SameSite cookies - mattchenderson/microsoft-identity-web GitHub Wiki

SameSite is a standard that aims to prevent cross-site request forgery (CSRF) attacks. Originally drafted in 2016, it was updated in 2019, and the latest version is not backwards compatible. The 2016 specification added a SameSite attribute to HTTP cookies with the possible values Lax and Strict. The 2019 version added a None value and made Lax the default. See the links below for more information.

Handling incompatible browsers

Since some older browser versions are incompatible with the new SameSite behavior, Microsoft Identity Web provides a workaround. The HandleSameSiteCookieCompatibility method in the CookiePolicyOptionsExtensions class checks whether the browser supports the None value. If it doesn't, the library tells ASP.NET not to set the SameSite attribute at all, so the cookie is still sent. The DisallowsSameSiteNone method performs the user-agent parsing. One overload of HandleSameSiteCookieCompatibility lets developers supply their own implementation of that check.
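The following is an added example, not code from the microsoft-identity-web wiki or library, showing how the custom-check overload described above can be wired up. It assumes the overload takes a Func<string, bool> that receives the User-Agent header (the shape implied by the description above); the user-agent patterns are this example's own simplified version of the published list of clients known to mishandle SameSite=None (Chrome 51 to 66, UC Browser before 12.13.2, Safari and embedded WebKit on iOS 12 and macOS 10.14).

```csharp
using System;
using System.Text.RegularExpressions;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;

// Custom user-agent check: returns true when the client is known to mishandle
// SameSite=None (it either drops the cookie or treats None as Strict). The
// patterns below are this example's own and deliberately simplified.
public static class SameSiteSupport
{
    public static bool DisallowsSameSiteNone(string userAgent)
    {
        if (string.IsNullOrEmpty(userAgent))
        {
            return false;
        }

        // iOS 12 (Safari and embedded WebKit views) treats None as Strict.
        if (userAgent.Contains("CPU iPhone OS 12") || userAgent.Contains("iPad; CPU OS 12"))
        {
            return true;
        }

        // Safari on macOS 10.14 has the same defect. "Version/" distinguishes
        // Safari from Chromium-based browsers on the same OS.
        if (userAgent.Contains("Macintosh; Intel Mac OS X 10_14")
            && userAgent.Contains("Version/")
            && userAgent.Contains("Safari"))
        {
            return true;
        }

        // Chrome 51 to 66 rejects cookies that carry SameSite=None.
        var chrome = Regex.Match(userAgent, @"Chrom(e|ium)/(\d+)\.");
        if (chrome.Success)
        {
            int major = int.Parse(chrome.Groups[2].Value);
            if (major >= 51 && major <= 66)
            {
                return true;
            }
        }

        // UC Browser on Android before 12.13.2 also rejects it.
        var uc = Regex.Match(userAgent, @"UCBrowser/(\d+)\.(\d+)\.(\d+)");
        if (uc.Success)
        {
            var version = new Version(
                int.Parse(uc.Groups[1].Value),
                int.Parse(uc.Groups[2].Value),
                int.Parse(uc.Groups[3].Value));
            return version < new Version(12, 13, 2);
        }

        return false;
    }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // AddAuthentication / AddMicrosoftIdentityWebApp are configured as shown
        // elsewhere on this page; only the cookie policy wiring is shown here.

        // Hand the library's compatibility handler the custom check above. For
        // requests where the check returns true, the SameSite attribute is left
        // unset on outgoing cookies instead of being emitted as None.
        services.Configure<CookiePolicyOptions>(options =>
        {
            options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
            options.HandleSameSiteCookieCompatibility(SameSiteSupport.DisallowsSameSiteNone);
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        // UseCookiePolicy must run before the authentication middleware so the
        // per-request SameSite adjustment applies to the authentication cookies.
        app.UseCookiePolicy();
        app.UseAuthentication();
        app.UseAuthorization();
    }
}
```

Keeping the check conservative matters: a false positive only drops the SameSite attribute for that client (the cookie still works, with the browser's legacy default), whereas a false negative sends SameSite=None to a client that will discard the cookie and break sign-in.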

Updating cookie options

If a developer wants to modify the behavior of the ASP.NET authentication cookie, the AddMicrosoftIdentityWebApp method accepts a configuration action for the cookie options. The code snippet below shows how the authentication cookie can be set to SameSite=None.

services
    .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(
        options => { 
            // Bind the OpenID Connect options from configuration.
            Configuration.Bind("AzureAdB2C", options);
        }, 
        options => {
            options.Cookie.SameSite = SameSiteMode.None;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            options.Cookie.IsEssential = true;
        });

Alternatively, a Configure or PostConfigure call can be used to achieve the same result (placed after the call to AddMicrosoftIdentityWebApp).

services.Configure<CookieAuthenticationOptions>(CookieAuthenticationDefaults.AuthenticationScheme, options => {
    options.Cookie.SameSite = SameSiteMode.None;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.Cookie.IsEssential = true;
});

Further reading

More information can be found in these articles: