-
Notifications
You must be signed in to change notification settings - Fork 218
SameSite cookies
SameSite is a standard that aims to prevent cross-site request forgery (CSRF) attacks. Originally drafted in 2016, it was updated in 2019. The latest version not being backwards compatible. The 2016 specification added a SameSite attribute to the HTTP cookies with possible values Lax
and Strict
. The 2019 version added a None
value and set Lax
as the default. See links below for more information.
Since some previous versions of browsers are incompatible with new SameSite behavior, Microsoft Identity Web provides a workaround. HandleSameSiteCookieCompatibility
method in CookiePolicyOptionsExtensions
class verifies if the browser supports the None
value. If it doesn't, the library tells ASP.NET not to set the SameSite attribute. DisallowsSameSiteNone
method performs the parsing of the user agent. One overload of HandleSameSiteCookieCompatibility
method does allow developers to specify their own implementation.
If a developer wants to modify the behavior of ASP.NET authentication cookie, AddMicrosoftIdentityWebApp
method accepts a configuration action. The code snippet below shows how the authentication cookie can be set to SameSite=None
.
services
.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(
options => {
Configuration.Bind("AzureAdB2C");
},
options => {
options.Cookie.SameSite = SameSiteMode.None;
options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
options.Cookie.IsEssential = true;
});
Alternatively, a Configure
or PostConfigure
method can be used to achieve the same result (after the call to AddMicrosofIdentitytWebApp
)
services.Configure<CookieAuthenticationOptions>(CookieAuthenticationDefaults.AuthenticationScheme, options => {
options.Cookie.SameSite = SameSiteMode.None;
options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
options.Cookie.IsEssential = true;
});
More information can be found in these articles:
- Home
- Why use Microsoft Identity Web?
- Web apps
- Web APIs
- Using certificates
- Minimal support for .NET FW Classic
- Logging
- Azure AD B2C limitations
- Samples
- Web apps
- Web app samples
- Web app template
- Call an API from a web app
- Managing incremental consent and conditional access
- Web app troubleshooting
- Deploy to App Services Linux containers or with proxies
- SameSite cookies
- Hybrid SPA
- Web APIs
- Web API samples
- Web API template
- Call an API from a web API
- Token Decryption
- Web API troubleshooting
- web API protected by ACLs instead of app roles
- gRPC apps
- Azure Functions
- Long running processes in web APIs
- Authorization policies
- Generic API
- Customization
- Logging
- Calling graph with specific scopes/tenant
- Multiple Authentication Schemes
- Utility classes
- Setting FIC+MSI
- Mixing web app and web API
- Deploying to Azure App Services
- Azure AD B2C issuer claim support
- Performance
- specify Microsoft Graph scopes and app-permissions
- Integrate with Azure App Services authentication
- Ajax calls and incremental consent and conditional access
- Back channel proxys
- Client capabilities