
A cookie associated with a cross-site resource at “URL” was set without the `SameSite` attribute

In the Google Chrome console I am getting this warning: "A cookie associated with a cross-site resource at "URL" was set without the SameSite attribute". It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with SameSite=None and Secure. I verified the same under Application > Storage > Cookies; there I found SameSite was "blank/empty", and I want to update that to "None".

I tried some of the ways mentioned by other developers, but nothing seems to be working for me.

Implementation 1: Updated my web.config with the code mentioned below

<sessionState cookieSameSite="None" />
<httpCookies httpOnlyCookies="true" requireSSL="true" />  

// sameSite="None" is not coming up for me under the httpCookies section; it gives me an error message saying the sameSite attribute is not allowed

Implementation 2: Modified the class file code where I am creating that cookie

HttpCookie sessionCookie = new HttpCookie("Token");
sessionCookie.Value = sessionToken;
sessionCookie.HttpOnly = true;
sessionCookie.SameSite = SameSiteMode.None;
// Secure is only set when the app requires SSL and the current request is HTTPS
sessionCookie.Secure = FormsAuthentication.RequireSSL && Request.IsSecureConnection;
sessionCookie.Domain = Request.Url.Host;
Response.Cookies.Add(sessionCookie);

Implementation 3: Created a separate MVC filter to handle this

public override void OnActionExecuting(ActionExecutingContext filterContext)
{
    var response = filterContext.RequestContext.HttpContext.Response;

    if (response != null)
    {
        response.AddHeader("Set-Cookie", "HttpOnly;Secure;SameSite=None");
    }

    base.OnActionExecuting(filterContext);
}

Implementation 4:

<rewrite>
  <outboundRules>
    <rule name="Add SameSite" preCondition="No SameSite">
      <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
      <action type="Rewrite" value="{R:0}; SameSite=None" />
      <conditions>
      </conditions>
    </rule>
    <preConditions>
      <preCondition name="No SameSite">
        <add input="{RESPONSE_Set_Cookie}" pattern="." />
        <add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=" negate="true" />
      </preCondition>
    </preConditions>
  </outboundRules>
</rewrite>

Target: .NET Framework 4.7.2

Is there anything I need to do on my local machine or server, or any other way by which I can remove this warning message?

From the OWASP cheat sheet on setting SameSite cookies to mitigate CSRF: when setting the SameSite attribute to None, we have to set the Secure flag on the cookie as well. This can be done by referring to this question: adding httponly and secure flag for set cookie in java web application

All desktop browsers and almost all mobile browsers now support the SameSite attribute. To keep track of the browsers implementing it and the usage of the attribute, refer to the following service. Note that Chrome has announced that they will mark cookies as SameSite=Lax by default from Chrome 80 (due in February 2020), and Firefox and Edge are both planning to follow suit. Additionally, the Secure flag will be required for cookies that are marked as SameSite=None.

Works for me

<configuration>
  <system.web>
    <httpCookies sameSite="None" requireSSL="true" />
  </system.web>
</configuration>
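To make the rule behind both answers checkable, here is an added example that is not code from the question or either answer: a small Python audit of Set-Cookie values that reports the two conditions Chrome 80+ acts on (a missing SameSite attribute, and SameSite=None without Secure), a model of the URL Rewrite rule from the question's Implementation 4, and a builder for the header the OWASP guidance calls for. The header strings and the cookie name are constructed samples, and the case-insensitive match in iis_outbound_rule is an assumption about the rule's default ignoreCase setting.

```python
"""Check Set-Cookie headers against the SameSite rules Chrome 80+ enforces.

Added example; not code from the question or either answer. All header
strings are constructed samples, nothing is fetched from a live server.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample responses, one Set-Cookie value each.
SAMPLE_HEADERS = [
    "Token=abc123; path=/; HttpOnly",                         # no SameSite at all
    "Token=abc123; path=/; HttpOnly; SameSite=None",          # None, but not Secure
    "Token=abc123; path=/; HttpOnly; Secure; SameSite=None",  # what Chrome wants
]


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Optional[str]]]:
    """Split a Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased so 'SameSite' and 'samesite' compare
    equal; flag attributes such as Secure and HttpOnly map to None.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header: str) -> List[str]:
    """Return the problems Chrome 80+ would have with this cookie (empty means OK)."""
    name, _, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite")
    secure = "secure" in attrs
    findings: List[str] = []
    if samesite is None:
        # Chrome 80+ treats a missing attribute as SameSite=Lax, so the cookie
        # is silently left out of cross-site requests (the console warning).
        findings.append(f"{name}: no SameSite attribute (defaults to Lax)")
    elif samesite.lower() == "none" and not secure:
        # SameSite=None is only honoured together with Secure; otherwise the
        # cookie is rejected outright.
        findings.append(f"{name}: SameSite=None without Secure (rejected)")
    return findings


def iis_outbound_rule(header: str) -> str:
    """Model the URL Rewrite rule from the question (assumed behaviour).

    Precondition: header is non-empty and does not already contain
    '; SameSite=' (assumed case-insensitive, the URL Rewrite default).
    Action: append '; SameSite=None'. Note that it never adds Secure.
    """
    if header and not re.search(r"; SameSite=", header, re.IGNORECASE):
        return header + "; SameSite=None"
    return header


def cross_site_cookie(name: str, value: str, http_only: bool = True) -> str:
    """Build a Set-Cookie value that survives cross-site use in Chrome 80+.

    SameSite=None is always paired with Secure; that pairing is the rule the
    OWASP answer refers to.
    """
    parts = [f"{name}={value}", "Path=/", "SameSite=None", "Secure"]
    if http_only:
        parts.append("HttpOnly")
    return "; ".join(parts)


def audit_all(headers: List[str]) -> Dict[str, List[str]]:
    """Audit each header; keys are the raw header strings."""
    return {h: audit_set_cookie(h) for h in headers}


if __name__ == "__main__":
    for header, findings in audit_all(SAMPLE_HEADERS).items():
        print(header)
        for finding in findings or ["OK"]:
            print("   ", finding)
    # The rewrite rule alone turns sample 0 into sample 1's problem:
    rewritten = iis_outbound_rule(SAMPLE_HEADERS[0])
    print(rewritten, "->", audit_set_cookie(rewritten))
    fixed = cross_site_cookie("Token", "abc123")
    print(fixed, "->", audit_set_cookie(fixed))
```

Running it shows the caveat that applies to all four implementations in the question: appending SameSite=None to a cookie that is not Secure only moves it from "defaults to Lax" to "rejected", so requireSSL="true" (or Secure on the cookie) has to go with it. On .NET Framework 4.7.2 there is one more thing to check: sameSite="None" in web.config and SameSiteMode.None in code only write the literal SameSite=None once the late-2019 .NET Framework servicing update that added that behaviour is installed; on an unpatched 4.7.2, None means "do not emit the attribute", which is exactly the blank value seen in DevTools.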
