Handle SameSite cookie changes in Chrome browser
What is SameSite?
SameSite is a property that can be set in HTTP cookies to prevent Cross-Site Request Forgery (CSRF) attacks in web applications:
- When SameSite is set to Lax, the cookie is sent in requests within the same site and in GET requests from other sites. It isn't sent in cross-site POST requests.
- A value of Strict ensures that the cookie is sent only in requests within the same site.
By default, the SameSite value is not set in browsers, so there are no restrictions on cookies being sent in requests. An application needs to opt in to the CSRF protection by setting Lax or Strict according to its requirements.
SameSite changes and impact on authentication
Recent updates to the SameSite standard propose protecting apps by making the default behavior, when no value is set, the same as Lax. This change means cookies will be restricted on cross-site HTTP requests other than GET. Additionally, a value of None is introduced to remove restrictions on cookies being sent. These updates will soon be released in an upcoming version of the Chrome browser.
When web apps authenticate with the Microsoft identity platform using the response mode "form_post", the login server responds to the application with an HTTP POST that carries the tokens or the auth code. Because this request is a cross-domain request (from login.microsoftonline.com to your domain, for instance https://contoso.com/auth), cookies that were set by your app now fall under the new rules in Chrome. The cookies that need to be used in cross-site scenarios are the cookies that hold the state and nonce values, which are also sent in the login request. Other cookies dropped by Azure AD hold the session.
If you don't update your web apps, this new behavior will result in authentication failures.
Mitigation and samples
To overcome the authentication failures, web apps authenticating with the Microsoft identity platform can set the SameSite property to None for cookies that are used in cross-domain scenarios when running on the Chrome browser.
Other browsers (see here for a complete list) follow the previous behavior of SameSite and won't include the cookies if SameSite=None is set.
That's why, to support authentication on multiple browsers, web apps will have to set the SameSite value to None only on Chrome and leave the value empty on other browsers.
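The per-browser decision described above, as an added, framework-agnostic illustration that is not code from the Microsoft samples: it emits SameSite=None (with Secure, which Chrome requires alongside None) only when the User-Agent is Chrome, omits the attribute otherwise, and models why an attribute-less cookie is dropped from the cross-site form_post reply under the new default. The User-Agent strings, cookie names and the Chrome detection rule are constructed for the example.

```python
import re

# Constructed User-Agent strings for the cases below (not taken from the article).
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36")
FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0"

# Simplified Chrome detection for the example; a real app would use its framework's UA parsing.
_CHROME_RE = re.compile(r"\bChrome/\d+")


def samesite_for(user_agent):
    """Return the SameSite value to emit for the state/nonce cookies, or None to omit it.

    Chrome needs SameSite=None so the cookies survive the cross-site POST coming back from
    login.microsoftonline.com; other browsers get no attribute, as the article advises.
    """
    return "None" if _CHROME_RE.search(user_agent or "") else None


def build_set_cookie(name, value, user_agent, max_age=600):
    """Build a Set-Cookie header for a cookie that must survive the cross-site form_post."""
    # Secure is always set: Chrome drops a SameSite=None cookie that is not Secure, and the
    # state/nonce cookies should only ever travel over HTTPS anyway.
    attrs = [f"{name}={value}", "Path=/", f"Max-Age={max_age}", "HttpOnly", "Secure"]
    same_site = samesite_for(user_agent)
    if same_site is not None:
        attrs.append(f"SameSite={same_site}")
    return "; ".join(attrs)


def sent_on_cross_site_post(set_cookie, lax_by_default):
    """Model whether a browser attaches the cookie to a cross-site POST.

    lax_by_default=True models the new Chrome rules (missing SameSite behaves as Lax);
    False models the previous behavior (missing SameSite means no restriction).
    """
    attrs = {}
    for part in set_cookie.split(";")[1:]:
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val
    same_site = attrs.get("samesite", "").lower()
    if same_site == "none":
        return "secure" in attrs  # None is only honored on a Secure cookie
    if same_site == "":
        return not lax_by_default  # this is the case that breaks under the new default
    return False  # Lax or Strict: never sent on a cross-site POST
```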
This approach is demonstrated in our code samples below.
The table below presents the pull requests that worked around the SameSite changes in our ASP.NET and ASP.NET Core samples.
| Sample | Pull request |
|---|---|
| ASP.NET Core web app incremental tutorial | Same site cookie fix #261 |
| ASP.NET MVC web app sample | Same site cookie fix #35 |
| active-directory-dotnet-admin-restricted-scopes-v2 | Same site cookie fix #28 |
For details on how to handle SameSite cookies in ASP.NET and ASP.NET Core, see also:
Learn more about SameSite and the Web app scenario: