2025-02-23 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article introduces ASP.NET Core Cookie SameSite. Many people run into difficulties with it in real projects, so Xiaobian will walk you through how to handle these situations. I hope you read carefully and learn something!
Cookies are one of the most common ways to maintain state in many projects. A typical example: after the user logs in successfully, the server writes the session ID for the current domain via Set-Cookie. When the front end calls a backend API in the same domain, the browser automatically attaches the cookie, and the backend reads the session ID from it to verify that the user's login state is legitimate.
Anyone who has studied cookies knows that using them raises security issues such as CSRF (Cross-Site Request Forgery) and XSSI (Cross-Site Script Inclusion) attacks. To mitigate this risk, Google developed a security mechanism called Cookie SameSite, which mainstream browsers have supported for some time.
What is Cookie SameSite
SameSite is a cookie attribute that restricts when third-party (cross-site) cookies are sent. It can take three values: Strict, Lax and None.
Strict
Strict is the strictest policy: under it the browser never sends domain B's cookies with a request that originates from domain A. Suppose the user has already logged in to domain B, and a page in domain A contains a link to domain B. When the user clicks that link from domain A, they arrive at domain B logged out. This policy is very safe, but its user experience is poor, so it is not commonly used.
set-cookie: sid=0920770230c103809305605a; samesite=strict
Lax
The Lax policy is more lenient than Strict: third-party cookies are still withheld in most cases, except for links, preload requests and GET forms. Suppose again that the user has logged in to domain B and a page in domain A links to domain B. Clicking that link from domain A lands the user on domain B still logged in. If, however, a page in domain A sends an Ajax POST request to an API in domain B, the API does not receive the cookie. Lax still carries some risk, but it is generally a reasonable choice, which is why some languages and frameworks use Lax as the default SameSite value for cookies.
set-cookie: sid=0920770230c103809305605a; samesite=lax
None
In practice there are scenarios that genuinely require cross-site cookies, the most common being a page from domain B embedded in an IFrame. For these you can set SameSite to None, but None has a precondition: the Secure attribute must be set at the same time, and Secure in turn requires that domain B is served over HTTPS; otherwise the cookie is still rejected.
set-cookie: sid=0920770230c103809305605a; secure; samesite=none
Use in .NET Core
Take an ASP.NET Core web application as an example:
var options = new CookieOptions
{
    Expires = DateTime.Now.AddHours(1),
};
_httpContextAccessor.HttpContext.Response.Cookies.Append("sid", "0920770230c103809305605a", options);
Normally the code above is enough to write the cookie; CookieOptions supports other settings that can be configured as needed. Note, however, that the default value of the cookie's SameSite attribute differs between .NET Core 2.2 and .NET Core 3.1, which matters when upgrading:
In 2.2 the default is SameSiteMode.Lax.
In 3.1 the default changed to SameSiteMode.Unspecified, meaning the SameSite attribute is not written at all and the browser's default cookie policy applies.
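The browser side of the rules above, applied to the three set-cookie headers from the previous section plus a cookie with no SameSite attribute at all (the 3.1 default). This is an added example, not code from the article; the request contexts are constructed, and Unspecified is modelled as Lax, which is what Chrome applies by default.

```csharp
using System;
using System.Linq;
// Constructed request contexts (all HTTPS): link click A->B, Ajax POST from A to B's API, B in an IFrame on A.
var link  = new Request(CrossSite: true, TopLevelNavigation: true,  Method: "GET",  Https: true);
var ajax  = new Request(CrossSite: true, TopLevelNavigation: false, Method: "POST", Https: true);
var frame = new Request(CrossSite: true, TopLevelNavigation: false, Method: "GET",  Https: true);
foreach (var header in new[] { "sid=0920770230c103809305605a; samesite=strict",
                               "sid=0920770230c103809305605a; samesite=lax",
                               "sid=0920770230c103809305605a; secure; samesite=none",
                               "sid=0920770230c103809305605a" })   // no attribute: Unspecified
{
    var c = SameSiteRules.Parse(header);
    Console.WriteLine($"{c.SameSite,-11} link:{SameSiteRules.IsSent(c, link)} " +
                      $"ajaxPOST:{SameSiteRules.IsSent(c, ajax)} iframe:{SameSiteRules.IsSent(c, frame)}");
}

enum SameSite { Strict, Lax, None, Unspecified }
record Cookie(string Name, SameSite SameSite, bool Secure);
record Request(bool CrossSite, bool TopLevelNavigation, string Method, bool Https);
static class SameSiteRules
{
    // Parse "name=value; Secure; SameSite=Lax"; attribute names are case-insensitive.
    public static Cookie Parse(string setCookie)
    {
        var parts = setCookie.Split(';').Select(p => p.Trim()).ToArray();
        var sameSite = SameSite.Unspecified;
        var secure = false;
        foreach (var attr in parts.Skip(1))
        {
            var kv = attr.Split('=', 2);
            if (kv[0].Equals("secure", StringComparison.OrdinalIgnoreCase)) secure = true;
            else if (kv[0].Equals("samesite", StringComparison.OrdinalIgnoreCase) && kv.Length == 2)
                sameSite = Enum.Parse<SameSite>(kv[1], ignoreCase: true);
        }
        return new Cookie(parts[0].Split('=')[0], sameSite, secure);
    }
    // Would the browser attach this cookie to the request?
    public static bool IsSent(Cookie c, Request r)
    {
        if (c.Secure && !r.Https) return false;   // Secure cookies travel only over HTTPS
        if (!r.CrossSite) return true;            // first-party requests always carry it
        return c.SameSite switch
        {
            SameSite.Strict => false,             // never sent cross-site
            SameSite.None => c.Secure,            // None is honoured only together with Secure
            // Lax, and Unspecified (which Chrome treats as Lax): top-level GET navigations only
            _ => r.TopLevelNavigation && r.Method == "GET",
        };
    }
}
```

Only the None cookie reaches the Ajax POST and the IFrame; Strict is withheld even on the link click, and Lax and Unspecified survive only the link click.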
How to solve the SameSite problem in IFrames
For a cookie set by ASP.NET Core, if the current domain must also work inside IFrames on other domains, the basic requirement is that the site is served over HTTPS; then change the code to set SameSite to None and Secure to true:
var options = new CookieOptions
{
    SameSite = SameSiteMode.None,
    Secure = true
};
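Rather than remembering the right CookieOptions at every Append call, the same fix can be enforced centrally with ASP.NET Core's cookie policy middleware. This is an added example (not the article's code) with hypothetical /login and /prefs endpoints; it also restores the 2.2 Lax default for cookies that specify nothing, so the 3.1 upgrade does not silently drop the attribute.

```csharp
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// One central policy applied by UseCookiePolicy() to every cookie the app appends.
builder.Services.Configure<CookiePolicyOptions>(policy =>
{
    // Leave each cookie's own SameSite choice alone; the callback below adjusts it.
    policy.MinimumSameSitePolicy = SameSiteMode.Unspecified;
    policy.Secure = CookieSecurePolicy.SameAsRequest;
    policy.OnAppendCookie = ctx =>
    {
        var o = ctx.CookieOptions;
        // Restore the 2.2 behaviour: no explicit value becomes Lax instead of being omitted.
        if (o.SameSite == SameSiteMode.Unspecified) o.SameSite = SameSiteMode.Lax;
        // None is only valid together with Secure, and Secure only works over HTTPS;
        // fail loudly rather than ship a cookie the browser will reject.
        if (o.SameSite == SameSiteMode.None)
        {
            if (!ctx.Context.Request.IsHttps)
                throw new InvalidOperationException("SameSite=None cookies require HTTPS");
            o.Secure = true;
        }
    };
});

var app = builder.Build();
app.UseCookiePolicy();

// Hypothetical login endpoint: the session cookie must work inside an IFrame on another
// domain, so it asks for None; Secure is added by the policy above.
app.MapGet("/login", (HttpContext http) =>
{
    http.Response.Cookies.Append("sid", "0920770230c103809305605a", new CookieOptions
    {
        SameSite = SameSiteMode.None,
        Expires = DateTimeOffset.UtcNow.AddHours(1),
    });
    return Results.Ok();
});

// Hypothetical first-party-only cookie with no SameSite given: the policy writes it as Lax.
app.MapGet("/prefs", (HttpContext http) =>
{
    http.Response.Cookies.Append("theme", "dark");
    return Results.Ok();
});

app.Run();
```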
That concludes the introduction to "ASP.NET Core Cookie SameSite"; thank you for reading. If you want to learn more industry-related knowledge, keep an eye on this website. Xiaobian will keep producing high-quality practical articles for everyone!
© 2024 shulou.com SLNews company. All rights reserved.