the ASP.NET_SessionId cookie?
Could you include the full set-cookie header?
Regards ComponentSpace Development
|
|
|
CBRon
|
|
Group: Forum Members
Posts: 7,
Visits: 41
|
+x+x+x+xMy test server is Windows Server 2008 R2. It has the latest .Net Framework installed (4.8). We are using ComponentSpace 2.8.50. I added this line to web.config <sessionState cookieSameSite="None" /> I already had this line <httpCookies httpOnlyCookies="true" requireSSL="true"/> Now I get the error Parser Error Message: Unrecognized attribute 'cookieSameSite'. Note that attribute names are case-sensitive. What is wrong? Our testing was on Windows Server 2012. We haven't tested on 2008 but as far as I can tell as long as you have .NET framework v4.8 installed on the web server it should work. Just to confirm, the <sessionState> element is in your <system.web> section? If you remove the cookieSameSite="None" do you still get a parser error? Yes, the <sessionState> element is present. And I do not get the parser error if I remove the cookieSameSite="None" attribute. One other potential issue - this is a legacy app that is using the .Net framework 2.0 (actually 3.5). Could that be an issue? I also had another idea. What if I add the SameSite attribute to the Response cookie using an URL Rewrite outbound rule? Would that work? I haven't tried it but it's worth taking a look if you like. As long as you see the Secure and SameSite=None in the set-cookie header, that's all that's required. Just to confirm, you have .NET framework v4.8 installed on the web server? Yes, I have .NET Framework 4.8 installed on the server.
|
|
|
csnyder
|
|
Group: Awaiting Activation
Posts: 3,
Visits: 12
|
+xJust to confirm, this is the ASP.NET_SessionId cookie? Could you include the full set-cookie header? The set cookie header on our server is returning: Server: Microsoft-IIS/8.5 Set-Cookie: .ASPXAUTH=130960F2BE1F38E1E090B5E8BBC91A7EA504A591A8386023108C02D7D51508376319FB993A3C0B4F9495E75E2A7BDE312747813D5519E3BA71D6677751E6A015692442F5DC7EA22513556232EB4F380FA9C3F6036E6B3A36F64DF7D9C325E99D20ADC37630E284A68840F4ED6774; path=/; HttpOnly - X-AspNet-Version: 4.0.30319
- X-AspNetMvc-Version: 5.2
- X-Powered-By: ASP.NET
|
|
|
ComponentSpace
|
|
ComponentSpace Development
Group: Administrators
Posts: 3.2K,
Visits: 11K
|
+x+x+x+x+xMy test server is Windows Server 2008 R2. It has the latest .Net Framework installed (4.8). We are using ComponentSpace 2.8.50. I added this line to web.config <sessionState cookieSameSite="None" /> I already had this line <httpCookies httpOnlyCookies="true" requireSSL="true"/> Now I get the error Parser Error Message: Unrecognized attribute 'cookieSameSite'. Note that attribute names are case-sensitive. What is wrong? Our testing was on Windows Server 2012. We haven't tested on 2008 but as far as I can tell as long as you have .NET framework v4.8 installed on the web server it should work. Just to confirm, the <sessionState> element is in your <system.web> section? If you remove the cookieSameSite="None" do you still get a parser error? Yes, the <sessionState> element is present. And I do not get the parser error if I remove the cookieSameSite="None" attribute. One other potential issue - this is a legacy app that is using the .Net framework 2.0 (actually 3.5). Could that be an issue? I also had another idea. What if I add the SameSite attribute to the Response cookie using an URL Rewrite outbound rule? Would that work? I haven't tried it but it's worth taking a look if you like. As long as you see the Secure and SameSite=None in the set-cookie header, that's all that's required. Just to confirm, you have .NET framework v4.8 installed on the web server? Yes, I have .NET Framework 4.8 installed on the server. It might be related to the .NET framework v2.0. Our testing has been on the .NET framework v4.0 and above. You might have to contact Microsoft support for confirmation. The other consideration is that not all SAML flows require the use of SAML state to work. For example, if you're the SP and supporting IdP-initiated SSO flow, no SAML state is required. Therefore no changes would be required to support the Chrome updates. Are you acting as the SP or IdP and are you supporting IdP-initiated or SP-initiated SSO? Are you supporting SAML logout?
Regards ComponentSpace Development
|
|
|