Following the recent changes in Chrome 80, it is now required to specify SameSite=None on the cookies that need to be sent across different sites.
I have identified an issue with my Asp.Net Core site when hosted in a frame on a different site. The WS-Federation authentication is currently broken because the SameSite=None attribute is missing from the .AspNetCore.Correlation cookie:
Set-Cookie: .AspNetCore.Correlation.WsFederation.qG-dtdsIcVBHSRW4SpPpqpMYMrueIrLfWLvElKrbyXg=N; expires=Fri, 17 Jan 2020 09:17:08 GMT; path=/signin-wsfed; secure; httponly
I have found a way to add SameSite=None to the cookie using the Cookie Policy Middleware:

app.UseCookiePolicy(new CookiePolicyOptions()
{
    MinimumSameSitePolicy = SameSiteMode.None
});

This works fine, but this causes ALL cookies to be created with this attribute, which I would like to avoid. Would there be a less intrusive solution that could be applied to the correlation cookie only?
When you define the authentication scheme, you can change the settings for the correlation cookie. E.g.:

.AddWsFederation(o =>
{
    // CorrelationCookie is a CookieBuilder; any of its properties (SameSite, SecurePolicy, ...) can be set here.
    o.CorrelationCookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.Lax;
})

Note from OP:
Beware that you need the .NET Core November 2019 Update installed on your server for this to work (else the SameSite attribute isn't issued). See this article.
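As an added illustration (not code from the question or the answer above), here is how the two scoped approaches look together in a Startup class: the per-scheme CorrelationCookie setting from the answer, set to None for the cross-site case, and a cookie-policy variant that limits the change to correlation cookies through OnAppendCookie instead of raising MinimumSameSitePolicy for everything. It assumes ASP.NET Core 3.1 with the November 2019 SameSite update the OP mentions; the metadata address and realm are placeholders.

```csharp
// Added example: scoping SameSite=None to the WS-Federation correlation cookie only.
// Assumes ASP.NET Core 3.1 with the November 2019 SameSite update installed.
using System;
using Microsoft.AspNetCore.Authentication.WsFederation;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(options =>
            {
                options.DefaultScheme = "Cookies";
                options.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;
            })
            .AddCookie("Cookies")
            .AddWsFederation(o =>
            {
                o.MetadataAddress = "https://idp.example.test/FederationMetadata/2007-06/FederationMetadata.xml"; // placeholder
                o.Wtrealm = "https://app.example.test/"; // placeholder
                // Option 1: set the attribute on the correlation cookie alone.
                // Browsers only accept SameSite=None on Secure cookies, so force the
                // secure policy instead of leaving the default SameAsRequest.
                o.CorrelationCookie.SameSite = SameSiteMode.None;
                o.CorrelationCookie.SecurePolicy = CookieSecurePolicy.Always;
            });
    }

    public void Configure(IApplicationBuilder app)
    {
        // Option 2: keep the cookie policy middleware, but only rewrite the
        // correlation cookies as they are appended; other cookies are untouched.
        app.UseCookiePolicy(new CookiePolicyOptions
        {
            // Unspecified = do not force a minimum on the other cookies.
            MinimumSameSitePolicy = SameSiteMode.Unspecified,
            OnAppendCookie = ctx =>
            {
                if (ctx.CookieName.StartsWith(".AspNetCore.Correlation.", StringComparison.Ordinal))
                {
                    ctx.CookieOptions.SameSite = SameSiteMode.None;
                    ctx.CookieOptions.Secure = true;
                }
            }
        });

        app.UseAuthentication();
        // ... UseRouting / UseEndpoints as usual
    }
}
```

Either option on its own is enough; option 2 is useful when the scheme options are registered in code you cannot change.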