Loading...
Area: Episerver Platform
Applies to versions: Not applicable

SameSite cookie attribute issues

Recommendations [hide]

Note: This page will be updated as soon as new troubleshooting information is available.

With version 80, Google Chrome implemented the changes the IETF has proposed for the SameSite cookie attribute. These are:

  • The default setting for cookies without a SameSite attribute changes from SameSite = None to  SameSite = Lax.
  • When using SameSite = None, you must also specify Secure. Otherwise, the cookie is rejected. Secure requires communication over HTTPS.

To comply to these changes, Microsoft ASP.NET emits a SameSite cookie header when HttpCookie.SameSite value is None. As part of this change, FormsAuth and SessionState cookies are also issued with SameSite = Lax instead of the previous default value None.

See Work with SameSite cookies in ASP.NET for documentation on the changes in ASP.NET.

Known issues

PDF preview for secured PDF

A bug in Chrome affects large PDFs with restricted access when SameSite = Lax for forms authentication. See the blog by Linus Ekström: Issues with PDF preview for secured PDF:s in Google Chrome due to .NET security patch

Troubleshooting

The new policy should work for most websites and cookies. Websites that cannot comply with the requirements of Lax have to change the default values. An example of a limitation with Lax is that you cannot iframe the site under another domain and still use cookie-based features such as authentication and session state.

Note: Older browsers might not support SameSite or implement a different behavior on SameSite. 

Configuring SameSite for anti-forgery

Configuring the built-in anti-forgery used in Episerver user interface (requires EPiServer.CMS.Core 11.15):

context.Services.Configure<AspNetAntiForgeryOptions>(options => 
  {  
    options.CookieSameSiteType = SameSiteType.None;
    options.CookieRequireSSL = true;
  });

Configuring SameSite for forms authentication

Configuring forms authentication to using None and HTTPS:

<authentication>
  <forms cookieSameSite="None" requireSSL="true" />
</authentication>

Configuring SameSite for session state

Configuring session state to using None:

<sessionState cookieSameSite="None" cookieless="false" timeout="360">
</sessionState>

Configuring SameSite default values for cookies

Configuring the default for all cookies that do not explicitly use SameSite:

<httpCookies sameSite="None" requireSSL="true" />

Revert behavior of sending SameSite = None to browsers

Revert to the previous behavior of not sending SameSite = None to browsers:

<appSettings>
  <add key="aspnet:SuppressSameSiteNone" value="true" />
</appSettings>

References

Do you find this information helpful? Please log in to provide feedback.

Last updated: Feb 19, 2020

Recommendations [hide]