Skip to content

SameSite.None for cookies is ignored #12125

New issue
New issue
Closed
Closed
SameSite.None for cookies is ignored#12125
Assignees
Tratcher
Labels
area-authIncludes: Authn, Authz, OAuth, OIDC, Bearerbreaking-changeThis issue / pr will introduce a breaking change, when resolved / merged.
Milestone
 
3.1.0-preview1
@kevingosse

Description

@kevingosse
kevingosse
opened on Jul 12, 2019

When setting SameSite to None in a cookie, the value isn't added to the actual cookie:

https://github.com/aspnet/AspNetCore/blob/master/src/Http/Headers/src/SetCookieHeaderValue.cs#L132-L136

This was fine until now because None was the default value used by all web browsers when the property is not set.
Unfortunately, Chrome is changing that, and starting with version 80 the default value will be Lax: https://www.chromestatus.com/feature/5088147346030592

It means that whenever we set SameSite to None in AspNetCore, no value is sent to the browser, and it's going to be interpreted as "Lax" by Chrome.

As a fix, we can either remove the if (SameSite != SameSiteMode.None) check in SetCookieHeaderValue, or add a "SameSiteSet" field to detect when the user wants to let the browser decide of the default value.

Metadata

Metadata

Assignees

Labels

area-authIncludes: Authn, Authz, OAuth, OIDC, Bearerbreaking-changeThis issue / pr will introduce a breaking change, when resolved / merged.

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions