
SameSite still omitted when set to SameSiteMode.None, with patched .net core 2.1


Describe the bug

When creating a cookie it still doesn’t seem possible to have SameSite=None set even though this was supposed to be sorted in the 2.1.14 patch last year (I’ve also tried installing 2.1.15) - see issues #12125 and #13746. I originally observed this when testing out our IdentityServer4 app which uses OIDC, when we send users to an external Identity Provider an “.AspNetCore.Correlation.<something>” cookie is set without the specified SameSite even though I believed I had set this all up fine. I spent a while figuring out what I had configured incorrectly until I boiled it down into the example I’ve included below and realised that something outside my control may be going wrong.

I would be delighted to find out I’m wrong and that there’s a simple fix that doesn’t involve manually hacking Path as "/; SameSite=None"; because that’s where I’m currently leaning …

To Reproduce

Create a simple console application:

$ dotnet new console -f netcoreapp2.1 -n samesite.test
The template "Console Application" was created successfully.

Processing post-creation actions...
Running 'dotnet restore' on samesite.test\samesite.test.csproj...
  Restore completed in 254.28 ms for C:\Users\sean.mclemon\source\one-off\samesite.test\samesite.test.csproj.

Restore succeeded.

… then open up Program.cs and set it to the following

using Microsoft.Net.Http.Headers;
using System;

namespace samesite.test
{
    class Program
    {
        static void Main(string[] args)
        {
            var cookie = new SetCookieHeaderValue("some-key", "some-value")
            {
                Domain = "example.com",
                Path = "/path",
                Expires = DateTimeOffset.UtcNow.AddDays(1),
                MaxAge = TimeSpan.FromDays(1),
                Secure = true,
                SameSite = SameSiteMode.None,
                HttpOnly = true
            };

            Console.WriteLine(cookie.ToString());
        }
    }
}

Next, cd to the directory, add the Microsoft.AspNetCore.Http package, build and run:

$ cd samesite.test

$ dotnet add package Microsoft.AspNetCore.Http --version 2.2.2
  Writing C:\Temp\sean.mclemon\tmpEEC1.tmp
info : Adding PackageReference for package 'Microsoft.AspNetCore.Http' into project 'C:\Users\sean.mclemon\source\one-off\samesite.test\samesite.test.csproj'.
info : Restoring packages for C:\Users\sean.mclemon\source\one-off\samesite.test\samesite.test.csproj...
info : Package 'Microsoft.AspNetCore.Http' is compatible with all the specified frameworks in project 'C:\Users\sean.mclemon\source\one-off\samesite.test\samesite.test.csproj'.
info : PackageReference for package 'Microsoft.AspNetCore.Http' version '2.2.2' added to file 'C:\Users\sean.mclemon\source\one-off\samesite.test\samesite.test.csproj'.
info : Committing restore...
info : Writing assets file to disk. Path: C:\Users\sean.mclemon\source\one-off\samesite.test\obj\project.assets.json
log  : Restore completed in 742.35 ms for C:\Users\sean.mclemon\source\one-off\samesite.test\samesite.test.csproj.

$ dotnet build
Microsoft (R) Build Engine version 16.4.0+e901037fe for .NET Core
Copyright (C) Microsoft Corporation. All rights reserved.

  Restore completed in 37.94 ms for C:\Users\sean.mclemon\source\one-off\samesite.test\samesite.test.csproj.
  samesite.test -> C:\Users\sean.mclemon\source\one-off\samesite.test\bin\Debug\netcoreapp2.1\samesite.test.dll

Build succeeded.
    0 Warning(s)
    0 Error(s)

Time Elapsed 00:00:02.35

$ dotnet run
some-key=some-value; expires=Wed, 05 Feb 2020 14:45:39 GMT; max-age=86400; domain=example.com; path=/path; secure; httponly

Notice that there’s no “SameSite” there. If we used SameSiteMode.Lax or SameSiteMode.Strict then we would see it.

Further technical details

$ dotnet --info
.NET Core SDK (reflecting any global.json):
 Version:   3.1.100
 Commit:    cd82f021f4

Runtime Environment:
 OS Name:     Windows
 OS Version:  10.0.18363
 OS Platform: Windows
 RID:         win10-x64
 Base Path:   C:\Program Files\dotnet\sdk\3.1.100\

Host (useful for support):
  Version: 3.1.0
  Commit:  65f04fb6db

.NET Core SDKs installed:
  1.1.14 [C:\Program Files\dotnet\sdk]
  2.1.803 [C:\Program Files\dotnet\sdk]
  3.0.100 [C:\Program Files\dotnet\sdk]
  3.1.100 [C:\Program Files\dotnet\sdk]

.NET Core runtimes installed:
  Microsoft.AspNetCore.All 2.1.14 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.All 2.1.15 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.App 2.1.14 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 2.1.15 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 3.0.0 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 3.1.0 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 1.0.16 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 1.1.13 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.1.14 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.1.15 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 3.0.0 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 3.1.0 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.WindowsDesktop.App 3.0.0 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 3.1.0 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]

To install additional .NET Core runtimes or SDKs:
  https://aka.ms/dotnet-download
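The repro above only shows the attribute disappearing by eye. The following is an added example, not code from the issue or from ASP.NET Core, that turns the observation into a check: it renders a cookie with SetCookieHeaderValue exactly as the repro does, parses the resulting Set-Cookie string, and reports every finding that would make the cookie unusable for a cross-site flow such as the OIDC correlation cookie mentioned above (SameSite missing, SameSite not None, or Secure missing). The CookieCheck class, its method names and the finding texts are this example's own; the parser is a deliberately simple "split on ';'" that is enough for headers in the shape ToString() produces.

```csharp
// Added example (not from the issue): parse a Set-Cookie header and report
// whether the cookie is actually fit for cross-site use. Replace Program.cs
// in the repro project with this file; it uses the same package reference.
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.Net.Http.Headers;

namespace samesite.test
{
    static class CookieCheck
    {
        // Parse "name=value; attr; attr=value" into a case-insensitive map of
        // attribute name -> value (flag attributes such as Secure map to "").
        public static Dictionary<string, string> ParseAttributes(string setCookie)
        {
            var attrs = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
            // Skip(1) drops the leading "name=value" pair.
            foreach (var part in setCookie.Split(';').Skip(1))
            {
                var trimmed = part.Trim();
                if (trimmed.Length == 0) continue;
                var eq = trimmed.IndexOf('=');
                if (eq < 0)
                    attrs[trimmed] = string.Empty;
                else
                    attrs[trimmed.Substring(0, eq).Trim()] = trimmed.Substring(eq + 1).Trim();
            }
            return attrs;
        }

        // Returns the list of problems; an empty list means the cookie will be
        // sent on cross-site requests by current browsers.
        public static List<string> CheckCrossSiteCookie(string setCookie)
        {
            var findings = new List<string>();
            var attrs = ParseAttributes(setCookie);

            if (!attrs.TryGetValue("SameSite", out var sameSite))
                findings.Add("SameSite attribute missing: the browser applies its default " +
                             "(Lax in Chrome 80 and later), so cross-site redirects will not carry it.");
            else if (!string.Equals(sameSite, "None", StringComparison.OrdinalIgnoreCase))
                findings.Add($"SameSite={sameSite}: cookie is withheld on cross-site requests.");

            if (!attrs.ContainsKey("Secure"))
                findings.Add("Secure attribute missing: browsers reject SameSite=None without Secure.");

            return findings;
        }

        static void Main()
        {
            // Same construction as the repro: None is requested, Secure is set.
            var cookie = new SetCookieHeaderValue("some-key", "some-value")
            {
                Domain = "example.com",
                Path = "/path",
                Secure = true,
                SameSite = SameSiteMode.None,
                HttpOnly = true
            };

            var header = cookie.ToString();
            Console.WriteLine(header);

            var findings = CheckCrossSiteCookie(header);
            foreach (var f in findings)
                Console.WriteLine("FINDING: " + f);

            // Non-zero exit so a CI job notices the regression described in this issue.
            Environment.ExitCode = findings.Count == 0 ? 0 : 1;
        }
    }
}
```

With the header the repro printed (no SameSite at all) the check reports the first finding and exits non-zero; with a build that emits SameSite=None it passes. The same CheckCrossSiteCookie call can be pointed at the raw Set-Cookie headers captured from the IdentityServer redirect, which is the place the problem was first noticed.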

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 10 (7 by maintainers)

Top GitHub Comments

1 reaction
blowdart commented, Feb 4, 2020
  1. Are you targeting .NET Framework as your runtime? If so you need to specifically add two dependencies;
<PackageReference Include="Microsoft.Net.Http.Headers" Version="2.1.14" />
<PackageReference Include="Microsoft.AspNetCore.CookiePolicy" Version="2.1.14" />
  2. You also need to configure middlewares to use the SecurePolicy you wish; for example
services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.Cookie.SameSite = SameSiteMode.None;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.Cookie.IsEssential = true;
    });

This is documented.

  3. Finally if you want (and you should want) to intercept cookies and remove the none value for browsers that don’t support it then you need to use CookiePolicy as detailed in the docs.
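The three points in the comment above, put together in one Startup as an added example (this is not code from the issue, from blowdart, or from the ASP.NET Core documentation): the explicit cookie-scheme configuration from point 2, plus the CookiePolicy interception from point 3, where OnAppendCookie and OnDeleteCookie downgrade SameSite=None to SameSiteMode.Unspecified for user agents that mishandle None. The CheckSameSite and DisallowsSameSiteNone helpers and the user-agent substrings they test are assumptions made for illustration; the authoritative list of affected browsers is in the documentation the comment refers to, and a real deployment would take it from there. SameSiteMode.Unspecified assumes the patched 2.1.14 (or later) packages from point 1 are referenced.

```csharp
// Added example (not from the issue or the docs): cookie scheme with
// SameSite=None + Secure, and a cookie policy that strips None for user
// agents known to treat it as Strict. Requires the patched Microsoft.Net.Http.Headers
// and Microsoft.AspNetCore.CookiePolicy packages named in point 1 above.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

namespace samesite.test
{
    public class Startup
    {
        public void ConfigureServices(IServiceCollection services)
        {
            // Point 2: ask for None explicitly and force Secure; browsers reject
            // SameSite=None on a cookie that is not Secure.
            services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
                .AddCookie(options =>
                {
                    options.Cookie.SameSite = SameSiteMode.None;
                    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
                    options.Cookie.IsEssential = true;
                });

            // Point 3: CookiePolicy sees every cookie appended to or deleted from
            // the response, so it is the one place to adjust SameSite per user agent.
            services.Configure<CookiePolicyOptions>(options =>
            {
                // Unspecified means "enforce no floor": a None cookie stays None
                // instead of being raised to the policy minimum.
                options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
                options.OnAppendCookie = ctx => CheckSameSite(ctx.Context, ctx.CookieOptions);
                options.OnDeleteCookie = ctx => CheckSameSite(ctx.Context, ctx.CookieOptions);
            });
        }

        public void Configure(IApplicationBuilder app)
        {
            // The policy middleware must run before anything that writes cookies.
            app.UseCookiePolicy();
            app.UseAuthentication();
        }

        // Hypothetical helper: drop the SameSite attribute entirely (Unspecified)
        // when the requesting user agent would misread None as Strict.
        private static void CheckSameSite(HttpContext httpContext, CookieOptions options)
        {
            if (options.SameSite == SameSiteMode.None)
            {
                var userAgent = httpContext.Request.Headers["User-Agent"].ToString();
                if (DisallowsSameSiteNone(userAgent))
                {
                    options.SameSite = SameSiteMode.Unspecified;
                }
            }
        }

        // Hypothetical, deliberately minimal detection (assumption): iOS 12 WebKit is
        // the best-known affected engine. Take the full list from the documentation.
        public static bool DisallowsSameSiteNone(string userAgent)
        {
            if (string.IsNullOrEmpty(userAgent))
            {
                return false;
            }
            return userAgent.Contains("CPU iPhone OS 12")
                || userAgent.Contains("iPad; CPU OS 12");
        }
    }
}
```

The order in Configure matters: UseCookiePolicy has to be registered ahead of the authentication middleware, otherwise the correlation and session cookies the OIDC handler writes never pass through OnAppendCookie and the downgrade never runs.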

It wasn’t a non-issue, it’s good to get to the bottom of these things.
