How to set the "SameSite=None" and "Secure" options on cookies generated by IS4?
I use IS4 to authenticate to an ASP.NET Core API called by an Angular web site.
Since Chrome 80, cookies must be "SameSite=None" and "Secure" to be read by another domain.
So I tried some changes in Startup.cs, without success...
// Startup.cs (excerpt)
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public void ConfigureServices(IServiceCollection services)
{
    //...
    // Configures the application's own cookie scheme ("Cookies"),
    // not the scheme IS4 uses for its session cookie.
    services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
        .AddCookie(options =>
        {
            options.Cookie.SameSite = SameSiteMode.None;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            options.Cookie.IsEssential = true;
        });
    //...
}

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    //...
    app.UseCookiePolicy(new CookiePolicyOptions
    {
        MinimumSameSitePolicy = SameSiteMode.None,
        Secure = CookieSecurePolicy.Always,
    });
    app.UseAuthentication();
    //...
}
Do you know how I can modify the "SameSite" and "Secure" options on the cookies generated by IS4?
Thanks
This should enable you to override the cookie options for the IS4 cookies.
// Override the CookieAuthenticationOptions for DefaultCookieAuthenticationScheme
// https://github.com/IdentityServer/IdentityServer4/blob/c30de032ec1dedc3b17dfa342043850638e84b43/src/IdentityServer4/src/Configuration/DependencyInjection/ConfigureInternalCookieOptions.cs#L28
services.Configure<CookieAuthenticationOptions>(IdentityServerConstants.DefaultCookieAuthenticationScheme, options =>
{
    options.Cookie.SameSite = SameSiteMode.None;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.Cookie.IsEssential = true;
});
Then use the External cookie authentication scheme for the external cookie.
You can follow by this blog post: https://www.thinktecture.com/en/identity/samesite/prepare-your-identityserver/
This doesn't seem to take effect. I've set mine to Strict and put the Secure Policy to None, yet Chrome still receives a cookie with SameSite None.
Thanks for your feedback.
I tried to follow the link https://www.thinktecture.com/en/identity/samesite/prepare-your-identityserver/ but without success :(
If that helps, my Startup.cs file is attached
Startup.txt
"The setting SameSite=None will only work if the cookie is also marked as Secure and requires a HTTPS connection."
The main reason is this code:
    // Cover Chrome 50-69, because some versions are broken by SameSite=None
    // and none in this range require it.
    // Note: this covers some pre-Chromium Edge versions,
    // but pre-Chromium Edge does not require SameSite=None.
    // Notes from Thinktecture:
    // We can not validate this assumption, but we trust Microsofts
    // evaluation. And overall not sending a SameSite value equals to the same
    // behavior as SameSite=None for these old versions anyways.
    if (userAgent.Contains("Chrome/5") || userAgent.Contains("Chrome/6"))
    {
        return true;
    }
This code only checks whether Chrome is version 5x or 6x, but Chrome is now 8x. You can modify the code as follows (sorry for my bad English):
    // Cover Chrome 50-69, because some versions are broken by SameSite=None
    // and none in this range require it.
    // Note: this covers some pre-Chromium Edge versions,
    // but pre-Chromium Edge does not require SameSite=None.
    // Notes from Thinktecture:
    // We can not validate this assumption, but we trust Microsofts
    // evaluation. And overall not sending a SameSite value equals to the same
    // behavior as SameSite=None for these old versions anyways.
    // Alternative prefix match, which would only cover Chrome 80-89:
    // || userAgent.Contains("Chrome/8")
    if (userAgent.Contains("Chrome/5") || userAgent.Contains("Chrome/6"))
    {
        return true;
    }

    // Parse the major version instead of matching a prefix, so 80, 81, ... are all matched.
    var chromeVersion = GetChromeVersion(userAgent);
    if (chromeVersion >= 80)
    {
        return true;
    }
Function GetChromeVersion:
    // Extracts the major version from a User-Agent such as
    // "... Chrome/80.0.3987.132 Safari/537.36" -> 80.
    // Requires "using System;" for Convert and Exception.
    private static int GetChromeVersion(string userAgent)
    {
        try
        {
            return Convert.ToInt32(userAgent.Split("Chrome/")[1].Split('.')[0]);
        }
        catch (Exception)
        {
            // No "Chrome/" token (Firefox, Safari, ...) or an unparsable version.
            return 0;
        }
    }
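As an added example (the editor's code, not code from this thread, the Thinktecture post, or IdentityServer4), the following puts the two pieces of this thread together: the override of the IS4 cookie schemes from the first answer, and a user-agent check that parses the Chrome major version rather than matching "Chrome/5"-style prefixes. The class and method names (SameSiteCookies, ChromeMajorVersion, NeedsSameSiteNoneRemoved, AddSameSiteNoneCookies) are this example's own. It assumes ASP.NET Core 3.1, where SameSiteMode.Unspecified exists. The version range is an assumption taken from the comment in the sample above: the SameSite attribute is dropped only for Chrome 50-69 ("broken by SameSite=None"), while Chrome 80 and later, the versions that require the attribute, keep SameSite=None; Secure.

```csharp
// Added example (editor's code, not from the thread, the Thinktecture post, or IS4).
// Assumes ASP.NET Core 3.1 (SameSiteMode.Unspecified) and IdentityServer4.
using System;
using System.Text.RegularExpressions;
using IdentityServer4;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public static class SameSiteCookies
{
    // Matches "Chrome/80.0.3987.132" and captures the major version ("80").
    private static readonly Regex ChromeVersion =
        new Regex(@"Chrome/(\d+)\.", RegexOptions.Compiled);

    // Chrome major version, or 0 when the UA is not Chromium-based
    // (Firefox, Safari, ...) or the version cannot be parsed.
    public static int ChromeMajorVersion(string userAgent)
    {
        if (string.IsNullOrEmpty(userAgent)) return 0;
        var m = ChromeVersion.Match(userAgent);
        return m.Success && int.TryParse(m.Groups[1].Value, out var major) ? major : 0;
    }

    // Assumed range (from the sample's comment): Chrome 50-69 is broken by
    // SameSite=None and does not require it, so those clients get no SameSite
    // attribute at all. Chrome 80+ keeps SameSite=None so the cookie survives
    // the cross-site call from the Angular site.
    public static bool NeedsSameSiteNoneRemoved(string userAgent)
    {
        var major = ChromeMajorVersion(userAgent);
        return major >= 50 && major <= 69;
    }

    // Runs for every appended/deleted cookie; only touches cookies that were
    // configured as SameSite=None, and only for clients that cannot handle it.
    private static void CheckSameSite(HttpContext httpContext, CookieOptions options)
    {
        if (options.SameSite != SameSiteMode.None) return;

        var userAgent = httpContext.Request.Headers["User-Agent"].ToString();
        if (NeedsSameSiteNoneRemoved(userAgent))
        {
            // Unspecified => the SameSite attribute is omitted from Set-Cookie.
            options.SameSite = SameSiteMode.Unspecified;
        }
    }

    public static IServiceCollection AddSameSiteNoneCookies(this IServiceCollection services)
    {
        // Both IS4 cookies: the session cookie ("idsrv") and the external-login
        // cookie ("idsrv.external"). Configuring the app's own "Cookies" scheme,
        // as in the question, does not reach these.
        foreach (var scheme in new[]
        {
            IdentityServerConstants.DefaultCookieAuthenticationScheme,
            IdentityServerConstants.ExternalCookieAuthenticationScheme,
        })
        {
            services.Configure<CookieAuthenticationOptions>(scheme, options =>
            {
                options.Cookie.SameSite = SameSiteMode.None;
                // SameSite=None is only honoured together with Secure (HTTPS).
                options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
                options.Cookie.IsEssential = true;
            });
        }

        services.Configure<CookiePolicyOptions>(options =>
        {
            // Do not force a minimum; each scheme decides, and the hooks below
            // remove the attribute again for the incompatible clients.
            options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
            options.Secure = CookieSecurePolicy.Always;
            options.OnAppendCookie = ctx => CheckSameSite(ctx.Context, ctx.CookieOptions);
            options.OnDeleteCookie = ctx => CheckSameSite(ctx.Context, ctx.CookieOptions);
        });

        return services;
    }
}

// Startup wiring (the only lines that change there):
//   ConfigureServices: services.AddSameSiteNoneCookies();
//   Configure:         app.UseCookiePolicy();  // before UseAuthentication()/UseIdentityServer()
```

app.UseCookiePolicy() must run before the authentication and IdentityServer middleware, otherwise the OnAppendCookie hook never sees the IS4 cookies. Chrome is only one of the clients that mishandle SameSite=None (iOS 12 Safari and macOS 10.14 Safari are others); the Thinktecture post linked above carries the fuller list, and the same NeedsSameSiteNoneRemoved function is the place to extend it.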
@namnhcntt you saved me!
Indeed, I wasn't checking the right version of Chrome.
Thanks for your help
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.