ASP.NET automatically sets SameSite cookie header, so Forms cannot update some cookies in a new browser

Found in

EPiServer.Forms 4.26.0

Fixed in

EPiServer.Forms 4.29.0

Created

Feb 27, 2020

Updated

May 11, 2020

State

Closed, Fixed and tested


Description

ASP.NET automatically sets the SameSite=None attribute on cookies received from the client (the HttpCookie instances it generates from the request). Forms updates such a cookie instance and sends it back to the client.

However, browsers that implement the cookie SameSite attribute (2019 draft) reject a cookie that has SameSite=None without the Secure attribute (and a Secure cookie additionally requires an HTTPS connection with a valid SSL certificate), so the cookie is not updated in the browser.

Prerequisites
  • IIS server runs on .NET Framework 4.7.2 or later.
  • Google Chrome version 80 or later.
  • Enable the #same-site-by-default-cookies and #cookies-without-same-site-must-be-secure features in chrome://flags.
Steps to Reproduce
  1. Create a multi-step form (2 steps should be sufficient) and add it to a page.
  2. Visit the page.
  3. Open DevTools to monitor requests (in Network tab) and cookies (in Application tab).
  4. Delete all cookies with format EPiForm_<Form_GUID>_<.EPiForm_VisitorIdentifier> (e.g. EPiForm_3371b7db-7c19-4154-8dd2-491bb0047f9c_02178fb9-4d0f-48b4-b681-1860f6c0b926:cmsadmin).
  5. Submit the first form step.
  6. A new request is sent, and its response headers should include a header like Set-Cookie: EPiForm_337...b926:cmsadmin={"formGuid":"3371...d403867","isFinalized":false}; path=/; HttpOnly; this cookie should be added in the browser.
  7. Submit the final step.
  8. The Set-Cookie header now has a new attribute, SameSite=None. The cookie's new value (e.g. "isFinalized":true) is not updated in the browser.
  9. (Optional) Submit any in-between steps. Their Set-Cookie headers will also have the new attribute SameSite=None.
Expected

All Set-Cookie headers for EPiForm_<Form_GUID>_<.EPiForm_VisitorIdentifier> should not have SameSite=None, and the cookie is updated.

Actual

All Set-Cookie headers after the first submit request have the SameSite=None attribute, and the cookie is not updated.
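The browser-side rule that the description and the Expected/Actual sections rely on, as an added example (not Forms or ASP.NET code): a small Python check that parses a Set-Cookie value, reports whether a Chrome 80 browser with the two flags above would accept it, and applies the defensive fix of adding Secure. The GUIDs and cookie values are constructed placeholders, not the ones from the report.

```python
# Constructed sample Set-Cookie values, shaped like the ones quoted in this
# report but with placeholder GUIDs (the real values are not on the page).
FORM_GUID = "00000000-0000-4000-8000-000000000001"
VISITOR_ID = "00000000-0000-4000-8000-000000000002"
COOKIE_NAME = f"EPiForm_{FORM_GUID}_{VISITOR_ID}:cmsadmin"
FIRST_STEP_HEADER = (f'{COOKIE_NAME}={{"formGuid":"{FORM_GUID}","isFinalized":false}}'
                     "; path=/; HttpOnly")
FINAL_STEP_HEADER = (f'{COOKIE_NAME}={{"formGuid":"{FORM_GUID}","isFinalized":true}}'
                     "; path=/; HttpOnly; SameSite=None")


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attr_lower: attr_value})."""
    pair, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = pair.partition("=")      # cookie value may itself contain '='
    attributes = {}
    for attr in attrs:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attributes[key.strip().lower()] = val.strip() or None
    return name, value, attributes


def browser_verdict(header, over_https=True):
    """Chrome 80 rules: a missing SameSite attribute defaults to Lax;
    SameSite=None requires Secure; a Secure cookie requires an HTTPS connection."""
    name, _, attrs = parse_set_cookie(header)
    samesite = (attrs.get("samesite") or "Lax").lower()
    secure = "secure" in attrs
    if samesite == "none" and not secure:
        return {"name": name, "accepted": False,
                "reason": "SameSite=None without Secure is rejected"}
    if secure and not over_https:
        return {"name": name, "accepted": False,
                "reason": "Secure cookie sent over a non-HTTPS connection"}
    return {"name": name, "accepted": True, "samesite": samesite}


def harden(header):
    """Defensive rewrite: append Secure when SameSite=None is present without it."""
    _, _, attrs = parse_set_cookie(header)
    if (attrs.get("samesite") or "").lower() == "none" and "secure" not in attrs:
        return header.rstrip("; ") + "; Secure"
    return header
```

Running browser_verdict over the two sample headers reproduces the report: the first-step cookie (no SameSite attribute) is accepted as Lax, the final-step cookie with SameSite=None but no Secure is rejected, and the hardened header is accepted only over HTTPS.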