Adding SameSite Cookie Support In ASP.NET

Published on Thursday, February 23, 2017

I was reading Scott Helme's post on how CSRF is Dead because of the new Same Site cookie spec (which is supported in Chrome and soon FF).

I wanted to add support into KTOMG so I was trying to figure out how to modify my authentication flow to add the attribute. However, HttpCookie is sealed and can't be modified so what's a well meaning security citizen supposed to do?!

Well, thanks to this StackOverflow answer, it's actually pretty simple and can be done on any IIS website using URL rewrite!

        <clear />
        <rule name="Add SameSite" preCondition="No SameSite">
          <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
          <action type="Rewrite" value="{R:0}; SameSite=lax" />
          <preCondition name="No SameSite">
            <add input="{RESPONSE_Set_Cookie}" pattern="." />
            <add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=lax" negate="true" />

These outbound rules will add SameSite=lax to any Set-Cookie header in responses from your site (that are not already marked SameSite), so all cookies effectively set by your site become SameSite cookies.

In this case, I'm using Lax security (see Scott's post above for a good explanation of Lax vs. Strict) because I don't quite have the dual cookie authentication suggested by Scott (e.g. one to make yourself "known" and logged-in, the other that MUST be present on any secure page such as your Account page). I do plan to implement dual cookie auth whenever I get around to migrating to .NET Core.

About Kamran
Hi, I'm a professional full-stack developer who also loves to write, speak at conferences, work on side projects, contribute to open source, make games, and play them.
comments powered by Disqus