https://github.com/IdentityServer/IdentityServer4/issues/3901
One of the changes in the new SameSite spec is that cookies marked as SameSite=None can only be set if also marked as Secure. This is fine when we're setting cookies, but it also causes a problem when trying to delete cookies.
There are a few code paths such as the ChunkingCookieManager used by CookieAuth that don't properly flow the Secure attribute on the delete code path.
https://github.com/aspnet/AspNetCore/blob/049cdec742ac8a582d6a5d85ed4ae590b42db681/src/Shared/ChunkingCookieManager/ChunkingCookieManager.cs#L287
This was fixed in 3.0 but should be backported to 2.1. 2.2 is also affected, but has reached end-of-life.
@blowdart @anurse
Mitigation: The CookieManager can be set, replace the 2.1 ChunkingCookieManager with the code from 3.0. You may also be able to adjust this behavior using CookiePolicy similar to the example shown in aspnet/AspNetCore#14996.
This seems like it would meet the 2.1 bar for me. It requires a large workaround (that is basically porting the 3.0 change). The original SameSite changes met the bar and this is a clear continuation of that work. (cc @Pilchie in case he has thoughts)
I think the commit which just could be cherry-picked is https://github.com/aspnet/AspNetCore/commit/6fa9398781531fe2702f2cab34a5ab4883568150#diff-2f4e8f46b2b0ca7fa8ec27a1608968d5.
@anurse And 2.2?
2.2 will be end-of-life on December 23rd, 2019. Our next patch will be in January. So no, 2.2 will not be patched with this change.
Mitigation: The CookieManager can be set, replace the 2.1 ChunkingCookieManager with the code from 3.0. You may also be able to adjust this behavior using CookiePolicy similar to the example shown in #14996.
Just to double-check:
@Tratcher Is it really as simple as copying that patched class in your project and setting a new instance of it to the CookieAuthenticationOptions.CookieManager property when configuring the services?
It does not help to put that in the DI, as it's not taken from there anyway, right?
@gingters a copy should work, though I haven't tried it yet. You will want to rename it.
You're correct that DI is not involved here.
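The CookiePolicy-based mitigation mentioned above, as an added example that is not code from this thread or from ASP.NET Core itself. It assumes ASP.NET Core 2.1.14 or later with Microsoft.AspNetCore.CookiePolicy in the pipeline; the helper name `EnsureSecureForSameSiteNone` and the `Startup` layout are mine.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    // Added helper (not from the thread): force Secure whenever SameSite=None is
    // about to be emitted, so the browser always sees "SameSite=None; Secure".
    // This also covers the delete path, because ChunkingCookieManager.DeleteCookie
    // clears cookies by appending expired ones, and CookiePolicyMiddleware wraps
    // Response.Cookies so each of those appends passes through OnAppendCookie.
    private static void EnsureSecureForSameSiteNone(CookieOptions options)
    {
        if (options.SameSite == SameSiteMode.None)
        {
            options.Secure = true;
        }
    }

    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<CookiePolicyOptions>(options =>
        {
            options.OnAppendCookie = ctx => EnsureSecureForSameSiteNone(ctx.CookieOptions);
            options.OnDeleteCookie = ctx => EnsureSecureForSameSiteNone(ctx.CookieOptions);
        });

        // Cross-site cookie auth scenario (e.g. an external identity provider):
        // the cookie must be SameSite=None, and therefore Secure, on set and delete.
        services.AddAuthentication("Cookies").AddCookie("Cookies", options =>
        {
            options.Cookie.SameSite = SameSiteMode.None;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        // Order matters: the policy wrapper must be in place before the cookie
        // handler (and any SignOutAsync further downstream) writes Set-Cookie.
        app.UseCookiePolicy();
        app.UseAuthentication();
        // ... app.UseMvc() etc.
    }
}
```

Setting `CookiePolicyOptions.Secure = CookieSecurePolicy.Always` is the blunter alternative; the callbacks above limit the change to cookies that actually carry SameSite=None, which is the only case the browser rejects.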
@anurse Hi, just to confirm, was this fix released in 2.1.16? Does .NET Framework 4.8 have this issue? If so, when will that be patched?
@daver77 yes this has been fixed in 2.1.16 which is the planned Feb patch releasing soon.
There's no comparable API in .NET Framework unless you're using Microsoft.Owin?
Thanks, yeah, I'm using OWIN, OpenID using IdentityServer4.
For Microsoft.Owin you need to use version 4.1.0 for these scenarios.