Announcement: SameSite Cookie Handling and .NET Framework 4.7.2 Patch Availability on Azure App Service
The new version of Chrome releasing in February 2020 is changing how it handles cross-site and iframe cookies. These changes affect all applications regardless of the language or framework used. Developers relying on these scenarios need to update their apps to handle these changes.
As part of Azure App Service’s January 2020 update, the service is installing .NET Framework patches that update how .NET framework apps handle the SameSite cookie property, which impacts cross-site and iframe cookie scenarios. The service is also deploying an App Service compatibility behavior that applies to all applications running on App Service for scenarios where a cookie has set the SameSite property to "None".
.NET Core versions on the App Service platform already contain updates for SameSite cookie handling and are not changing as part of the January 2020 service update.
[Updated: February 03, 2020] The January 2020 Azure App Service deployment is completed (>99% completion) across the public Azure cloud, App Service Environments, and national clouds.
Since the updates are deployed incrementally across the service, applications will start running on the newer App Service payload at different times during the deployment period. Developers can determine if applications are running on the updated App Service payload by checking the version of App Service in the SCM site. The SCM site is available in the portal from the Development Tools --> Advanced Tools option. Alternatively, developers can navigate directly to the SCM site for an application using the following Url format: https://your-sitename-here.scm.azurewebsites.net.
For Windows App Service sites, the home page of the SCM site shows the Azure App Service version. If the version is 220.127.116.11 (or later), then the associated application is running on the newly patched version of App Service.
For Linux App Service sites, clicking on the Environment option in the top menu of the SCM site will return a page with all of the site's environment variables. The resultant page will have a Url format like: https://your-sitename-here.scm.azurewebsites.net/Env. The PLATFORM_VERSION environment variable shows the current App Service version. If the version is 18.104.22.168 (or later), then the associated application is running on the newly patched version of App Service.
Information on Changes to Cross-Site Cookie Handling in the New Version of Chrome
Chrome is changing how cross-site cookies (and by extension iframe cookie scenarios) are handled by adopting a more stringent set of rules around how and when cross-site access to cookies is allowed. Detailed information on the changes to cross-site cookie handling in Chrome v80 is available at: https://blog.chromium.org/2019/10/developers-get-ready-for-new.html
The estimated date for when Chrome v80 will start rolling out with the new cookie handling behavior is available on this page under the Launch Timeline section: https://www.chromium.org/updates/same-site
Latest Guidance on Working With SameSite Cookies in ASP.NET
[Updated: February 28, 2020]
The latest updated guidance is available from this link: https://learn.microsoft.com/aspnet/samesite/system-web-samesite
This guidance includes links to sample browser detection code and cookie handling logic in the "Supporting older browsers" section.
Temporary Mitigation for Session State and Forms Authentication
[Updated: January 27, 2020]
.NET Framework sites that rely on sending session state cookies or forms authentication cookies in cross-site scenarios can include the following configuration snippets in web.config to temporarily revert to pre-patch cookie behavior. The add element belongs under appSettings; the forms and sessionState elements belong under system.web (the forms element sits inside the existing authentication element, so merge the cookieSameSite attribute into it rather than adding a second forms element):

<configuration>
  <appSettings>
    <add key="aspnet:SuppressSameSiteNone" value="true" />
  </appSettings>
  <system.web>
    <authentication mode="Forms">
      <!-- keep the existing loginUrl, name, timeout, etc.; only cookieSameSite is new -->
      <forms cookieSameSite="None" />
    </authentication>
    <sessionState cookieSameSite="None" />
  </system.web>
</configuration>
These settings have the cumulative effect of reverting forms authentication and session state to pre-patch behavior. The cookieSameSite configuration properties will configure forms authentication and session state to use None for the SameSite property in their respective cookies. The aspnet:SuppressSameSiteNone application setting will instruct .NET Framework to never send the SameSite=None property on the wire.
Important: The above configuration snippets are only a temporary mitigation. Once new browsers like Chrome v80 start rolling out SameSite changes, developers will need to remove the configuration snippets shown above, and will instead need to implement a code-based mitigation in their applications to dynamically handle different user agents.
Details on the .NET Framework Patch for SameSite
Specific details on differences in SameSite cookie handling included in the .NET Framework 4.7.2 patch are described in this article: https://support.microsoft.com/help/4533013/kb4533013-cumulative-update-for-net-framework.
With the .NET Framework patch installed, the .NET Framework changes the defaults for the cookieSameSite configuration property for Session State and Forms Authentication to "Lax". The .NET Framework also automatically sends the SameSite=None cookie property on the wire when HttpCookie.SameSite has been set to a value of "None".
Additional information about SameSite cookie handling with the .NET Framework is available in these articles:
Documentation on the forms authentication cookieSameSite default is available in this article:
Documentation on the session state cookieSameSite default is available in this article:
Additional information about SameSite cookie handling with .NET Core is available in this article:
Details on Azure App Service Compatibility Behavior
In addition to the .NET Framework patch, Azure App Service has introduced a compatibility behavior for the scenario where an HTTP/HTTPS response includes a Set-Cookie header with a SameSite property set to a value of "None", and the requesting user agent matches a specific subset of older browsers that do not support the newer 2019 SameSite standard and hence do not recognize the SameSite value "None". When such an older browser is detected, Azure App Service automatically removes the SameSite=None property from the Set-Cookie header before the response leaves the platform.
The net effect of the App Service compatibility behavior is that a specific subset of older browsers won’t receive an unrecognized SameSite value (which can cause older browsers to revert to SameSite=Strict behavior), while newer browsers (like Chrome v80) will receive the SameSite=None cookie property.
The specific detection logic used by App Service for deciding when to remove the SameSite=None property from a response follows the pseudo-logic documented in this article:
It is recommended for developers to review their applications’ usage and reliance (if any) on the SameSite cookie property, and update application logic with user agent detection and special handling as appropriate for each application’s scenario. The App Service platform’s compatibility behavior is intended only as a partial mitigation to aid developers while applications are updated to handle the 2019 SameSite behavior implemented in newer browser versions.
Developers should also review additional browser requirements when cookies include the SameSite=None property. For example, Chrome v80 will only honor SameSite=None if the cookie is also marked with the Secure attribute, and the cookie is flowing over an HTTPS connection. More details are available in this article: https://blog.chromium.org/2019/10/developers-get-ready-for-new.html
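The following is an added example of the code-based, per-user-agent mitigation that the sections above say applications will need once the temporary web.config settings are removed. It is not code from this announcement, from the linked Microsoft guidance, or from the App Service platform itself. It assumes .NET Framework 4.7.2 with the KB4533013 patch (or later) installed, so that HttpCookie.SameSite and SameSiteMode.None exist and the framework emits SameSite=None on the wire; the sentinel value (SameSiteMode)(-1), which the patched framework treats as "emit no SameSite attribute", is likewise assumed from that patch. The user-agent matching follows the published list of clients that mishandle SameSite=None (Chrome 51-66, UC Browser before 12.13.2, all browsers on iOS 12, and the WebKit stack on macOS 10.14); treat it as a starting point to be checked against your own telemetry. The class and method names (SameSitePolicy, DisallowsSameSiteNone, Apply) are this example's own.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;

// Added example; not the announcement's, Microsoft's, or App Service's code.
// Assumes .NET Framework 4.7.2 + KB4533013 or later (HttpCookie.SameSite exists).
public static class SameSitePolicy
{
    static readonly Regex ChromeVersion =
        new Regex(@"Chrom(?:e|ium)/(\d+)", RegexOptions.Compiled);
    static readonly Regex UcVersion =
        new Regex(@"UCBrowser/(\d+)\.(\d+)\.(\d+)", RegexOptions.Compiled);

    // Assumed from the patch: -1 tells the framework to emit no SameSite attribute at all.
    const SameSiteMode DoNotEmit = (SameSiteMode)(-1);

    // True when the client is known to misread SameSite=None (as Strict, or drop the cookie).
    public static bool DisallowsSameSiteNone(string ua)
    {
        if (string.IsNullOrEmpty(ua)) return false;

        // Every browser on iOS 12, and Safari / embedded WebKit on macOS 10.14.
        if (ua.Contains("CPU iPhone OS 12") || ua.Contains("iPad; CPU OS 12")) return true;
        if (ua.Contains("Macintosh; Intel Mac OS X 10_14") &&
            ua.Contains("Version/") && ua.Contains("Safari")) return true;

        // Chrome 51-66 reject cookies that carry SameSite=None.
        Match chrome = ChromeVersion.Match(ua);
        if (chrome.Success)
        {
            int major = int.Parse(chrome.Groups[1].Value);
            if (major >= 51 && major <= 66) return true;
        }

        // UC Browser before 12.13.2 has the same defect.
        Match uc = UcVersion.Match(ua);
        if (uc.Success)
        {
            var v = new Version(int.Parse(uc.Groups[1].Value),
                                int.Parse(uc.Groups[2].Value),
                                int.Parse(uc.Groups[3].Value));
            if (v < new Version(12, 13, 2)) return true;
        }
        return false;
    }

    // Rewrite every outgoing cookie on one response. Must run before headers are flushed.
    public static void Apply(HttpContext ctx)
    {
        bool legacyClient = DisallowsSameSiteNone(ctx.Request.UserAgent);
        HttpCookieCollection cookies = ctx.Response.Cookies;

        for (int i = 0; i < cookies.Count; i++)
        {
            HttpCookie c = cookies[i];
            if (c.SameSite != SameSiteMode.None) continue;   // only None needs special handling

            if (legacyClient)
            {
                // Old client: sending None would be read as Strict (or dropped), so send nothing.
                c.SameSite = DoNotEmit;
            }
            else if (!ctx.Request.IsSecureConnection)
            {
                // Chrome v80 only honours None together with Secure over HTTPS. On plain HTTP
                // there is no compliant way to send it, so degrade to Lax instead of an
                // attribute the browser will discard along with the cookie.
                c.SameSite = SameSiteMode.Lax;
            }
            else
            {
                c.Secure = true;   // None is rejected unless the cookie is also Secure
            }
        }
    }
}

// Global.asax.cs wiring. EndRequest runs before the buffered response is flushed, so the
// session state and forms authentication cookies added earlier in the pipeline are still
// editable here (assumption: the application does not call Response.Flush() before EndRequest).
public class Global : HttpApplication
{
    protected void Application_EndRequest(object sender, EventArgs e)
    {
        SameSitePolicy.Apply(((HttpApplication)sender).Context);
    }
}
```

Because this runs on every response it also covers cookies the application never touches directly, such as the session state and forms authentication cookies once their cookieSameSite setting is "None". The App Service edge behavior described below does a similar rewrite only for the fixed subset of older browsers it recognizes; keeping the logic in the application means the browser list can be extended as new incompatibilities are found, and the Secure requirement is enforced regardless of which platform the site runs on.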
The Azure App Service compatibility behavior is implemented on App Service’s network edge infrastructure. The behavior is active for all sites running on App Service, regardless of the language or framework used by the site. The compatibility functionality works for sites running on both the Linux and Windows variations of App Service, for App Service Environments, and for all national cloud deployments of Azure App Service.