The new SameSite=None behavior works properly in ASP.NET Core 2.1 projects running on .NET Core, but when I create a cookie the same way in ASP.NET Core running on .NET Framework 4.7.2 (with latest patches installed), it does not explicitly set SameSite=None on the cookie.
In Visual Studio 2017 (15.9.18), create a new ASP.NET Core Web Application, targeting .NET Framework and ASP.NET Core 2.1.
Once the project is created, go into project properties and set the target framework to .NET Framework 4.7.2.
In Startup.ConfigureServices(), set options.CheckConsentNeeded = context => false; and options.MinimumSameSitePolicy = (SameSiteMode)(-1) in the cookie policy options.
Then, in Controllers\HomeController.cs, add a using Microsoft.AspNetCore.Http; directive, and then add the following code at the start of the Index() method:
    Response.Cookies.Append($"SameSiteCookieTest", "frtw", new CookieOptions
    {
        Expires = DateTimeOffset.UtcNow.AddDays(1),
        SameSite = SameSiteMode.None,
        Secure = true
    });
Test the site with browser dev tools open, and inspecting the cookie and the HTTP response will both show that no "SameSite=None" is present on the cookie.
Follow the same instructions (minus the change to target framework, which is unnecessary) using an ASP.NET Core 2.1 web application targeting .NET Core, and "SameSite=None" will be present on the cookie as expected.
Update KB4533094 is installed, which I understand is the one that includes the SameSite changes for .NET Framework 4.7.2.
dotnet --info
.NET Core SDK (reflecting any global.json):
Version: 2.1.510
Commit: e3fb0379d7
Runtime Environment:
OS Name: Windows
OS Version: 10.0.17763
OS Platform: Windows
RID: win10-x64
Base Path: C:\Program Files\dotnet\sdk\2.1.510\
Host (useful for support):
Version: 2.2.5
Commit: 0a3c9209c0
.NET Core SDKs installed:
1.1.7 [C:\Program Files\dotnet\sdk]
1.1.11 [C:\Program Files\dotnet\sdk]
1.1.14 [C:\Program Files\dotnet\sdk]
2.1.4 [C:\Program Files\dotnet\sdk]
2.1.100 [C:\Program Files\dotnet\sdk]
2.1.202 [C:\Program Files\dotnet\sdk]
2.1.500 [C:\Program Files\dotnet\sdk]
2.1.509 [C:\Program Files\dotnet\sdk]
2.1.510 [C:\Program Files\dotnet\sdk]
2.2.107 [C:\Program Files\dotnet\sdk]
.NET Core runtimes installed:
Microsoft.AspNetCore.All 2.1.6 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
Microsoft.AspNetCore.All 2.1.13 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
Microsoft.AspNetCore.All 2.1.14 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
Microsoft.AspNetCore.All 2.2.5 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
Microsoft.AspNetCore.App 2.1.6 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 2.1.13 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 2.1.14 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 2.2.5 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.NETCore.App 1.0.9 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 1.0.13 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 1.0.16 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 1.1.6 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 1.1.10 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 1.1.13 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 2.0.5 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 2.0.9 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 2.1.6 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 2.1.13 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 2.1.14 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 2.2.5 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
@Tratcher will take a look here. @oculys-andrew can you provide a runnable project that reproduces the issue? If @Tratcher can't repro this we may need that to ensure we fully understand your context.
@anurse Sure, here's one of the projects I tested this with:
Those .NET KBs only affect System.Web; they are not required for ASP.NET Core on .NET.
For a .NET Framework based ASP.NET Core app, what you need to do is update the transitive NuGet package dependencies. Microsoft.Net.Http.Headers is the dependency that directly affects the cookie behavior in this scenario. Your app transitively references Microsoft.Net.Http.Headers 2.1.1; you need to add a direct reference to 2.1.14. I did this for your repro app and it started working.
<PackageReference Include="Microsoft.Net.Http.Headers" Version="2.1.14" />
You wouldn't see this on .NET Core because the whole runtime is patched together; it doesn't rely on transitive NuGet package references.
I'll add some clarifications to https://github.com/dotnet/aspnetcore/issues/14996.
@anurse @blowdart FYI the 2.1.14 and 2.2.8 patches missed updating a transitive dependency, leading to this discoverability issue on .NET. This isn't a problem for most .NET Core scenarios because the whole runtime is patched as a unit and loading rolls forward.
Current:
Microsoft.AspNetCore.CookiePolicy 2.1.14 (latest)
-> Microsoft.AspNetCore.Http 2.1.1 (latest)
-> Microsoft.Net.Http.Headers 2.1.1 (2.1.14 exists)
What it should be:
Microsoft.AspNetCore.CookiePolicy 2.1.14 (latest)
-> Microsoft.AspNetCore.Http 2.1.14 (does not currently exist)
-> Microsoft.Net.Http.Headers 2.1.14 (latest)
The workaround is to add a direct reference to Microsoft.Net.Http.Headers 2.1.14.
It's unclear if this meets the bar for patching.
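A build-time check for the stale transitive dependency described above, as an added example that is not part of the original thread or of any ASP.NET Core tooling. It assumes the restored project's obj/project.assets.json, whose "libraries" map is keyed by "Name/Version"; the function names and the BEFORE/AFTER samples are constructed for illustration.

```python
import json
import sys

PACKAGE = "Microsoft.Net.Http.Headers"
MIN_FIXED = (2, 1, 14)  # version the thread names as emitting SameSite=None


def parse_version(text):
    """Turn '2.1.14' into (2, 1, 14); a '-suffix' pre-release tag is ignored."""
    return tuple(int(part) for part in text.split("-", 1)[0].split("."))


def resolved_versions(assets, package=PACKAGE):
    """Versions of `package` that NuGet actually resolved (direct or transitive)."""
    found = []
    for key in assets.get("libraries", {}):
        name, _, version = key.partition("/")
        if name.lower() == package.lower() and version:
            found.append(version)
    return sorted(found, key=parse_version)


def classify(version):
    """'stale' or 'ok' on the 2.1.x line; other lines are 'unchecked' because
    the thread only gives the fixed package version for 2.1.x."""
    parsed = parse_version(version)
    if parsed[:2] != MIN_FIXED[:2]:
        return "unchecked"
    return "ok" if parsed >= MIN_FIXED else "stale"


def audit(assets):
    """Map each resolved version of the package to its status."""
    return {v: classify(v) for v in resolved_versions(assets)}


# Constructed samples shaped like project.assets.json (only the keys used here).
BEFORE = {"libraries": {"Microsoft.AspNetCore.CookiePolicy/2.1.14": {},
                        "Microsoft.AspNetCore.Http/2.1.1": {},
                        "Microsoft.Net.Http.Headers/2.1.1": {}}}
AFTER = {"libraries": {"Microsoft.AspNetCore.CookiePolicy/2.1.14": {},
                       "Microsoft.AspNetCore.Http/2.1.1": {},
                       "Microsoft.Net.Http.Headers/2.1.14": {}}}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to a real obj/project.assets.json
        with open(sys.argv[1], encoding="utf-8") as handle:
            result = audit(json.load(handle))
    else:
        result = audit(BEFORE)
    print(result)
    sys.exit(1 if "stale" in result.values() else 0)
```

Run against a real project after `dotnet restore`, the non-zero exit code can fail a CI step when the unpatched package is still being resolved.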
@Tratcher Thanks for your work, and the workaround! All works as expected for me now.
Resolved via doc and announcement updates.
https://github.com/aspnet/Announcements/issues/390#issuecomment-575385338
https://github.com/dotnet/aspnetcore/issues/14996#issuecomment-573218852
https://github.com/aspnet/AspNetCore.Docs/pull/16570