Setting the AspNetAntiForgeryOptions.SameSiteAttributeValue causes undefined behavior

Fixed in

EPiServer.CMS.Core 11.15.0

Created

Feb 11, 2020

Updated

Mar 23, 2020

Area

CMS Core

State

Closed, Fixed and tested


Description

Steps to reproduce

  1. Make sure the latest Microsoft patch is installed (kb4533094).
  2. Add the following code to an initialization module:

     // Configure the anti-forgery cookie: enforce the same-origin check and
     // request SameSite=Strict on the __epiXSRF cookie.
     context.Services.Configure<AspNetAntiForgeryOptions>(options =>
     {
         options.EnableSameOriginCheck = true;
         options.SameSiteAttributeValue = SameSiteType.Strict;
     });


  3. Enable the default cookie policy in the web.config file.

    <httpCookies sameSite="None" />
    

  4. Go to the login page in a new browser session (without any cookies).

Expected:
SameSite is set to Strict (no duplicates)

Actual:
SameSite appears twice
__epiXSRF=TiWREKhLeuFRJ+ZqgM6H0egChaVor+uqoPWuYm2+MBk=; path=/; SameSite=Strict; HttpOnly; SameSite=None
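A response-header check that catches the duplicate attribute above, added here as an example (not part of the original report or of the EPiServer code base). It parses a Set-Cookie value without collapsing repeated attributes, flags a repeated or conflicting SameSite attribute, and also goes one step beyond the report by flagging SameSite=None without Secure, which current browsers reject; the sample header is the one from the Actual result, the function names are assumptions.

```python
"""Detect duplicate or conflicting SameSite attributes in a Set-Cookie header.

Added example, not code from the bug report or from EPiServer.
"""
from typing import Dict, List, Tuple

# Set-Cookie value exactly as shown in the report's "Actual" result.
SAMPLE_HEADER = (
    "__epiXSRF=TiWREKhLeuFRJ+ZqgM6H0egChaVor+uqoPWuYm2+MBk=; "
    "path=/; SameSite=Strict; HttpOnly; SameSite=None"
)


def parse_set_cookie(header: str) -> Tuple[str, str, List[Tuple[str, str]]]:
    """Split a Set-Cookie value into (name, value, attributes).

    Attributes are returned as an ordered list, not a dict, so that a repeated
    attribute (the defect in this report) is preserved instead of overwritten.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: List[Tuple[str, str]] = []
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs.append((key.strip().lower(), val.strip()))
    return name.strip(), value, attrs


def check_samesite(header: str) -> Dict[str, object]:
    """Return the SameSite values found and a list of findings for one header."""
    name, _, attrs = parse_set_cookie(header)
    samesite = [val for key, val in attrs if key == "samesite"]
    secure = any(key == "secure" for key, _ in attrs)
    findings: List[str] = []
    if len(samesite) > 1:
        findings.append("duplicate SameSite attribute: " + ", ".join(samesite))
        if len({v.lower() for v in samesite}) > 1:
            findings.append("conflicting SameSite values on the same cookie")
    # Beyond the report: SameSite=None is only accepted when Secure is also set.
    if any(v.lower() == "none" for v in samesite) and not secure:
        findings.append("SameSite=None without Secure; browsers drop the cookie")
    return {"cookie": name, "samesite": samesite, "findings": findings}
```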