The SameSite cookie attribute tells the browser whether to attach a cookie to a request or leave it out, based on whether the request comes from the cookie's own site or from another site.
To understand all the SameSite options, we are going to check different scenarios using two different domains, "http://mycookieapp.com/" and 'http://mythirdparty.com/'.
The "http://mycookieapp.com/" site is a .NET 5 MVC application with cookie authentication enabled, so we will check the SameSite option on its login cookie (the SameSite option applies to any kind of cookie; the login cookie is just what I'm using for testing). The [Authorize] attribute is enabled on its index page, so only authenticated users can access it. The 'http://mythirdparty.com/' site is a plain .NET 5 MVC application that consumes the "http://mycookieapp.com/" website as a link or in an iframe.
AspNet Core Cookie SameSite Options:
The following are the cookie SameSite options:
- Strict
- Lax
- None
- Unspecified
Strict:
In 'Strict' mode the cookie is attached only when we access the website directly in the browser or navigate within the website. It is not attached when we navigate to the site from a third-party website, or when a third-party website loads our site in an iframe.
In the "http://mycookieapp.com/" project let's set the cookie SameSite option to 'Strict'.
Startup.cs:
services.ConfigureApplicationCookie(options =>
{
    options.Cookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.Strict;
});
Now log in to "http://mycookieapp.com/" and we can see our auth cookie with "samesite=strict" as below.
Now go to the home page of 'http://mythirdparty.com/', where we link to the "http://mycookieapp.com/" home page. On clicking the link we are redirected to the login page, because the browser won't add the cookie to a request that starts from 'http://mythirdparty.com/' when the cookie option is "samesite=strict". So after clicking the link, instead of landing on the home page, we are redirected to the login page as below.
Another case is loading "http://mycookieapp.com/" in an iframe on 'http://mythirdparty.com/'. The 'samesite=strict' cookie is not sent in the iframe either, so instead of the landing page we see the login form.
Lax:
In 'Lax' mode the cookie is attached for requests that come from directly accessing the site in the browser, navigating within the website, or following a link from a third-party website. The 'Lax' mode won't attach the cookie when the site is loaded in an iframe.
In the "http://mycookieapp.com/" project let's set the cookie SameSite option to 'Lax'.
Startup.cs:
services.ConfigureApplicationCookie(options =>
{
    options.Cookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.Lax;
});
Now log in to "http://mycookieapp.com/" and observe the cookie option 'samesite=lax'.
Now go to the home page of 'http://mythirdparty.com/', where we link to the "http://mycookieapp.com/" home page. On clicking the link, the "http://mycookieapp.com/" home page loads successfully, because with 'samesite=lax' the browser adds the cookie to this top-level navigation.
Now if we try to load "http://mycookieapp.com/" in an iframe on 'http://mythirdparty.com/', it displays the login page because the cookie is not sent. 'samesite=lax' does not work with iframes.
None:
The 'None' mode works in all of these scenarios. But 'samesite=none' requires a few additional things: the website must be served over 'https' and the cookie needs the 'secure' attribute.
In the "https://mycookieapp.com/" project (the website must be https) let's set the cookie SameSite option to 'None'.
Startup.cs:
services.ConfigureApplicationCookie(options =>
{
    options.Cookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.None;
    options.Cookie.SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.Always;
});
Now log in to "https://mycookieapp.com/" and observe the cookie options 'samesite=none' and 'secure'.
We know 'samesite=none' works for all scenarios; let's check the iframe case.
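To put the Strict, Lax and None scenarios above side by side, here is an added example (not code from the original article or from either test project) that models the browser's SameSite decision as a small console program. The names SameSite, RequestKind, BrowserModel.Attaches and Outcome are this example's own, and the model is simplified: it covers the three request kinds used on this page plus a cross-site form POST, and the rule that current browsers reject a 'samesite=none' cookie that is not also 'secure'.

```csharp
// Added example, not from the original article: a simplified model of the
// browser's SameSite decision for the scenarios on this page. Type and method
// names are this example's own; real browsers handle more cases than shown here.
using System;

enum SameSite { Strict, Lax, None }

// How the request that would carry the login cookie was initiated.
enum RequestKind
{
    SameSiteNavigation,     // typed URL or a link inside mycookieapp.com
    CrossSiteTopLevelLink,  // link on mythirdparty.com opened as a top-level GET
    CrossSiteIframe,        // mycookieapp.com embedded in an iframe on mythirdparty.com
    CrossSiteFormPost       // form on mythirdparty.com POSTing to mycookieapp.com
}

static class BrowserModel
{
    // Returns true when the browser sends the cookie with the request.
    public static bool Attaches(SameSite mode, bool secureFlag, bool overHttps, RequestKind kind)
    {
        // SameSite=None is only honoured for a Secure cookie set over https;
        // current browsers reject the cookie otherwise, so it is never sent.
        if (mode == SameSite.None && !(secureFlag && overHttps))
            return false;

        switch (kind)
        {
            case RequestKind.SameSiteNavigation:
                return true;                      // every mode allows same-site requests
            case RequestKind.CrossSiteTopLevelLink:
                return mode != SameSite.Strict;   // Lax and None allow top-level GET navigations
            case RequestKind.CrossSiteIframe:
            case RequestKind.CrossSiteFormPost:
                return mode == SameSite.None;     // only None allows embedded or non-GET cross-site requests
            default:
                return false;
        }
    }

    // What the user sees on mycookieapp.com's [Authorize] index page.
    public static string Outcome(bool attached) => attached ? "home page" : "login page";

    static void Main()
    {
        // Constructed cases mirroring the article's walkthrough, plus None without Secure.
        var cases = new[]
        {
            (SameSite.Strict, false, false, RequestKind.CrossSiteTopLevelLink),
            (SameSite.Strict, false, false, RequestKind.CrossSiteIframe),
            (SameSite.Lax,    false, false, RequestKind.CrossSiteTopLevelLink),
            (SameSite.Lax,    false, false, RequestKind.CrossSiteIframe),
            (SameSite.Lax,    false, false, RequestKind.CrossSiteFormPost),
            (SameSite.None,   true,  true,  RequestKind.CrossSiteIframe),
            (SameSite.None,   false, true,  RequestKind.CrossSiteIframe),
        };

        foreach (var (mode, secure, https, kind) in cases)
        {
            bool sent = Attaches(mode, secure, https, kind);
            Console.WriteLine(
                $"samesite={mode,-6} secure={secure,-5} {kind,-22} -> cookie sent: {sent,-5} user sees: {Outcome(sent)}");
        }
    }
}
```

Running it prints one line per case: the Strict link and iframe cases and the Lax iframe case end on the login page, the Lax link and the Secure None iframe end on the home page, and the None cookie without Secure is never sent at all. The cross-site POST row is the reason Lax is the usual default for a login cookie: it already blocks the classic cross-site request forgery shape while keeping ordinary inbound links working.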
Unspecified:
'Unspecified' means we don't set any SameSite value on the cookie from the server. This is needed because some old browsers don't understand the 'lax' and 'none' values; they only understand 'strict', and for those browsers we can use Unspecified. So it is best to apply this mode conditionally, by detecting the browsers that don't support it.
Startup.cs:
public void ConfigureServices(IServiceCollection services)
{
    services.ConfigureApplicationCookie(options =>
    {
        options.Cookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.None;
    });

    // Cookie policy hooks run for every cookie the application appends or deletes.
    services.Configure<CookiePolicyOptions>(options =>
    {
        options.OnAppendCookie = cookieContext =>
            CheckSameSite(cookieContext.Context, cookieContext.CookieOptions);
        options.OnDeleteCookie = cookieContext =>
            CheckSameSite(cookieContext.Context, cookieContext.CookieOptions);
    });
}

// Downgrade SameSite=None to Unspecified for browsers that can't handle it.
private void CheckSameSite(HttpContext httpContext, CookieOptions options)
{
    if (options.SameSite == SameSiteMode.None)
    {
        var userAgent = httpContext.Request.Headers["User-Agent"].ToString();
        if (userAgent == "someoldbrowser") // placeholder: replace with real browser detection
        {
            options.SameSite = SameSiteMode.Unspecified;
        }
    }
}
- Here you can see the 'Unspecified' mode being applied conditionally. Note that the OnAppendCookie and OnDeleteCookie callbacks only run when the cookie policy middleware is in the pipeline, so add app.UseCookiePolicy() in Configure before app.UseAuthentication().
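The "someoldbrowser" comparison above is a placeholder. As an added example (not code from the original article), the following console program fills it in with the user-agent heuristic Microsoft publishes for browsers known to mishandle 'samesite=none' (iOS 12 browsers, Safari on macOS 10.14, and Chrome 50-69) and shows the downgrade decision for a few constructed user-agent strings. The names SameSiteCompat, DisallowsSameSiteNone and ApplyCompatibility are this example's own; it returns the resulting mode as a string so it runs without ASP.NET Core references.

```csharp
// Added example, not from the original article. Replaces the "someoldbrowser"
// placeholder with the user-agent heuristic Microsoft documents for browsers that
// mishandle SameSite=None. The user-agent strings below are constructed samples.
using System;

static class SameSiteCompat
{
    public static bool DisallowsSameSiteNone(string userAgent)
    {
        if (string.IsNullOrEmpty(userAgent)) return false;

        // iOS 12 browsers (Safari, WKWebView, Chrome on iOS) all use the affected iOS stack.
        if (userAgent.Contains("CPU iPhone OS 12") || userAgent.Contains("iPad; CPU OS 12"))
            return true;

        // Safari on macOS 10.14; "Version/" separates Safari from Chrome on the same OS.
        if (userAgent.Contains("Macintosh; Intel Mac OS X 10_14")
            && userAgent.Contains("Version/") && userAgent.Contains("Safari"))
            return true;

        // Chrome 50-69: some builds reject SameSite=None, and none of them need it.
        if (userAgent.Contains("Chrome/5") || userAgent.Contains("Chrome/6"))
            return true;

        return false;
    }

    // Mirrors the CheckSameSite hook: a cookie requested as None is downgraded to
    // Unspecified only for the affected browsers; every other request is untouched.
    public static string ApplyCompatibility(string requestedSameSite, string userAgent)
    {
        if (requestedSameSite == "None" && DisallowsSameSiteNone(userAgent))
            return "Unspecified";
        return requestedSameSite;
    }

    static void Main()
    {
        // Constructed user-agent samples for the demonstration.
        var samples = new[]
        {
            ("iOS 12 Safari",         "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1"),
            ("macOS 10.14 Safari",    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Safari/605.1.15"),
            ("macOS 10.14 Chrome 78", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36"),
            ("Windows Chrome 65",     "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36"),
            ("Windows Chrome 87",     "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"),
        };

        foreach (var (name, ua) in samples)
        {
            Console.WriteLine($"{name,-24} -> samesite={ApplyCompatibility("None", ua)}");
        }
    }
}
```

The two macOS 10.14 rows show why the "Version/" check matters: Safari and Chrome on the same OS both contain "Macintosh; Intel Mac OS X 10_14" and "Safari", but only Safari is downgraded. A practical caveat when wiring this into CheckSameSite: the downgrade is applied per request, so a cookie set as Unspecified for an old browser and as None for a new one is still the same cookie on the server side, and the hook must also run on deletion (OnDeleteCookie) or the logout response will carry different attributes from the login response.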
Wrapping Up:
Hopefully this article delivered some useful information on cookie SameSite options and their usage. I would love to have your feedback, suggestions, and better techniques in the comment section below.