SameSite Cookie Configuration for IIS on Exchange Server 2019

Step to IT
2025-03-19T12:21:32.87+00:00

Exchange Server 2019 is in use within the organization, and during a recent system security audit, the security department's penetration tests identified a vulnerability related to the "SameSite" attribute of cookies being set to "None".

Is it possible to change the "SameSite" cookie attribute to "Strict" or "Lax"? If it is possible, what steps are necessary to implement this change? Additionally, is it essential to make this modification?

Efforts were made to address this issue by editing the "web.config" file and utilizing the "URL Rewrite Module" in IIS, but these attempts did not produce the desired outcome.

Exchange | Exchange Server | Management

Accepted answer
  1. Anonymous
    2025-03-20T02:44:49.84+00:00

    Hi @Step to IT ,

    Welcome to the Microsoft Q&A platform!

    It is possible to change the SameSite attribute of a cookie to either Strict or Lax, depending on your needs and the target browser. For example, in Chromium browsers cookies must be treated as SameSite=Lax, and as for the modifications you mentioned, they cannot override the cookie attributes generated by the application code. Here is some documentation for your reference:
    https://learn.microsoft.com/en-us/aspnet/samesite/system-web-samesite#using-samesite-in-aspnet-472-and-48
    https://learn.microsoft.com/en-us/azure/application-gateway/configuration-http-settings#cookie-based-affinity


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

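Added example (not from the question or the accepted answer): a PowerShell check that reproduces the audit finding from the question by parsing the Set-Cookie headers a server returns and flagging cookies that are SameSite=None or carry no SameSite attribute, so that the effect of any web.config or URL Rewrite change can be verified against the live server. The sample headers are constructed for illustration, the host name mail.example.com is a placeholder, and the function names Test-SameSiteHeader and Get-SetCookieHeader are introduced here.

```powershell
# Added example; not code from the original question, the answer, or Exchange itself.
# Parses Set-Cookie headers and reports the SameSite posture of each cookie.

function Test-SameSiteHeader {
    param([Parameter(Mandatory)][string[]]$SetCookie)

    foreach ($header in $SetCookie) {
        # First segment is "name=value"; the rest are attributes (Path, Secure, HttpOnly, SameSite, ...).
        $parts = $header -split ';' | ForEach-Object { $_.Trim() }
        $name  = ($parts[0] -split '=', 2)[0]

        $sameSite = $null; $secure = $false; $httpOnly = $false
        foreach ($attr in ($parts | Select-Object -Skip 1)) {
            if     ($attr -match '^SameSite=(\w+)$') { $sameSite = $Matches[1] }   # -match is case-insensitive
            elseif ($attr -eq 'Secure')              { $secure   = $true }
            elseif ($attr -eq 'HttpOnly')            { $httpOnly = $true }
        }

        # Classify: Strict/Lax are fine; None is a cross-site cookie and must also be Secure;
        # no attribute means the browser applies its own default (Lax in current Chromium).
        $status =
            if     ($sameSite -in 'Strict', 'Lax')       { "OK: SameSite=$sameSite" }
            elseif ($sameSite -eq 'None' -and $secure)   { 'REVIEW: SameSite=None; cookie is sent on cross-site requests' }
            elseif ($sameSite -eq 'None')                { 'FAIL: SameSite=None without Secure; browsers reject this cookie' }
            else                                         { 'WARN: no SameSite attribute; browser default applies' }

        [pscustomobject]@{
            Cookie   = $name
            SameSite = $sameSite
            Secure   = $secure
            HttpOnly = $httpOnly
            Status   = $status
        }
    }
}

function Get-SetCookieHeader {
    param([Parameter(Mandatory)][uri]$Uri)
    # HttpWebRequest with redirects disabled, so the cookies set on each hop
    # (e.g. a redirect to the logon page) can be inspected individually.
    $request = [System.Net.HttpWebRequest]::Create($Uri)
    $request.AllowAutoRedirect = $false
    $request.Method = 'GET'
    try   { $response = $request.GetResponse() }
    catch [System.Net.WebException] { $response = $_.Exception.Response }   # 4xx/5xx still carry headers
    if (-not $response) { throw "No HTTP response from $Uri" }

    $headers = $response.Headers.GetValues('Set-Cookie')   # one entry per Set-Cookie header, or $null
    $response.Close()
    if ($headers) { $headers } else { @() }
}

# Constructed sample headers (illustrative; not captured from a real Exchange server).
$sample = @(
    'sessionid=abc123; path=/; secure; HttpOnly',
    'auth=def456; expires=Fri, 20-Mar-2026 12:00:00 GMT; path=/; secure; HttpOnly; SameSite=None',
    'pref=1; path=/; SameSite=None',
    'canary=ghi789; path=/; secure; HttpOnly; SameSite=Lax'
)
Test-SameSiteHeader -SetCookie $sample | Format-Table -AutoSize

# Live check against your own server (placeholder host name); repeat for /owa/ and /ecp/:
# Test-SameSiteHeader -SetCookie (Get-SetCookieHeader -Uri 'https://mail.example.com/owa/') | Format-Table -AutoSize
```

Run the live check before and after any change so the result is measured rather than assumed. Two caveats specific to Exchange: customizations to the web.config files under the Exchange installation path are overwritten when a Cumulative Update is installed, so any rewrite rule or httpCookies setting has to be reapplied after each CU; and SameSite=Strict withholds the cookie on top-level navigations from other sites, so a user who opens OWA from a link on another site arrives without a session. Lax is the usual target; None is only legitimate for a cookie that genuinely must be sent cross-site, and it then requires Secure.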
