ServiceStack with .Net Framework SameSite Error

Yep that’s the correct API which has been deprecated & renamed in later versions.

Hi Mythz

I know this thread is one year old, but I think it's the best place to write, since the topic is exactly the same

I'm on .NET 4.8, self-hosted app, SS 5.9.2

I’m using your code snippet to remove SameSite from session cookies

I know it's not advisable; my goal is to make the frontend developers' lives easier, this is not for production

I find that SetCookieFilter seems to work for only one cookie per call

when the browser opens the app my code is called several times
when I inspect the response headers sent to the browser I see the ss-id cookie is set in the first call, then the ss-pid cookie is set in the next call, and so on

if I remove the overridden method I see both cookies set in the response to the first call

I simplified the code as follows; the behaviour is unchanged

    public override bool SetCookieFilter(IRequest req, Cookie cookie)
    {
        // let the base filter decide first
        if (!base.SetCookieFilter(req, cookie))
            return false;

        // write the Set-Cookie header ourselves and tell ServiceStack not to set it again
        var cookieStr = cookie.AsHeaderValue();
        req.Response.AddHeader("Set-Cookie", cookieStr);
        return false;
    }

I cannot figure out why this happens, but it also happens on the credentials call, so the backend session never becomes authenticated

Any advice?

SetCookieFilter() gets called for each cookie that's created; you can check which cookie it's being called for with cookie.Name, e.g.:

public override bool SetCookieFilter(IRequest req, Cookie cookie)
{
    if (cookie.Name == "...") { .. }
    return base.SetCookieFilter(req, cookie);
}

If you’re using SS v5.9.2 it should set SameSite=None if you configure it to with:

SetConfig(new HostConfig {
    UseSameSiteCookies = false,
});

I don't understand the other behavior you're describing, that it still creates cookies: are you saying that if you clear your cookies and always return false it still creates cookies?

public override bool SetCookieFilter(IRequest req, Cookie cookie) => false;

this is the method

    public override bool SetCookieFilter(IRequest req, Cookie cookie)
    {
        var cookieStr = cookie.AsHeaderValue();
        req.Response.AddHeader("Set-Cookie", cookieStr);
        return false;
    }

then I start the app, open the browser and point it to http://localhost
the ss-id and ss-pid cookies are not set in the same call

then I clear the browser cache, cookies, data…
and remove the method completely and redo the same operations
now I see both cookies set in the first call

the same happens with the credentials call if the SetCookieFilter method is there

the issue is that there is only one credentials call and I expect the app to set all the cookies in that response, otherwise the next browser call sends some old cookies of the unauthorized session

Was the ss-pid cookie sent in the Request Header? It only creates session cookies that don't exist, so there's a good chance the permanent session id (ss-pid) already existed, whilst the temporary ss-id session cookie won't for a new browser session.

Also what’s causing the redirect on the home page?

browser cache, data… all cleared before each try

the redirect is issued by the backend when the client points to the root /

you can see the redirect also in the last screenshot, where SetCookieFilter is not present and the cookies work as expected

HttpListener’s AddHeader() could be setting/overriding the header instead of adding it, try adding it to the headers collection directly:

public override bool SetCookieFilter(IRequest req, Cookie cookie)
{
    var cookieStr = cookie.AsHeaderValue();
    req.Response.Headers.Add(HttpHeaders.SetCookie, cookieStr);
    return false;
}

Also, is overriding SetCookieFilter() now required when SameSite cookies are disabled?

SetConfig(new HostConfig {
    UseSameSiteCookies = false,
});

I would completely remove the SameSite attribute from the cookie

setting UseSameSiteCookies = false, SS adds SameSite=None

IResponse does not expose a Headers collection; can I cast to a specific type?

You can access it from the host’s concrete HttpListenerResponse implementation:

((HttpListenerResponse)req.Response.OriginalResponse).Headers.Add(...);

I attempted

req.Response.RemoveHeader(HttpHeaders.SetCookie);
req.Response.AddHeader(HttpHeaders.SetCookie, cookieStr);

the solution is

((HttpListenerResponse)req.Response.OriginalResponse).Headers.Add(…);

now it works as expected

thank you very much
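A complete self-hosted AppHost putting the thread's outcome together, as an added example that is not code from the thread or from ServiceStack: it disables SameSite in HostConfig, strips the SameSite attribute that SS 5.9.2 still emits, and appends each Set-Cookie header through the HttpListenerResponse headers collection so that several cookies survive in one response. AsHeaderValue(), HttpHeaders.SetCookie and OriginalResponse are the calls used in the thread; the Regex strip, the StripSameSite helper, the non-HttpListener fallback branch and the listening URL are assumptions of this example.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;
using Funq;
using ServiceStack;
using ServiceStack.Web;

// Self-hosted (HttpListener) AppHost for .NET Framework 4.8, ServiceStack 5.9.x.
public class AppHost : AppSelfHostBase
{
    public AppHost() : base("SameSite demo", typeof(AppHost).Assembly) { }

    public override void Configure(Container container)
    {
        SetConfig(new HostConfig {
            // In SS 5.9.2 this yields SameSite=None rather than omitting the attribute,
            // which is why the filter below still has to strip it.
            UseSameSiteCookies = false,
        });
    }

    // Matches "; SameSite=None|Lax|Strict" (case-insensitive) in a Set-Cookie value.
    // Assumption of this example: the attribute is emitted in exactly this form.
    static readonly Regex SameSiteAttr =
        new Regex(@";\s*SameSite=[A-Za-z]+", RegexOptions.IgnoreCase | RegexOptions.Compiled);

    public static string StripSameSite(string setCookieValue) =>
        SameSiteAttr.Replace(setCookieValue, string.Empty);

    // Called once per cookie ServiceStack wants to set (ss-id, ss-pid, ss-opt, ...).
    // Returning false tells ServiceStack not to write the cookie itself.
    public override bool SetCookieFilter(IRequest req, Cookie cookie)
    {
        var headerValue = StripSameSite(cookie.AsHeaderValue());

        var listenerRes = req.Response.OriginalResponse as HttpListenerResponse;
        if (listenerRes != null)
        {
            // WebHeaderCollection.Add appends a further Set-Cookie value.
            // HttpListenerResponse.AddHeader() is Headers.Set() and would overwrite the
            // cookie written by the previous call: the one-cookie-per-response symptom.
            listenerRes.Headers.Add(HttpHeaders.SetCookie, headerValue);
        }
        else
        {
            // Not running under HttpListener (e.g. in tests): fall back to the abstract API.
            req.Response.AddHeader(HttpHeaders.SetCookie, headerValue);
        }
        return false;
    }
}

class Program
{
    static void Main()
    {
        // Quick check of the strip logic on a constructed header value.
        Console.WriteLine(AppHost.StripSameSite("ss-id=abc; path=/; HttpOnly; SameSite=None"));

        new AppHost().Init().Start("http://localhost:8080/");
        Console.WriteLine("Listening on http://localhost:8080/ (press Enter to exit)");
        Console.ReadLine();
    }
}
```

Because HttpListenerResponse.AddHeader() is documented as equivalent to Headers.Set(), the one-liner equivalent of the Headers.Add() call above is listenerRes.AppendHeader(HttpHeaders.SetCookie, headerValue). Two caveats on what removing the attribute buys: Chrome 80 and later treats a cookie with no SameSite attribute as SameSite=Lax, and rejects SameSite=None cookies that are not also marked Secure, so for a frontend served from a different origin the result is Lax behaviour rather than the old "send on every cross-site request" behaviour, and the session cookies are still not sent on cross-site POSTs.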
