asp.net iis samesite

How is the SameSite attribute added to my ASP.NET_SessionId cookie automatically?


Recently, SameSite=Lax has been added automatically to my session cookie! This attribute is only added to the session ID cookie: "Set-Cookie ASP.NET_SessionId=zana3mklplqwewhwvika2125; path=/; HttpOnly; **SameSite=Lax**"

My website is hosted on IIS 8.5, Windows 2012 R2; it doesn't have a WAF or UrlRewrite, and I turned off the antivirus (kasper).

But I still have the same problem on some customer servers.

Any ideas?

EDITED: I found this: https://support.microsoft.com/en-us/help/4524419/kb4524419

ASP.NET will now emit a SameSite cookie header when HttpCookie.SameSite value is 'None' to accommodate upcoming changes to SameSite cookie handling in Chrome. As part of this change, FormsAuth and SessionState cookies will also be issued with SameSite = 'Lax' instead of the previous default of 'None', though these values can be overridden in web.config.

How can I override SameSite for SessionState cookies in web.config? I added this line, but it does not work on the SessionID cookie! <httpCookies sameSite="Unspecified" />

EDITED: I found this: https://learn.microsoft.com/en-us/dotnet/api/system.web.configuration.sessionstatesection.cookiesamesite?view=netframework-4.8#System_Web_Configuration_SessionStateSection_CookieSameSite

Set SameSite for the state server with the "cookieSameSite" attribute of the sessionState tag.


Solution

  • I can't use rewrite, because UrlRewrite is not installed on all my customers' servers.

    Finally, I added cookieSameSite to my web.config:

    <sessionState mode="StateServer" cookieSameSite="None" sqlConnectionString="data source=(local);user id=sa;password=" cookieless="false" timeout="20" />
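
An added example, not part of the original post: a small Python check that parses captured Set-Cookie headers and reports the SameSite state of each cookie, so the effect of the cookieSameSite override can be confirmed on each server. It also flags SameSite=None sent without Secure, which Chrome's newer SameSite handling rejects; the function names and the last three sample headers are constructed for illustration.

```python
# Added example: audit Set-Cookie headers for the SameSite behaviour discussed above.
# Sample headers are constructed; only the first mirrors the header quoted in the question.

def parse_set_cookie(header):
    """Return (name, attrs) for one Set-Cookie header line or bare header value."""
    if header.lower().startswith("set-cookie"):
        header = header[len("set-cookie"):].lstrip(": \t")
    parts = [p.strip() for p in header.split(";") if p.strip()]
    if not parts:
        raise ValueError("empty Set-Cookie header")
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name, attrs

def audit(header):
    """Report the SameSite state of a cookie and any deployment problems."""
    name, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower() or "unspecified"
    secure = "secure" in attrs
    findings = []
    if samesite == "unspecified":
        findings.append("no SameSite attribute; the browser's default applies")
    elif samesite == "none" and not secure:
        findings.append("SameSite=None without Secure; Chrome's newer handling rejects this cookie")
    elif samesite not in ("lax", "strict", "none"):
        findings.append("unrecognised SameSite value")
    if "httponly" not in attrs:
        findings.append("HttpOnly missing")
    return {"name": name, "samesite": samesite, "secure": secure, "findings": findings}

SAMPLES = [
    "Set-Cookie ASP.NET_SessionId=zana3mklplqwewhwvika2125; path=/; HttpOnly; SameSite=Lax",
    "Set-Cookie: ASP.NET_SessionId=constructedvalue0001; path=/; HttpOnly; SameSite=None",
    "Set-Cookie: ASP.NET_SessionId=constructedvalue0002; path=/; secure; HttpOnly; SameSite=None",
    "Set-Cookie: ASP.NET_SessionId=constructedvalue0003; path=/; HttpOnly",
]

if __name__ == "__main__":
    for line in SAMPLES:
        result = audit(line)
        status = "; ".join(result["findings"]) or "ok"
        print(f'{result["name"]}: SameSite={result["samesite"]} Secure={result["secure"]} -> {status}')
```
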