Deployment slots cookies on app services are missing the SameSite attribute

Kornelis 21 Reputation points
2021-08-05T15:24:27.427+00:00

Hello,

A lot of the applications we develop are used from within iframes (there is no reasonable way around that, sadly). This nowadays, with all modern browsers, means that all cookies for our application MUST contain the ‘SameSite’ attribute, with a value of ‘None’. Otherwise the browser will not include them with successive requests to our Azure App Service instances.

When using deployment slots, Azure appends and uses its own cookies to determine the deployment slot for a specific HTTP request. So far so good, yet the problem is that Azure currently does not set the ‘SameSite’ attribute at all, as is demonstrated in this image:
[Image: 120892-naamloos.png]

And so we can’t currently use deployment slots properly with our App Service instances, since having to tell customers, or even our consultants, to manually set the SameSite attribute to ‘None’ within their browser’s development console, to test deployments before publishing them to all users, is not going to work.

The ARR affinity cookie already supports this attribute out of the box, by adding a 2nd cookie specifically for it. Is it possible to add the SameSite attribute to the deployment slot cookies as well?


Accepted answer
  1. brtrach-MSFT 15,356 Reputation points Microsoft Employee
    2021-08-10T05:27:07.143+00:00

    @Kornelis Those are certainly modern browsers that should not be impacted by the changes I previously mentioned.

    We expanded our investigation and came across an update that we would like to share with you. It was recently discovered that the x-ms-routing and TipMix cookies are missing from requests if SameSite=None. This is the same issue you're reporting. This has been a feature request since February, which can be viewed here. The product group has gone ahead and added this functionality to app services. Unfortunately, it missed build 95 (July) and has been included in build 96 (August). Please note that build 95 was paused for a few days, which delayed its rollout. Build 95 has started rolling out again as of yesterday and should complete shortly.

    In regards to build 96, which will need build 95 to complete its rollout, it's slated for August/September now due to the pause in rolling out 95. This is the most accurate date we can currently provide and please note this can change to ensure a quality rollout.

    To view what build you are currently on, please navigate to https://sitename.scm.azurewebsites.net and replace sitename with the name of your web app.

    Please let us know if you have concerns or questions about this and we can work to try and address them in a follow-up reply if necessary. Otherwise, it should be just a little bit longer until this functionality is added. Thank you for your patience and understanding.


    1 person found this answer helpful.
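
One way to check a response for the condition discussed in this thread, as an added example that is not part of either post and is not Microsoft's code: it parses `Set-Cookie` header values and reports which cookies a current browser will send from inside a cross-site iframe. The function names are hypothetical and the header values in `SAMPLE_HEADERS` are constructed, not captured from a real App Service response.

```javascript
// Added example: classify Set-Cookie headers by whether a browser will send
// the cookie on requests made from inside a cross-site iframe.

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  const name = eq === -1 ? "" : pair.slice(0, eq);
  return { name, value: pair.slice(eq + 1), attrs };
}

// Current browser defaults: a cookie with no SameSite attribute is treated as
// Lax, and SameSite=None is only accepted together with Secure.
function crossSiteVerdict(header) {
  const { name, attrs } = parseSetCookie(header);
  const sameSite = typeof attrs.samesite === "string" ? attrs.samesite.toLowerCase() : null;
  if (sameSite === null) return { name, sent: false, reason: "no SameSite, defaults to Lax" };
  if (sameSite !== "none") return { name, sent: false, reason: `SameSite=${attrs.samesite}` };
  if (!attrs.secure) return { name, sent: false, reason: "SameSite=None without Secure is rejected" };
  return { name, sent: true, reason: "SameSite=None; Secure" };
}

// Constructed sample headers; cookie names follow the thread's wording.
const SAMPLE_HEADERS = [
  "x-ms-routing=staging; Max-Age=3600; Path=/; Secure; HttpOnly",
  "TipMix=42.5; Path=/; HttpOnly; Secure",
  "ARRAffinity=abc123; Path=/; HttpOnly; Secure",
  "ARRAffinitySameSite=abc123; Path=/; HttpOnly; SameSite=None; Secure",
  "session=xyz; Path=/; SameSite=None",
];

function audit(headers) {
  return headers.map(crossSiteVerdict);
}

for (const v of audit(SAMPLE_HEADERS)) {
  console.log(`${v.sent ? "sent   " : "dropped"} ${v.name}: ${v.reason}`);
}
```
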
