Microsoft, .NET Framework 4.7.2, CSRF and Samesite

Marc Davis 1 Reputation point
2023-08-11T15:59:19.8966667+00:00

I have a question...and some of the information is a bit confusing so I wanted to get other confirmation/validation.

I have a Web Pages web site, not MVC or WebForms. It's Web Pages, in VB.NET, and it uses .NET Framework 4.7.2.

Our CheckMarx vulnerability app identified CSRF items.

CSRF appears to be centered on IDs or tokens. It can be curtailed by the use of SameSite on the cookies.

The existing web.config has:

    <httpCookies sameSite="None" requireSSL="true"/>
    <authentication mode="Forms">
      <forms requireSSL="true"/>
    </authentication>

And

    <sessionState cookieSameSite="None" cookieless="false" timeout="360"/>

Now, this is where the confusing part comes in. MS has an article that speaks of SameSite, and this is why the above has None and Secure. But the article:

https://learn.microsoft.com/en-us/aspnet/samesite/system-web-samesite

Seems to say that SameSite and None and Secure are appropriate. Or should it be SameSite=Lax?

It seems a bit confusing and I hope somebody can help bring some sense to it.


2 answers

  1. Bruce (SqlWork.com) 57,806 Reputation points
    2023-08-11T18:36:36.64+00:00

    When browsers implemented this feature, the default was strict, which broke a lot of sites, so everyone updated their cookie settings to none. It really should be set to strict, but you may need to update your site to support it. See

    https://datatracker.ietf.org/doc/html/draft-west-first-party-cookies-07#section-2.1


  2. Lan Huang-MSFT 26,361 Reputation points Microsoft Vendor
    2023-08-14T05:43:50.96+00:00

    Hi @Marc Davis,

    "It seems a bit confusing and hope somebody can help bring some sense to it."

    You can read this blog which explains in detail the pros and cons of several properties of SameSite.

    SameSite=Lax is the default mode used when you don't explicitly specify a SameSite mode. From the MDN documentation:

    Means that the cookie is not sent on cross-site requests, such as on requests to load images or frames, but is sent when a user is navigating to the origin site from an external site (for example, when following a link). This is the default behavior if the SameSite attribute is not specified.

    SameSite=None means that the browser sends the cookie with both cross-site and same-site requests. The Secure attribute must also be set when setting this value, like so: SameSite=None; Secure.

    The one advantage of SameSite=None is that cookies are always sent, so if you need a cookie to be sent cross site, it's your only choice, Strict and Lax won't work.

    The disadvantage of None cookies is that they do nothing to protect you from CSRF attacks, disabling the protections that Strict or Lax cookies would provide. For this reason, you generally shouldn't use SameSite=None by default. Only use it where it's strictly required.

    Defense against CSRF Principles

    Best regards,
    Lan Huang


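As an added example (not from either answer or from Microsoft's documentation): the web.config fragment from the question, with its SameSite=None settings, beside a hardened version that uses Lax and also sets the forms authentication cookie explicitly, which the original leaves unset. The attribute names (httpCookies sameSite, forms cookieSameSite, sessionState cookieSameSite) are assumed to be the ones the linked Microsoft article documents for .NET Framework 4.7.2; check them against that article before applying.

```xml
<!-- Before (as posted in the question): with None, the session and auth
     cookies ride along on every cross-site request, so the SameSite
     attribute gives no CSRF protection at all; only Secure is enforced. -->
<system.web>
  <httpCookies sameSite="None" requireSSL="true" />
  <authentication mode="Forms">
    <!-- no cookieSameSite here: the auth cookie inherits the httpCookies
         default, i.e. None -->
    <forms requireSSL="true" />
  </authentication>
  <sessionState cookieSameSite="None" cookieless="false" timeout="360" />
</system.web>

<!-- After: Lax withholds the cookies from cross-site subresource loads and
     cross-site POSTs (the classic forged form submission), but still sends
     them on top-level navigations such as following a link from another
     site, so logins and external links keep working. Strict would block
     that navigation case as well and usually needs site changes. -->
<system.web>
  <httpCookies sameSite="Lax" requireSSL="true" />
  <authentication mode="Forms">
    <!-- assumed attribute: sets SameSite on the forms auth cookie itself -->
    <forms cookieSameSite="Lax" requireSSL="true" />
  </authentication>
  <sessionState cookieSameSite="Lax" cookieless="false" timeout="360" />
</system.web>
```

Lax still sends the cookies on top-level GET navigations, so any page that changes state on a GET request is not covered by this setting. Treat SameSite as defence in depth; per-request anti-forgery tokens remain the primary control the Checkmarx CSRF finding is asking for.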