如何将 SameSite 属性自动添加到我的 Asp.net_SessionID cookie? [英] how SameSite attribute added to my Asp.net_SessionID cookie automatically?

问题描述

最近samesite=lax 自动添加到我的会话cookie！此属性只是添加到 sessionID:"Set-Cookie ASP.NET_SessionId=zana3mklplqwewhwvika2125; path=/; HttpOnly; **SameSite=Lax**"

Recently samesite=lax add automatically to my session cookie! this attribute just add to sessionID: "Set-Cookie ASP.NET_SessionId=zana3mklplqwewhwvika2125; path=/; HttpOnly; **SameSite=Lax**"

我的网站托管在 IIS 8.5、Windows 2012 R2 上，没有 WAF 或 UrlRewrite，我关闭了 AntiVirus (kasper).

My website hosted on IIS 8.5, Windows 2012 R2, and dont have WAF or UrlRewrite and I turn off AntiVirus (kasper).

但在某些客户服务器上仍然存在同样的问题.

but yet have same problem on some customer servers.

有什么想法吗?

已我发现这个:https://support.microsoft.com/en-us/help/4524419/kb4524419

当 HttpCookie.SameSite 值为无"时，ASP.NET 现在将发出 SameSite cookie 标头，以适应 Chrome 中 SameSite cookie 处理即将发生的变化.作为此更改的一部分，FormsAuth 和 SessionState cookie 也将使用 SameSite = 'Lax' 而不是之前的默认值 'None' 发出，尽管这些值可以在 web.config 中覆盖.

ASP.NET will now emit a SameSite cookie header when HttpCookie.SameSite value is 'None' to accommodate upcoming changes to SameSite cookie handling in Chrome. As part of this change, FormsAuth and SessionState cookies will also be issued with SameSite = 'Lax' instead of the previous default of 'None', though these values can be overridden in web.config.

如何在 web.config 中覆盖 SessionState 的相同站点 cookie?我添加了这一行，但它不适用于 SessionID cookie！<httpCookies sameSite="Unspecified"/>

How can i overridde samesite cookies for SessionState in web.config? i add this line, but it not work on SessionID cookie! <httpCookies sameSite="Unspecified" />

我发现这个:https://docs.microsoft.com/en-us/dotnet/api/system.web.configuration.sessionstatesection.cookiesamesite?view=netframework-4.8#System_Web_Configuration_SessionStateSection_CookieSameSite

通过SessionState标签的cookieSameSite"属性为stateserver设置samesite.

Set samesite for stateserver by "cookieSameSite" attribute of SessionState tag.

推荐答案

我不能使用重写，因为 UrlRewrite 没有安装在我所有的客户服务器上.

I can't use rewrite, because UrlRewrite not installed on all my customers servers.

最后我将 cookieSameSite 添加到我的 web.config:

Finally i add cookieSameSite to my web.config:

<sessionState mode="StateServer" cookieSameSite="None" sqlConnectionString="data source=(local);user id=sa;password=" cookieless="false" timeout="20" />

这篇关于如何将 SameSite 属性自动添加到我的 Asp.net_SessionID cookie?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！