Solution to SameSite None iFrames with C#


There has been a lot of kerfuffle over Chrome’s upcoming change to how cookies are handled when one website iFrames another, a change intended to further improve the security of the Internet.

At the end of the day, the solution is to set your cookies – specifically the .ASPXAUTH cookie – so that when users navigate the website inside the iFrame, the cookies are passed from page to page. This is very important to anyone using FormsAuthentication.

The solution requires two changes. Let’s look at them now.

Fixing SameSite None with FormsAuthentication

The first part of the solution is to update .NET: KB4524420 needs to be applied to your web servers.

This update is important because it adds the “None” option to the SameSite enum. It also changes the default so that the FormsAuthentication cookie is emitted with SameSite=Lax.

The second part of the solution is to update your Web.config:

[code]




[/code]

In each of the XML elements (httpCookies, sessionState, and forms) above I’ve set the SameSite attribute to "None". If you haven’t already done so in the past, you also need to set requireSSL="true" for httpCookies and forms.

This also requires your site to be served over SSL, because browsers reject a SameSite=None cookie that is not also marked Secure; very important not to forget this!
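The Web.config fragment below is an added example, not the post’s own snippet (which did not survive extraction); the loginUrl value is a placeholder. Note the attribute naming: httpCookies uses sameSite, while forms and sessionState use cookieSameSite.

```xml
<configuration>
  <system.web>
    <!-- Forms authentication: the .ASPXAUTH cookie.
         On <forms> the attribute is cookieSameSite; requireSSL marks the
         cookie Secure, which browsers require for SameSite=None. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login"
             name=".ASPXAUTH"
             cookieSameSite="None"
             requireSSL="true" />
    </authentication>

    <!-- Session cookie (ASP.NET_SessionId): also cookieSameSite. -->
    <sessionState cookieSameSite="None" />

    <!-- Default for every other cookie written through HttpCookie:
         here the attribute is sameSite (no "cookie" prefix). -->
    <httpCookies sameSite="None" requireSSL="true" />
  </system.web>
</configuration>
```

This emits SameSite=None unconditionally; some older browsers (notably Safari on iOS 12 and macOS 10.14) misread None as Strict, which is why Microsoft’s SameSite guidance pairs this setting with a user-agent check before sending the attribute.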


By Jamie
