Google first announced in May last year that cookies that do not include the “SameSite=None” and “Secure” labels won’t be accessible by third parties, such as ad tech companies, in Chrome version 80 and beyond. The Secure label means cookies need to be set and read via HTTPS connections.
Right now, the Chrome SameSite cookie default is “None,” which allows third-party cookies to track users across sites. But from February, cookies will default to “SameSite=Lax,” which means cookies are only set when the domain in the browser's URL matches the domain of the cookie — a first-party cookie.
Any cookie with the “SameSite=None” label must also have the Secure flag, meaning it will only be created and sent over HTTPS requests. Meanwhile, the “SameSite=Strict” designation restricts cross-site sharing altogether, even between different domains owned by the same publisher.
Mozilla’s Firefox and Microsoft’s Edge say they will also adopt the SameSite=Lax default.
How to solve this issue?
Make sure your browser is the latest Chrome 80.xxx
1) In Chrome address bar type in chrome://flags/
2) Check that the flag “Cookies without SameSite must be secure” is set to Default.
This is the cause: an existing cookie set in code without a SameSite value now needs HTTPS to be transferred. If you don't have HTTPS, it won't be transferred.
Setting the flag to Disabled will make all current sites work as before.
It will be difficult for your site viewers to make this manual change in their Chrome browser, so you can instead make a global change in web.config that adds a SameSite value to all cookies.
3) See https://stackoverflow.com/questions/38954821/preventing-csrf-with-the-same-site-cookie-attribute
Add the following to the <system.webServer> section of the web.config file. It will add the SameSite value globally and solve the problem.
<rewrite>
  <outboundRules>
    <rule name="Add SameSite" preCondition="No SameSite">
      <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
      <action type="Rewrite" value="{R:0}; SameSite=strict" />
      <conditions>
      </conditions>
    </rule>
    <preConditions>
      <preCondition name="No SameSite">
        <add input="{RESPONSE_Set_Cookie}" pattern="." />
        <add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=strict" negate="true" />
      </preCondition>
    </preConditions>
  </outboundRules>
</rewrite>
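The Chrome 80 defaults described above and the outbound rewrite rule just shown, as an added Python example that is not part of the original article: it classifies Set-Cookie headers the way Chrome 80 does and reproduces the rule's precondition, including what happens to a cookie that already carries a different SameSite value. The sample headers are constructed, and the tighter add_samesite_if_missing variant is an addition here, not from the article.

```python
import re

def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}

def chrome80_verdict(header: str) -> str:
    """Classify a Set-Cookie header under the Chrome 80 defaults described above.

    'rejected'    SameSite=None without Secure: the cookie is dropped
    'cross-site'  SameSite=None; Secure: still usable by third parties
    'first-party' Lax (explicit or defaulted) or Strict: not sent cross-site
    """
    attrs = parse_set_cookie(header)["attrs"]
    mode = attrs.get("samesite", "lax").lower()   # missing attribute -> Lax
    if mode == "none":
        return "cross-site" if "secure" in attrs else "rejected"
    return "first-party"

def add_samesite_strict(header: str) -> str:
    """Apply the web.config outbound rule: when the Set-Cookie header is non-empty
    and does not already contain '; SameSite=strict' (matched case-insensitively,
    the IIS default for conditions), append that suffix. A header that already
    carries SameSite=None or SameSite=Lax does not match the precondition, so the
    rule appends a second SameSite attribute to it."""
    if header and not re.search(r"; SameSite=strict", header, re.IGNORECASE):
        return header + "; SameSite=strict"
    return header

def add_samesite_if_missing(header: str, mode: str = "Strict") -> str:
    """Tighter variant (added here, not from the article): only add SameSite when
    no SameSite attribute of any value is present, so deliberate None/Lax stay."""
    if header and "samesite" not in parse_set_cookie(header)["attrs"]:
        return f"{header}; SameSite={mode}"
    return header

if __name__ == "__main__":
    # Constructed sample headers, not captured from a real site.
    for h in ["sid=abc; Path=/", "sid=abc; SameSite=None",
              "sid=abc; SameSite=None; Secure", "sid=abc; SameSite=Strict; Secure"]:
        print(f"{h!r:45} -> {chrome80_verdict(h)}")
        print(f"  rule output: {add_samesite_strict(h)!r}")
```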
Article ID: 1998, Created: March 4, 2020 at 7:08 PM, Modified: March 4, 2020 at 7:12 PM