GoogleChromeLabs / samesite-examples

Examples of using the SameSite cookie attribute in a variety of language, libraries, and frameworks.
https://web.dev/samesite-cookies-explained
Apache License 2.0

Add example for ASP.NET prior to 4.7.2. #17

Closed a-habib closed 4 years ago

a-habib commented 4 years ago

ASP.NET prior to 4.7.2 does not support the SameSite attribute of the HttpCookie object. Therefore, the cookie needs to be overwritten using the Set-Cookie header with the SameSite attribute added.

rowan-m commented 4 years ago

@Tratcher @anurse are you able to confirm if this is correct? Thanks!

Tratcher commented 4 years ago

No, this is not a good idea, the PreSendRequestHeaders event has been disavowed as unstable. @blowdart is writing up samples for older versions over at https://github.com/blowdart/AspNetSameSiteSamples.

rowan-m commented 4 years ago

Thank you!

a-habib commented 4 years ago

blowdart's branch is exhaustive and likely will become an official solution for Microsoft. I will remove the fork.

blowdart commented 4 years ago

I think you mean exhausting, but yes, that's my hope. It'll get moved over to an msft org repo once it's complete and the docs people have a run through the instructions.

But thank you for trying to fill in the holes @a-habib I do appreciate it.

a-habib commented 4 years ago

I mean exhaustive as in thorough or complete. But yes exhausting is also an appropriate way to describe the work that needs to be put in. Thank you for covering all the bases for us.

a-habib commented 4 years ago

Your solution to intercept session and forms authentication cookies does not work in the 4.5.2 example. Trying to coerce the path property with the SameSite attribute removes the cookie value and the cookie becomes unusable. In the screenshot you provided on your readme page, you show the authentication cookie set with SameSite=None but you have set the value to "authentication", which is not a valid ASP.NET authentication token.

blowdart commented 4 years ago

Correct. You need to target a version of .net that actually has same site support if you want to change session or auth cookies.

a-habib commented 4 years ago

But quoting from your page on ASP.NET 4.5.2, this implies to me that your session and auth cookie intercept works for 4.5.2. The page does not mention changing the framework target version to 4.7.2.

Intercepting cookies you do not control

.NET 4.5.2 introduced a new event for intercepting the writing of headers, Response.AddOnSendingHeaders. This can be used to intercept cookies before they are returned to the client machine. In the sample we wire up the event to a static method which checks whether the browser supports the new sameSite changes, and if not, changes the cookies to not emit the attribute if the new None value has been set.

blowdart commented 4 years ago

Yes and the more I’ve tried it the less stable it is. Especially if you’re targeting .net 4.5 and running on 4.7.2 or later. We’re still trying to get something working, and as you can see it does not.

But if you want a supported config then get onto and target 4.7.2

a-habib commented 4 years ago

When I created the fork I originally mentioned using the Response.AddHeader and using a Set-Cookie to force the attribute. That way I can overwrite the session and auth cookie with additional attributes such as sameSite.

I agree this is very hacky but I have tested it and it works in 4.5.2 quite consistently (so far). I know ideally we would switch to 4.7.2 but that is not always feasible (due to regression etc.) so this work around works for me for the time being (and gives me time to gradually move over to 4.7.2) without a sudden upgrade of the framework version.

a-habib commented 4 years ago

And Chrome 80 is upon us as we speak.

blowdart commented 4 years ago

The problem with it in 4.5.2 is that it just doesn’t work with auth and session cookies which are generally the ones you want to mess with.

a-habib commented 4 years ago

From my testing, when using AddHeader with a Set-Cookie header in PostAcquireRequestState in the application, I can verify it works for session and auth cookies. The SameSite and Secure attributes are set without deleting the token value.
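For readers following this thread, here is an added illustration of the approach a-habib describes (a raw Set-Cookie header emitted from PostAcquireRequestState). It is not code from this PR, from the samesite-examples repo, or from blowdart's AspNetSameSiteSamples. It assumes the default cookie names (ASP.NET_SessionId and .ASPXAUTH), an IHttpModule registration in web.config, and an abridged user-agent list for the clients that mishandle SameSite=None; all of those are my assumptions, not facts from the page.

```csharp
using System;
using System.Globalization;
using System.Text;
using System.Text.RegularExpressions;
using System.Web;

// Added illustration, not code from this PR or from blowdart's samples.
// HttpCookie has no SameSite property before .NET 4.7.2, so the framework-issued
// session and Forms Authentication cookies are taken out of Response.Cookies and
// re-emitted as hand-built Set-Cookie headers carrying "SameSite=None; Secure".
public class SameSiteNoneModule : IHttpModule
{
    // Assumed defaults; match <sessionState cookieName> and <forms name> in web.config.
    private static readonly string[] CookieNames = { "ASP.NET_SessionId", ".ASPXAUTH" };

    public void Init(HttpApplication app)
    {
        // PostAcquireRequestState: session state has been acquired, so a newly
        // created session's cookie is already in Response.Cookies.
        app.PostAcquireRequestState += (sender, e) =>
            RewriteCookies(((HttpApplication)sender).Context);
    }

    public void Dispose() { }

    internal static void RewriteCookies(HttpContext ctx)
    {
        HttpCookieCollection cookies = ctx.Response.Cookies;
        bool emitSameSite = !DisallowsSameSiteNone(ctx.Request.UserAgent);

        foreach (string name in CookieNames)
        {
            // Do not probe with cookies[name]: the indexer silently creates an empty cookie.
            if (Array.IndexOf(cookies.AllKeys, name) < 0) continue;

            HttpCookie cookie = cookies[name];
            cookies.Remove(name); // otherwise the framework also writes its own Set-Cookie for this name
            ctx.Response.AppendHeader("Set-Cookie", BuildSetCookie(cookie, emitSameSite));
        }
    }

    // Serialises the cookie by hand, preserving the attributes the old API does set
    // (Domain, Path, Expires, HttpOnly) and adding the ones it cannot express.
    internal static string BuildSetCookie(HttpCookie cookie, bool emitSameSite)
    {
        var sb = new StringBuilder();
        sb.Append(cookie.Name).Append('=').Append(cookie.Value);
        if (!string.IsNullOrEmpty(cookie.Domain)) sb.Append("; Domain=").Append(cookie.Domain);
        sb.Append("; Path=").Append(string.IsNullOrEmpty(cookie.Path) ? "/" : cookie.Path);
        if (cookie.Expires != DateTime.MinValue) // MinValue means "session cookie" on HttpCookie
            sb.Append("; Expires=").Append(cookie.Expires.ToUniversalTime().ToString("R", CultureInfo.InvariantCulture));
        if (cookie.HttpOnly) sb.Append("; HttpOnly");
        // SameSite=None is only honoured together with Secure, so Secure is always emitted.
        sb.Append("; Secure");
        if (emitSameSite) sb.Append("; SameSite=None");
        return sb.ToString();
    }

    // Clients that reject or misinterpret SameSite=None; for them the attribute is
    // omitted, the same fallback the thread describes. Abridged list (assumption).
    internal static bool DisallowsSameSiteNone(string userAgent)
    {
        if (string.IsNullOrEmpty(userAgent)) return false;
        if (Regex.IsMatch(userAgent, @"\(iP.+; CPU .*OS 12[_\d]*.*\) AppleWebKit")) return true; // iOS 12
        if (Regex.IsMatch(userAgent, @"\(Macintosh;.*Mac OS X 10_14[_\d]*.*\) AppleWebKit")
            && userAgent.Contains("Version/") && userAgent.Contains("Safari")) return true;    // macOS 10.14 Safari
        Match m = Regex.Match(userAgent, @"Chrom(e|ium)/(\d+)\.");
        if (m.Success)
        {
            int major = int.Parse(m.Groups[2].Value, CultureInfo.InvariantCulture);
            if (major >= 51 && major <= 66) return true; // Chrome 51-66 treated None as Strict
        }
        return false;
    }
}
```

Register it under `<system.webServer><modules>` in web.config. Two caveats a practitioner should weigh before relying on it: the module only sees cookies that are already in Response.Cookies at PostAcquireRequestState, so a cookie that FormsAuthentication.SetAuthCookie adds later in the same request (the login response itself) is still written by the framework without the attribute, and, as blowdart notes above, behaviour varies with the runtime actually installed on the machine, so verify the emitted headers on each target environment rather than assuming the result carries over.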

blowdart commented 4 years ago

It’s very dependent on what your underlying framework is on the machine. Unless I can make it reliable, and I’m not sure I can, my only advice is update to a version of .net that understands samesite and not something released between five and nine years before it appeared.

a-habib commented 4 years ago

I have tested on Windows 10 with IISExpress with .NET 4.8 installed. I also have Server 2016 with only .NET 4.5.2 installed and it has worked in both cases. I will do more testing.