Setting "samesite" cookie attribute to "none"

Roland · March 29, 2019, 10:06am

I have an Angular Dart application using JSONWebClient and a .NET Core selfhosted ServiceStack server.

In a CORS scenario the server needs to set the samesite cookie attribute to “none” as the .NET Core framework defaults this attribute to “samesite=lax” which results in session cookies being rejected by the browser.

The only way I found to access this attribute was to implement CookieOptionsFilter method like:

public override void CookieOptionsFilter(Cookie cookie, CookieOptions cookieOptions)
{
    cookieOptions.SameSite = SameSiteMode.None;
    base.CookieOptionsFilter(cookie, cookieOptions);
}

I can do the override in a simple test server using .NET Core 2.1 selfhosted ServiceStack console app on my local Windows machine using VS2017.

However, the guy working on the server told me, that the override is not being recognized in his dev environment (JetBrains Raider on Linux / .NET Core 2.1 selfhosted ServiceStack console app).

Is this how it’s meant to be done or is there a (better?) way implementing this with response filters?

mythz · March 29, 2019, 3:59pm

Using the new Cookie Filter options in v5.5 is the way to do it.

He’s probably using an older version of ServiceStack that doesn’t have it, tell them to upgrade to the latest v5.5 release.