Chrome Samesite Problem

  • Question

  • User-549756379 posted

    Hi,

    I updated Google Chrome and Visual Studio to the latest stable version, and now I have a problem deleting my cookie.

    Everything is configured for SameSite, like sessionState with cookieSameSite="None" requireSSL="true".

    All cookies are set with:

    https is on

    SameSite = SameSiteMode.None

    Secure = true

    But Chrome sends this error:

    Mark cross-site cookies as Secure to allow setting them in cross-site contexts

    Cookies marked with SameSite=None must also be marked with Secure to allow setting them in a cross-site context. This behavior protects user data from being sent over an insecure connection.

    Resolve this issue by updating the attributes of the cookie:

    • Specify SameSite=None and Secure if the cookie is intended to be set in cross-site contexts. Note that only cookies sent over HTTPS may use the Secure attribute.
    • Specify SameSite=Strict or SameSite=Lax if the cookie should not be set by cross-site requests

    Other browsers have no problem; everything works fine.

    Please guide me.

    Thanks

    Wednesday, July 29, 2020 8:51 AM

Answers

  • User-939850651 posted

    Hi O.Masnournia,

    I created a simple example of this problem, created a cookie in Index, and deleted it in Welcome. In fact, it was successfully deleted.
    But when I change the Secure property to false, it will not be able to delete cookies.

    public IActionResult Index()
    {
        // Chrome 80+ only accepts SameSite=None when Secure is also set.
        var cookieOptions = new CookieOptions
        {
            Secure = true,
            HttpOnly = true,
            SameSite = SameSiteMode.None
        };
        Response.Cookies.Append("test", "test value", cookieOptions);
        //var value = HttpContext.Request.Cookies["test"];
        var cookieValue = Request.Cookies["test"];
        ViewData["cookieValue"] = cookieValue;
        return View();
    }

    public IActionResult Welcome()
    {
        // The expiring Set-Cookie carries the same Secure/SameSite attributes as the original.
        Response.Cookies.Delete("test", new CookieOptions
        {
            Secure = true,
            HttpOnly = true,
            SameSite = SameSiteMode.None
        });
        var cookieValue = Request.Cookies["test"];
        ViewData["cookieValue"] = cookieValue;
        return View();
    }

    Index page:
    
    <h1>Index</h1>
    <h2>@ViewData["cookieValue"]</h2>
    <a href="/user/Welcome">to welcome page</a>
    
    Welcome page:
    
    <h1>Welcome</h1>
    
    Cookie:
    <b>
        @if (ViewData["cookieValue"] == null)
        {
            <label>Cookie has deleted</label>
        }
        else
        {
            <label>@ViewData["cookieValue"]</label>
        }
    </b>

    So I think you need to double check whether the correct attribute value is set for it.

    If possible, please provide more information, including relevant sample code and related settings.

    Best regards,

    Xudong Peng

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, July 31, 2020 10:18 AM
  • User-549756379 posted

    Yes,

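    // .NET Framework (System.Web): overwrite the cookie with an expired one that keeps Secure and SameSite=None.
    var cookie = Request.Cookies["CookiName"];
    if (cookie != null) // the indexer returns null when the browser did not send the cookie
    {
        cookie.Secure = true;
        cookie.SameSite = SameSiteMode.None;
        cookie.Expires = DateTime.Now.AddYears(-1);
        cookie.Value = "";
        HttpContext.Current.Response.Cookies.Add(cookie);
    }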

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, July 31, 2020 10:21 AM

All replies

  • User-939850651 posted

    Hi O.Masnournia,

    O.Masnournia

    I update my google chrome and visual studio to last stable version now I have problem to delete my cookie

    According to your description, I guess that the Chrome client version you are using is not compatible with SameSite = None.

    And Google begins to impose new cookie policies by default for users beginning with Chrome 80, which is slated to be released in early 2020.

    In the new specification Google defines that in order to set a Cookie with SameSite=None, you also have to set the Secure flag.

    For more details, please refer to the link below:

    SameSite=None: Known Incompatible Clients

    How To Correctly Delete Your SameSite Cookies In Chrome (80+)

    [Http Foundation] Fix clear cookie samesite

    Best regards,

    Xudong Peng

    Thursday, July 30, 2020 6:15 AM
  • User-549756379 posted

    Hi, my Google Chrome version is

    Version 84.0.4147.105

    Thursday, July 30, 2020 6:26 AM
  • User-939850651 posted

    Hi O.Masnournia,

    Could you provide the version of .NET Core?

    As mentioned in the link I gave, there is another problem: ASP.NET Core authentication cookies are handled differently and managed by CookieManager. Unfortunately, because the old specification does not require security flags, the CookieManager code in .NET Core Framework (and .NET Full Framework) will not copy it into the actual Cookies.Delete() call at all.

    This problem will be resolved in .NET Core 2.1 and .NET Core 3.x, but not in .NET Core 2.2.

    If you are using .NET Core 2.2, you probably should update to .NET Core 3.

    Best regards,

    Xudong Peng

    Thursday, July 30, 2020 9:35 AM
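
The rule in Chrome's message and the deletion failure discussed in this thread, as an added example (not code from any poster or from ASP.NET): a Node.js check that flags Set-Cookie headers carrying SameSite=None without Secure, and marks the ones that are expiry headers, since a rejected expiry header leaves the cookie in the browser. The function names and sample headers are constructed for illustration.

```javascript
// Parse one Set-Cookie header value; returns null if it has no name=value pair.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim()).filter(Boolean);
  const eq = pair ? pair.indexOf('=') : -1;
  if (eq < 1) return null;
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// A header is a deletion when Max-Age <= 0 or Expires lies in the past.
function isDeletion(cookie, now = Date.now()) {
  const maxAge = cookie.attrs['max-age'];
  if (maxAge !== undefined && Number(maxAge) <= 0) return true;
  const exp = cookie.attrs['expires'];
  return exp !== undefined && Date.parse(exp) <= now;
}

// One finding per header that breaks the SameSite=None-requires-Secure rule.
function auditSetCookies(headers, now = Date.now()) {
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    if (!c) continue;
    const sameSite = String(c.attrs['samesite'] || '').toLowerCase();
    if (sameSite === 'none' && !c.attrs['secure']) {
      findings.push({ name: c.name, deletion: isDeletion(c, now),
                      reason: 'SameSite=None without Secure' });
    }
  }
  return findings;
}

// Constructed sample headers (not captured from a real application).
const SAMPLE_HEADERS = [
  'test=test%20value; path=/; secure; samesite=none; httponly',          // set: accepted
  'test=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; samesite=none', // delete without Secure
  'test=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; secure; samesite=none',
  'prefs=dark; path=/; samesite=lax',
];

console.log(auditSetCookies(SAMPLE_HEADERS));
```

A finding with `deletion: true` is the case from this thread: the expiry header is refused, so the original cookie stays in place.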
  • User-549756379 posted

    Hi, I use .NET 4.8

    Thursday, July 30, 2020 2:33 PM
  • User1166908476 posted

    Thanks for the answer, everything was well specified; it helped me and us.

    Friday, August 7, 2020 10:14 AM