Solution to SameSite None iFrames with C#


There has been a lot of kerfuffle over Chrome’s upcoming change to how cookies are based when one website is iFraming another website in an effort to further improve the security of the Internet.

At the end of the day, the solution is to set your cookies – specifically the .ASPXAUTH cookie – so that when users navigate the website of the iFrame source the cookies will be passed from page-to-page. This is very important to those who are using FormAuthentication.

The solution requires two changes. Let’s look at them now.

Fixing SameSite None with FormAuthentication

The first part of the solution is to perform a .NET upgrade. The KB4524420 needs to be applied to your web servers.

This is an important update because it allows for the enum option “None” with the SameSite setting. It also, by defaults, sets SameSite to Lax by default with FormAuthentication.

The second part of the solution is to update your Web.config:



In each of the XML attributes (httpCookies, sessionState, and forms) above I’ve added sameSite=”None”. If you haven’t already done so in the past, you also need to set requireSSL=”true” for httpCookies and forms.

This also requires your site being under SSL; very important to not forget this!

About the author

By Jamie

My Books