Internet Explorer/Edge (not Chromium) add additional SameSite=Lax when SameSite=None Secure


Problem description

I have .NET MVC application loaded in iframe in Microsoft Dynamics page. Initially the user will open the home page. The home controller redirects to the login page:

return RedirectToAction("Index", "Login", new { returnUrl = redirectURL, error = errorMessage });

This was OK before the update KB4533002 (Cumulative Update for .NET), which adds SameSite=Lax when SameSite is None or not specified. Then I added outbound rules in the web config to send SameSite=None; Secure.

<rewrite>
  <outboundRules>
    <clear />
    <rule name="Add SameSite" preCondition="No SameSite">
      <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
      <action type="Rewrite" value="{R:0}; SameSite=None" />
    </rule>
    <rule name="Add Secure" preCondition="No Secure">
      <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
      <action type="Rewrite" value="{R:0}; Secure" />
    </rule>
    <preConditions>
      <preCondition name="No SameSite">
        <add input="{RESPONSE_Set_Cookie}" pattern="." />
        <add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=None" negate="true" />
      </preCondition>
      <preCondition name="No Secure">
        <add input="{RESPONSE_Set_Cookie}" pattern="." />
        <add input="{RESPONSE_Set_Cookie}" pattern="; Secure" negate="true" />
      </preCondition>
    </preConditions>
  </outboundRules>
</rewrite>

This works in Chrome, Firefox and the latest Edge.

But Internet Explorer and Edge (not Chromium) are adding additional SameSite:

HttpOnly: true
path:/
SameSite: Lax
SameSite: None
Secure: true

(Screenshot from Edge Developer Tools)

Anyone with an idea how to prevent this?

Recommended answer

Thank you Yu Zhou. This was helpful, but instead of Unspecified I set it to None.

<sessionState mode="SQLServer" sqlConnectionString="***" ... cookieless="UseCookies" cookieSameSite="None" />

This with the outbound rules (SameSite=None; Secure) worked for me.
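
An added example, not part of the original question or answer: a simplified Python model of the two outbound rules above, plus an audit of the resulting Set-Cookie value for conflicting SameSite attributes. It assumes IIS URL Rewrite's default precondition matching (all inputs must match, case-insensitive) and that the patched session cookie carries SameSite=Lax by default; the cookie values are constructed.

```python
import re

# Simplified model of the page's two outbound rules (assumption: IIS URL Rewrite
# defaults, i.e. every precondition input must match, case-insensitive regex).
def apply_outbound_rules(set_cookie: str) -> str:
    if set_cookie and not re.search(r"; SameSite=None", set_cookie, re.I):
        set_cookie += "; SameSite=None"   # fires even if SameSite=Lax is present
    if set_cookie and not re.search(r"; Secure", set_cookie, re.I):
        set_cookie += "; Secure"
    return set_cookie

def parse_attributes(set_cookie: str):
    """Return (cookie_name, [(attribute_name_lowercased, value), ...])."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = []
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs.append((key.strip().lower(), value.strip()))
    return name, attrs

def audit(set_cookie: str):
    """List SameSite problems found in one Set-Cookie header value."""
    name, attrs = parse_attributes(set_cookie)
    samesite = [v.lower() for k, v in attrs if k == "samesite"]
    secure = any(k == "secure" for k, _ in attrs)
    findings = []
    if len(set(samesite)) > 1:
        findings.append(f"{name}: conflicting SameSite values {samesite}")
    elif len(samesite) > 1:
        findings.append(f"{name}: duplicate SameSite attribute")
    if "none" in samesite and not secure:
        findings.append(f"{name}: SameSite=None without Secure")
    return findings

# Constructed sample values, not captured from the page's application.
PATCHED_DEFAULT = "ASP.NET_SessionId=abc123; path=/; HttpOnly; SameSite=Lax"
WITH_COOKIESAMESITE_NONE = "ASP.NET_SessionId=abc123; path=/; HttpOnly; SameSite=None"

if __name__ == "__main__":
    for raw in (PATCHED_DEFAULT, WITH_COOKIESAMESITE_NONE):
        rewritten = apply_outbound_rules(raw)
        print(rewritten, "->", audit(rewritten) or "ok")
```

The first sample reproduces the Lax plus None pair from the question; the second shows the cookie after cookieSameSite="None", where the rules only append Secure.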
