SameSite cookie default value update

Did you need to put a login-protected site into an iframe before 2020? Today's story is about a site that stopped working for no apparent reason… Let's begin.

Business Context

This section starts with a short description to give you some context. The business requirement was to redirect most pages to new pages, but one part of the site had to be displayed on the new page. The decision was made to use an iframe tag to display pages from the old domain on the new one. A simple task: I wrote emails to the other developers and told them which link to use in the iframe. Done, everything is working. Next task, please 🙂

What happened?

The production release was done and it was confirmed that everything was working just fine. Unfortunately, the happiness didn't last long. A bug came in from production: the login page had stopped working (oh no, why!). My first thought was that something might be wrong with the infrastructure, but after a quick check the login page worked fine in the browser. Let's look at the iframe, and, god, it's not working there 😮 Research needed to be done. F12, Network tab opened: some weird redirection was happening. I checked the Application tab, Cookies for the site to be precise. At first glance everything looked good, however two of them were missing in the iframe. But wait, what is this: SameSite has the value Lax (checked in the browser, of course, since cookies only appear there).

I checked that with uncle Google, and the first result pointed to a Microsoft release page. So the default value had changed and I needed to revert that somehow. Another search gave me the answer: two values in web.config will do the job.

web.config before the changes looked like this:

<configuration>
 <system.web>
  <authentication>
   <forms cookieSameSite="Lax" requireSSL="false" />
  </authentication>
  <sessionState cookieSameSite="Lax" /> <!-- No config attribute for Secure -->
 </system.web>
</configuration>

After the changes were applied:

<configuration>
 <system.web>
  <authentication>
   <forms cookieSameSite="None" requireSSL="true" />
  </authentication>
  <sessionState cookieSameSite="None" /> <!-- No config attribute for Secure -->
 </system.web>
</configuration>

So after the new values were applied, the SameSite value in developer tools is now None and it started working again.
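A quick way to check this outside the browser, as an added example that is not part of the original post: the script below reads Set-Cookie header values and reports which cookies a browser with the new SameSite defaults would send inside a cross-site iframe. The header values are constructed samples, and the cookie names `.ASPXAUTH` and `ASP.NET_SessionId` are the ASP.NET defaults, assumed here because the post does not name the two missing cookies.

```python
# Added example: audit Set-Cookie headers for cross-site iframe use.
# Rule applied: only SameSite=None together with Secure is sent in a
# cross-site iframe; a missing SameSite attribute is treated as Lax.

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attrs) with lower-case attribute keys."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def iframe_verdict(header):
    """Return (cookie name, sent in cross-site iframe?, reason)."""
    name, attrs = parse_set_cookie(header)
    same_site = attrs.get("samesite", "").lower()
    if same_site == "none":
        if "secure" in attrs:
            return name, True, "SameSite=None with Secure"
        return name, False, "SameSite=None without Secure is rejected"
    if same_site in ("lax", "strict"):
        return name, False, "SameSite=" + same_site.capitalize()
    return name, False, "no SameSite attribute, treated as Lax"


# Constructed sample headers (not captured from the site in the post).
SAMPLE_HEADERS = [
    ".ASPXAUTH=abc123; path=/; HttpOnly; SameSite=Lax",
    "ASP.NET_SessionId=xyz789; path=/; HttpOnly; SameSite=None",
    ".ASPXAUTH=abc123; path=/; secure; HttpOnly; SameSite=None",
    "theme=dark; path=/",
]


def audit(headers):
    """Run iframe_verdict over every header and return the list of verdicts."""
    return [iframe_verdict(h) for h in headers]


if __name__ == "__main__":
    for name, sent, reason in audit(SAMPLE_HEADERS):
        print(f"{name:20} {'sent' if sent else 'BLOCKED':8} {reason}")
```

The second sample shows the case the "No config attribute for Secure" comment hints at: a session cookie with SameSite=None still needs the Secure flag from somewhere, otherwise the browser drops it.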

Hope that will help you even a bit 🙂
To the next read!
Lukasz
