
Solution to SameSite None iFrames with C#

Published on Jan 27, 2020

There has been a lot of kerfuffle over Chrome's upcoming change to how cookies are passed when one website is iFraming another website, a change made in an effort to further improve the security of the Internet.

At the end of the day, the solution is to set your cookies - specifically the .ASPXAUTH cookie - so that when users navigate the iFramed website the cookies are passed from page to page. This is very important for those who are using FormsAuthentication.

The solution requires two changes. Let's look at them now.

Fixing SameSite None with FormsAuthentication

The first part of the solution is to perform a .NET upgrade. KB4524420 needs to be applied to your web servers.

This is an important update because it allows the enum option "None" for the SameSite setting. It also sets SameSite to Lax by default with FormsAuthentication.

The second part of the solution is to update your Web.config:
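
The fragment below is an added example, not the original post's own snippet: a minimal system.web section showing where the settings described in the next paragraph go. It assumes Forms authentication is already configured; on sessionState and forms the attribute is named cookieSameSite, while on httpCookies it is sameSite.

```xml
<!-- Added example, not the original post's snippet. Merge these attributes into the
     existing <system.web> section of Web.config; keep the other attributes you already have. -->
<configuration>
  <system.web>
    <!-- Default for cookies the application issues. requireSSL adds the Secure flag,
         which browsers require before they accept SameSite=None. -->
    <httpCookies sameSite="None" requireSSL="true" />

    <!-- Session ID cookie. On this element the attribute is named cookieSameSite. -->
    <sessionState cookieSameSite="None" />

    <!-- .ASPXAUTH cookie. The attribute is also cookieSameSite here. -->
    <authentication mode="Forms">
      <forms cookieSameSite="None" requireSSL="true" />
    </authentication>
  </system.web>
</configuration>
```

After deploying, check the Set-Cookie response header for .ASPXAUTH in the browser's developer tools: it should carry both Secure and SameSite=None.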


In each of the XML attributes (httpCookies, sessionState, and forms) above I've added sameSite="None". If you haven't already done so in the past, you also need to set requireSSL="true" for httpCookies and forms.

This also requires your site to be served over SSL; it is very important not to forget this!
