Reacting to browser SameSite changes in 3.1.0-preview1, impacts OpenIdConnect
Browsers like Chrome and Firefox are making breaking changes to their implementations of SameSite for cookies. These changes impact remote authentication scenarios like OpenIdConnect and WsFederation, which must now explicitly opt out by sending SameSite=None. However, SameSite=None breaks on iOS 12 and some older versions of other browsers, so the application will need to sniff for those versions and omit the SameSite attribute entirely.
For discussion on this issue see aspnet/AspNetCore#14996.
SameSite is a 2016 draft standard extension to HTTP cookies intended to mitigate cross site request forgery (CSRF). It was originally designed as a feature servers would opt into by adding the new attribute to their Set-Cookie headers. ASP.NET Core 2.0 added initial support for SameSite.
Google is now pushing a new draft standard that is not backwards compatible. It changes the default mode to Lax and adds a new value, None, to opt out. Lax is OK for most application cookies but breaks cross site scenarios like OpenIdConnect and WsFederation login, because those providers return the login result with a cross-site POST (form_post) and a Lax cookie is not sent on cross-site POSTs. Most OAuth logins are not affected because the provider returns the result with a GET redirect, a top-level navigation on which Lax cookies are still sent. The new None value causes compatibility problems with clients that implemented the prior draft (e.g. iOS 12, which treats None as Strict, and older Chrome versions that reject the cookie outright). Chrome plans to go live with their changes in Chrome 80 in February 2020.
For other recent changes in this area see the 3.0 announcement, where most defaults were changed from Lax to None (but still using the prior standard, under which None meant the attribute was simply omitted; in 3.1 None now emits SameSite=None and the new SameSiteMode.Unspecified takes over the role of omitting the attribute).
Reason for change
Browser and spec changes as outlined above.
Applications that interact with remote sites, such as through 3rd party login, will need to test those scenarios on multiple browsers, including iOS 12 and a current Chrome with the new behavior enabled, and apply the CookiePolicy browser sniffing mitigation discussed below.
Supporting older browsers:
In Startup.cs add the following
This switch will be removed in the next major version.
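The CookiePolicy browser-sniffing mitigation referred to above, written out as an added example; this is not the announcement's own sample and does not reproduce the switch it shows. It assumes ASP.NET Core 3.1, where SameSiteMode.Unspecified means "emit no SameSite attribute", and uses the CookiePolicyOptions OnAppendCookie/OnDeleteCookie callbacks to rewrite SameSite=None to Unspecified for clients known to mishandle None. The user-agent patterns (iOS 12, macOS 10.14 Safari, Chrome 51-66) and the helper names CheckSameSite and SameSiteCompat are this example's own choices.

```csharp
// Added example (not the announcement's code): rewrite SameSite=None to
// "omit the attribute" for clients that reject or misread SameSite=None.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<CookiePolicyOptions>(options =>
        {
            // Unspecified (new in 3.1) = emit no SameSite attribute at all.
            // Do not let the policy force a minimum that would re-add it.
            options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
            options.OnAppendCookie = ctx => CheckSameSite(ctx.Context, ctx.CookieOptions);
            options.OnDeleteCookie = ctx => CheckSameSite(ctx.Context, ctx.CookieOptions);
        });

        // Remote authentication registrations (AddOpenIdConnect, AddWsFederation, ...)
        // go here; their correlation/nonce cookies are what need SameSite=None.
    }

    public void Configure(IApplicationBuilder app)
    {
        // UseCookiePolicy must run before any middleware that writes cookies,
        // otherwise the callbacks never see the authentication cookies.
        app.UseCookiePolicy();
        app.UseAuthentication();
        app.UseRouting();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }

    // Only cookies that asked for None are touched; Lax/Strict cookies are left alone.
    private static void CheckSameSite(HttpContext httpContext, CookieOptions options)
    {
        if (options.SameSite == SameSiteMode.None)
        {
            var userAgent = httpContext.Request.Headers["User-Agent"].ToString();
            if (SameSiteCompat.DisallowsSameSiteNone(userAgent))
            {
                // Older client: fall back to the pre-draft behavior (no attribute).
                options.SameSite = SameSiteMode.Unspecified;
            }
        }
    }
}

public static class SameSiteCompat
{
    // Returns true for user agents known to mishandle SameSite=None.
    // Patterns are this example's selection, not an exhaustive list.
    public static bool DisallowsSameSiteNone(string userAgent)
    {
        if (string.IsNullOrEmpty(userAgent))
        {
            return false;
        }

        // iOS 12: every browser on iOS uses the system WebKit, which treats
        // SameSite=None as SameSite=Strict, so the login cookie is never sent back.
        if (userAgent.Contains("CPU iPhone OS 12") || userAgent.Contains("iPad; CPU OS 12"))
        {
            return true;
        }

        // macOS 10.14 Safari and embedded WebKit views share the same bug.
        if (userAgent.Contains("Macintosh; Intel Mac OS X 10_14")
            && userAgent.Contains("Version/")
            && userAgent.Contains("Safari"))
        {
            return true;
        }

        // Chrome 51-66 reject cookies carrying SameSite=None outright. The prefix
        // match also catches 50 and 67-69, where omitting the attribute is harmless
        // because those versions do not default to Lax.
        if (userAgent.Contains("Chrome/5") || userAgent.Contains("Chrome/6"))
        {
            return true;
        }

        return false;
    }
}
```

Sniffing on User-Agent is inherently a heuristic: a misclassified modern browser gets a cookie with no SameSite attribute and, under the new default, will treat it as Lax and break the cross-site POST login, so test the OpenIdConnect and WsFederation flows on each browser family you care about after deploying this.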
I've made a correction to the sample code above. It used to read:
But the corrected version is: