通常基于浏览器设置ASP.NET会话和身份验证cookie相同的站点值

Question

我已经对我的web.config进行了以下更改，并且能够使用samesite = none并安全地为身份验证和会话cookie提供服务器。

问题是对于诸如chrome 51-66之类的浏览器，发送samesite = none会使Cookie无效，然后用户没有会话且无法登录。https://www.chromium.org/updates/same-site/incompatible-clients

有没有一种方法可以扩展创建这些cookie的类，或者以其他方式基于浏览器/用户代理有条件地设置相同站点参数

<system.web>
    <httpCookies sameSite="None"/>
    <sessionState cookieSameSite="None" />
    <authentication mode="Forms">
        <forms cookieSameSite="None" />
    </authentication>

Answer 1

虽然不是一个完整的解决方案（因为它只覆盖用例中的会话cookie，但我手动设置了表单身份验证cookie，但我在MVC5应用程序中实现了以下内容来处理SameSite属性的设置：

protected void Session_Start(object sender, EventArgs e)
{
    var cookie = Response.Cookies["ASP.NET_SessionId"];
    if (cookie != null)
        cookie.SameSite = SameSiteCookieUtils.GetSameSiteMode(Request.UserAgent, SameSiteMode.None);
}

// Ref https://docs.microsoft.com/en-us/aspnet/core/security/samesite?view=aspnetcore-3.1#supporting-older-browsers
public static class SameSiteCookieUtils
{
    /// <summary>
    /// -1 defines the unspecified value, which tells ASPNET to not send the SameSite attribute
    /// </summary>
    public const SameSiteMode Unspecified = (SameSiteMode) (-1);

    public static SameSiteMode GetSameSiteMode(string userAgent, SameSiteMode mode)
    {
        if (mode == SameSiteMode.None && DisallowsSameSiteNone(userAgent))
            return Unspecified;

        return mode;
    }

    public static bool DisallowsSameSiteNone(string userAgent)
    {
        // Cover all iOS based browsers here. This includes:
        // - Safari on iOS 12 for iPhone, iPod Touch, iPad
        // - WkWebview on iOS 12 for iPhone, iPod Touch, iPad
        // - Chrome on iOS 12 for iPhone, iPod Touch, iPad
        // All of which are broken by SameSite=None, because they use the iOS networking
        // stack.
        if (userAgent.Contains("CPU iPhone OS 12") ||
            userAgent.Contains("iPad; CPU OS 12"))
        {
            return true;
        }

        // Cover Mac OS X based browsers that use the Mac OS networking stack.
        // This includes:
        // - Safari on Mac OS X.
        // This does not include:
        // - Chrome on Mac OS X
        // Because they do not use the Mac OS networking stack.
        if (userAgent.Contains("Macintosh; Intel Mac OS X 10_14") &&
            userAgent.Contains("Version/") && userAgent.Contains("Safari"))
        {
            return true;
        }

        // Cover Chrome 50-69, because some versions are broken by SameSite=None,
        // and none in this range require it.
        // Note: this covers some pre-Chromium Edge versions,
        // but pre-Chromium Edge does not require SameSite=None.
        if (userAgent.Contains("Chrome/5") || userAgent.Contains("Chrome/6"))
        {
            return true;
        }

        return false;
    }
}

[DisallowsSameSiteNone逻辑来自Microsoft文档https://docs.microsoft.com/en-us/aspnet/core/security/samesite?view=aspnetcore-3.1#supporting-older-browsers

我也在web.config中设置了以下内容>

<httpCookies httpOnlyCookies="true" requireSSL="true" />
希望其中一些对您有用

通常基于浏览器设置ASP.NET会话和身份验证cookie相同的站点值

问题描述投票：1回答：1

1个回答

最新问题

通常基于浏览器设置ASP.NET会话和身份验证cookie相同的站点值

问题描述 投票：1回答：1

1个回答

最新问题

问题描述投票：1回答：1