how SameSite attribute added to my Asp.net_SessionID cookie automatically?
Add these options to web.config for sameSite=None , Lax or Strict
<system.web>
<httpCookies sameSite="None"/>
<sessionState cookieSameSite="None" />
<authentication mode="Forms">
<forms cookieSameSite="None" />
</authentication>
CookieSameSite attribute is not available for many older frameworks. If you're in the situation where the accepted answer is not supported in your environment, read on!
I modified upon several SO answers to come up with this URL rewrite that adds SameSite=None to session cookies, and also remove SameSite=None from all cookies for most incompatible browsers. The aim of this rewrite is to preserve the "legacy" behaviour pre-Chrome 80.
Full write-up in my Coder Frontline blog:
<rewrite>
<outboundRules>
<preConditions>
<!-- Checks User Agent to identify browsers incompatible with SameSite=None -->
<preCondition name="IncompatibleWithSameSiteNone" logicalGrouping="MatchAny">
<add input="{HTTP_USER_AGENT}" pattern="(CPU iPhone OS 12)|(iPad; CPU OS 12)" />
<add input="{HTTP_USER_AGENT}" pattern="(Chrome/5)|(Chrome/6)" />
<add input="{HTTP_USER_AGENT}" pattern="( OS X 10_14).*(Version/).*((Safari)|(KHTML, like Gecko)$)" />
</preCondition>
</preConditions>
<!-- Adds or changes SameSite to None for the session cookie -->
<!-- Note that secure header is also required by Chrome and should not be added here -->
<rule name="SessionCookieAddNoneHeader">
<match serverVariable="RESPONSE_Set-Cookie" pattern="(.*ASP.NET_SessionId.*)" />
<!-- Use this regex if your OS/framework/app adds SameSite=Lax automatically to the end of the cookie -->
<!-- <match serverVariable="RESPONSE_Set-Cookie" pattern="((.*)(ASP.NET_SessionId)(=.*))(?=SameSite)" /> -->
<action type="Rewrite" value="{R:1}; SameSite=None" />
</rule>
<!-- Removes SameSite=None header from all cookies, for most incompatible browsers -->
<rule name="CookieRemoveSameSiteNone" preCondition="IncompatibleWithSameSiteNone">
<match serverVariable="RESPONSE_Set-Cookie" pattern="(.*)(SameSite=None)" />
<action type="Rewrite" value="{R:1}" />
</rule>
</outboundRules>
</rewrite>
This should work for most ASP .Net and ASP .Net Core applications, although newer Frameworks have proper code and config options to let you control this behaviour. I would recommend researching all the options available to you before using my rewrite above.
I can't use rewrite, because UrlRewrite not installed on all my customers servers.
Finally i add cookieSameSite to my web.config:
<sessionState mode="StateServer" cookieSameSite="None" sqlConnectionString="data source=(local);user id=sa;password=" cookieless="false" timeout="20" />Last update: zemien's answer is more comprehensive and complete than mine. because it sets cookie based on user agent.
My Answer:
You can replace SameSite=Lax with SameSite=None for ASP.NET_SessionId in web.config following way:
<rewrite>
<outboundRules>
<rule name="AddSameSiteCookieFlag">
<match serverVariable="RESPONSE_Set-Cookie" pattern="((.*)(ASP.NET_SessionId)(=.*))(SameSite=Lax)" />
<action type="Rewrite" value="{R:1};SameSite=None" />
</rule>
</outboundRules>
</rewrite>
Update: To prevent IOS problem, replace
<action type="Rewrite" value="{R:1};SameSite=None" />
with
<action type="Rewrite" value="{R:1};" />
@zemien your solution correctly solved our google chrome issues
We have an integration where our application is embedded in an iframe on a third party. Chrome version 80 released Feb 4 2020 prevented cookies from loading.
However I had to modify the pattern to capture all cookies, add the Secure flag, and condition to not apply the rewrite on localhost for our local non https environment
<rule name="SessionCookieAddNoneHeader">
<match serverVariable="RESPONSE_Set-Cookie" pattern="(.*)(SameSite=.*)?" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false">
<add input="{HTTP_HOST}" pattern="localhost" negate="true" />
</conditions>
<action type="Rewrite" value="{R:1}; SameSite=None; Secure" />
</rule>