App Service multi-instances application - InProc sessionstate, ArrAffinity cookie, SameSite attribute and last version of Chrome

Mab-SS 21 Reputation points
2020-09-10T17:17:39.257+00:00

Hi,

We have an ASP.NET web application hosted in an Azure App Service with multiple instances. SessionState is stored "InProc". Load balancing between instances is managed by the built-in ARR module.
For business reasons, some of our partners use this application inside an iFrame, which is comparable to a cross-site scenario.

Since the last Chrome version, we have encountered some problems because Chrome, by default in cross-site scenarios, refuses cookies that don't have the "SameSite=None" and "Secure" attributes.

The "ARRAffinity" cookie emitted by the ARR module does not have these attributes.

I found a workaround for all the other cookies emitted by the application that were in the same situation by using the <rewrite> section in web.config, but it seems ARRAffinity is not affected by my rules, meaning the cookie is probably managed later in the request lifecycle, by the load balancer.

Is there a way to configure/force this cookie to have the SameSite=None and Secure attributes?

Thanks for your help

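The question describes Chrome's cross-site cookie defaults and a cookie (ARRAffinity) that lacks the required attributes. The following added example (not code from the original post or from Azure) audits a response's Set-Cookie headers against those defaults, so a team can see which cookies will not reach the app when it is embedded in a partner's iframe. The sample headers are constructed; the ARRAffinity value and domain are placeholders.

```python
"""Audit Set-Cookie headers for the cross-site (iframe) case from the question.

Chrome defaults, as the question describes them:
  * no SameSite attribute        -> treated as SameSite=Lax: NOT sent cross-site
  * SameSite=None without Secure -> rejected outright
  * SameSite=None; Secure        -> accepted and sent cross-site
"""
from typing import Dict, List, Tuple


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Return (cookie name, {lower-cased attribute: lower-cased value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip().lower()
    return name, attrs


def cross_site_verdict(header: str) -> str:
    """Classify a cookie as 'ok', 'not-sent' or 'rejected' for a cross-site iframe."""
    _, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite")
    secure = "secure" in attrs          # Secure is a flag with no value
    if samesite is None:
        return "not-sent"               # Chrome defaults a missing SameSite to Lax
    if samesite == "none":
        return "ok" if secure else "rejected"
    return "not-sent"                   # Lax or Strict are never sent cross-site


def audit(headers: List[str]) -> Dict[str, str]:
    """Map each cookie name in a response to its cross-site verdict."""
    return {parse_set_cookie(h)[0]: cross_site_verdict(h) for h in headers}


# Constructed sample response headers (placeholder values, not real cookies)
SAMPLE_HEADERS = [
    "ARRAffinity=PLACEHOLDER; Path=/; HttpOnly; Domain=example-app.azurewebsites.net",
    "ASP.NET_SessionId=abc123; path=/; HttpOnly; SameSite=None; Secure",
    "prefs=dark; Path=/; SameSite=None",
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_HEADERS).items():
        print(f"{name:20} {verdict}")
```

In the sample, the session cookie already carries SameSite=None; Secure, ARRAffinity will silently not be sent to the iframe (so the instance affinity is lost), and the third cookie is rejected because SameSite=None appears without Secure.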

Accepted answer
SnehaAgrawal-MSFT 20,781 Reputation points
2020-09-11T14:22:28.837+00:00

Thanks for asking the question! For those who require session management and are unable to use cookies without the SameSite setting, the recommendation is to adopt a different session management mechanism, such as Redis or Memcached.

You may investigate this feedback which was already created.

Also, if you have additional query on this please send us an email to AzCommunity[at]Microsoft[dot]com referencing this issue.


1 additional answer
Mab-SS 21 Reputation points
2020-09-17T21:03:19.15+00:00

Thanks @SnehaAgrawal-MSFT for your answer.

Yes, we have thought about this solution.
But using a distributed store like Redis or Memcached to handle session management will have an additional cost (significant with Redis for a website having some traffic).

The feedback you mention is very old and the Azure App Service Team response is no longer accurate, I think.
The problem that occurs now with the recent Chrome version will probably occur in Edge in the next months, since Chrome and the new Edge are each based on the Chromium project, which has enforced stricter default security parameters regarding cookie policies.

Anyway, thanks for your help
Best regards
