SameSite still omitted when set to SameSiteMode.None, with patched .net core 2.1 #18779
```xml
<PackageReference Include="Microsoft.Net.Http.Headers" Version="2.1.14" />
<PackageReference Include="Microsoft.AspNetCore.CookiePolicy" Version="2.1.14" />
```

```csharp
services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.Cookie.SameSite = SameSiteMode.None;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.Cookie.IsEssential = true;
    });
```
|
No, I'm not targeting .NET Framework, I have configured middleware as per the documentation and I have a solution in place to strip out None for some of the browsers which don't support it, similar to that described in the docs. I really appreciate the suggestions but in this issue I've got a little self-contained example that I think indicates |
An example would be great |
Please see the "To Reproduce" of the original comment, it's all there |
Oh wait, that's it? What version of core 2.1 do you have installed? (Also @Tratcher) |
Oh wait, you're going through SetCookieHeaderValue? Why a console app, rather than a web app? The web app approach works in my demos.
|
Why did you add version 2.2.2 to a 2.1 project? I replaced that step with this one and now it's working:
Needing this direct dependency is expected when you're working only with packages. Normally that would only apply to .NET Framework apps, but in your repro it also applies because you're not referencing the ASP.NET Core shared runtime (Microsoft.AspNetCore.App) that contains the patch. |
Ahhh I installed that library in my little example as I (mistakenly) believed that was the necessary package required to access SetCookieHeaderValue and experiment with the problem. OK so this suggests to me I'll need to dig through my dependencies in the original app that prompted me to create this and see if I can find anything funny. Thanks heaps, this can be closed. My apologies for raising a non-issue! |
It wasn't a non-issue, it's good to get to the bottom of these things. |
Describe the bug

When creating a cookie it still doesn't seem possible to have `SameSite=None` set even though this was supposed to be sorted in the 2.1.14 patch last year (I've also tried installing 2.1.15) - see issue #12125 and #13746. I originally observed this when testing out our IdentityServer4 app which uses OIDC, when we send users to an external Identity Provider an ".AspNetCore.Correlation." cookie is set without the specified SameSite even though I believed I had set this all up fine. I spent a while figuring out what I had configured incorrectly until I boiled it down into the example I've included below and realised that something outside my control may be going wrong.

I would be delighted to find out I'm wrong and that there's a simple fix that doesn't involve manually hacking Path as `"/; SameSite=None";` because that's where I'm currently leaning ...

To Reproduce

Create a simple console application:

... then open up `Program.cs` and set it to the following

next `cd` to the dir, add the `Microsoft.AspNetCore.Http` package, build and run

Notice that there's no "SameSite" there. If we used `SameSiteMode.Lax` or `SameSiteMode.Strict` then we would see it.

Further technical details
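The thread traces the missing attribute to the repro resolving a package version that does not contain the patch. The console check below reports which build of Microsoft.Net.Http.Headers a project actually loaded and whether that build serializes `SameSiteMode.None`. It is an added example, not code from the issue or from the ASP.NET Core project; the class name `SameSiteCheck` and the cookie name and value are made up for illustration, and it assumes a console project that references the same packages as the application being checked.

```csharp
using System;
using System.Diagnostics;
using System.Reflection;
using Microsoft.Net.Http.Headers;

// Hypothetical helper class, not part of ASP.NET Core.
public static class SameSiteCheck
{
    public static int Main()
    {
        // Report which copy of the header library the build resolved.
        Assembly asm = typeof(SetCookieHeaderValue).Assembly;
        string fileVersion = FileVersionInfo.GetVersionInfo(asm.Location).FileVersion;
        string infoVersion = asm
            .GetCustomAttribute<AssemblyInformationalVersionAttribute>()?
            .InformationalVersion;
        Console.WriteLine($"Assembly   : {asm.GetName().Name}");
        Console.WriteLine($"Location   : {asm.Location}");
        Console.WriteLine($"Version    : {infoVersion ?? fileVersion}");

        // Constructed sample cookie; name and value are placeholders.
        var cookie = new SetCookieHeaderValue("sample", "value")
        {
            Path = "/",
            Secure = true,
            HttpOnly = true,
            SameSite = SameSiteMode.None
        };
        string header = cookie.ToString();
        Console.WriteLine($"Set-Cookie : {header}");

        // Look for an explicit SameSite=None attribute in the serialized header.
        bool hasSameSiteNone = false;
        foreach (string part in header.Split(';'))
        {
            string[] kv = part.Trim().Split(new[] { '=' }, 2);
            if (kv.Length == 2
                && kv[0].Equals("samesite", StringComparison.OrdinalIgnoreCase)
                && kv[1].Equals("none", StringComparison.OrdinalIgnoreCase))
            {
                hasSameSiteNone = true;
            }
        }
        Console.WriteLine(hasSameSiteNone
            ? "OK: SameSite=None is emitted by this build."
            : "MISSING: SameSite=None was dropped; check the resolved package version above.");
        return hasSameSiteNone ? 0 : 1; // non-zero exit code when the attribute is absent
    }
}
```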