Some Cookie SameSite defaults changed to None #348
Labels: 3.0.0 (Announcements related to ASP.NET Core 3.0); Announcement; Breaking change; Documented (The breaking change has been published to the .NET Core docs)
Some Cookie SameSite defaults changed to None
SameSite is an option for cookies that can help mitigate some CSRF attacks. When this option was initially introduced, inconsistent defaults were used across various AspNetCore APIs, which led to confusing results. In 3.0.0-preview4 we've better aligned these defaults and made the feature opt-in on a per-component basis.
Version introduced
3.0
Old behavior
APIs defaulted to SameSiteMode.Lax.
New behavior
APIs default to SameSiteMode.None.
Reason for change
To make SameSite an opt-in feature.
Recommended action
Each component that emits cookies needs to decide whether SameSite is appropriate for its scenarios. Review your usage of the affected APIs and reconfigure SameSite as needed.
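As an added example (not code from this announcement or from the ASP.NET Core repository), here is a Startup class for a 3.0 app in which each cookie-emitting component states its SameSite value explicitly rather than inheriting the new default. The announcement only names CookieOptions among the affected APIs; the cookie policy middleware, cookie authentication and antiforgery settings shown are other cookie-emitting components this example assumes the app uses. The route /remember and the cookie name remember are made up for illustration.

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

// Example only: every component below that writes a cookie chooses its own
// SameSite value instead of relying on the framework default, which is now None.
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Cookie policy middleware: a floor applied to every cookie the app writes.
        // Lax here restores the app-wide behaviour the older default implied.
        services.Configure<CookiePolicyOptions>(options =>
        {
            options.MinimumSameSitePolicy = SameSiteMode.Lax;
            options.Secure = CookieSecurePolicy.Always;
        });

        // Authentication cookie: this is the cookie a CSRF request would ride on.
        // Strict breaks sign-in flows that redirect back from another site,
        // so Lax is the usual choice (assumed suitable for this app).
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(options =>
            {
                options.Cookie.SameSite = SameSiteMode.Lax;
                options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
                options.Cookie.HttpOnly = true;
            });

        // Antiforgery token cookie: only ever read back on same-site form posts,
        // so Strict costs nothing here.
        services.AddAntiforgery(options =>
        {
            options.Cookie.SameSite = SameSiteMode.Strict;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseCookiePolicy();   // before anything that appends cookies
        app.UseAuthentication();
        app.UseRouting();
        app.UseEndpoints(endpoints =>
        {
            // A hand-written cookie: CookieOptions no longer implies Lax, so say so.
            // Route and cookie name are hypothetical.
            endpoints.MapGet("/remember", async context =>
            {
                context.Response.Cookies.Append("remember", "1", new CookieOptions
                {
                    SameSite = SameSiteMode.Lax,
                    Secure = true,
                    HttpOnly = true,
                });
                await context.Response.WriteAsync("cookie set");
            });
        });
    }
}
```

The check to make after upgrading is to inspect the Set-Cookie headers the app actually sends: a cookie left at the new default arrives with no SameSite attribute, as the "opt-in" wording above implies, and the browser's own default then decides whether it is attached to cross-site requests. Choose Lax for cookies that must survive a top-level cross-site navigation (sign-in redirects), Strict for cookies only ever used on same-site requests, and set the value deliberately per component rather than app-wide.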
Category
ASP.NET
Affected APIs
- … has changed its default from SameSiteMode.Lax to SameSiteMode.None.
- CookieOptions has changed its default from SameSiteMode.Lax to SameSiteMode.None.
- … has changed its default from SameSiteMode.Lax to SameSiteMode.None.
Issue metadata