Serving Cookies where front and back end different domains

markholdt · January 24, 2020, 7:03am

I am getting the following message in Chrome:
“A cookie associated with a cross-site resource at https://api.domain1.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure.”

My set up is as follows
The API is hosted on a different domain than the VueJS client.

Here is the config on the ServiceStack side:

public override void Configure(Container container)
{

            SetConfig(new HostConfig
            {
              
                UseSameSiteCookies = false,
                UseSecureCookies = true,
                DebugMode = AppSettings.Get("DebugMode", false),
         
                UseCamelCase = true
            });
}

Please let me know how I can serve SameSite=None and Secure cookies?

Many thanks for a great product.
Mark

markholdt · January 24, 2020, 7:13am

Here is the cookie info.

ss-id cookie e.g. set to domain of API.

mythz · January 24, 2020, 3:47pm

You can configure how cookies are set in .NET Framework by overriding void HttpCookieFilter(HttpCookie cookie) in your AppHost or in .NET Core by overriding CookieOptionsFilter() in your AppHost, e.g:

public override void CookieOptionsFilter(Cookie cookie, CookieOptions cookieOptions)
{
    cookieOptions.SameSite = SameSiteMode.None;
}

I’ve also just updated this in this commit so in ASP.NET Core it automatically populates SameSite with None if UseSameSiteCookies == false which is now available from v5.8.1 on MyGet.

markholdt · January 31, 2020, 10:18am

Yip thanks. All good!