Preventing CSRF with the same-site cookie attribute

by

After Deep review on HttpCookie Source it’s confirm that we cannot do this with the code, as there is no way to add extra attribute on Cookie and class is marked as sealed.

But still anyhow I manage solution by modifying web.config as below.

<rewrite>
  <outboundRules>
    <rule name="Add SameSite" preCondition="No SameSite">
      <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
      <action type="Rewrite" value="{R:0}; SameSite=strict" />
      <conditions>
      </conditions>
    </rule>
    <preConditions>
      <preCondition name="No SameSite">
        <add input="{RESPONSE_Set_Cookie}" pattern="." />
        <add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=strict" negate="true" />
      </preCondition>
    </preConditions>
  </outboundRules>
</rewrite>

This add SameSite=strict on each Set-Cookie.

More Related Contents:

  1. ASP.NET Web API – PUT & DELETE Verbs Not Allowed – IIS 8
  2. I just discovered why all ASP.Net websites are slow, and I am trying to work out what to do about it
  3. System.Diagnostics.Process.Start not work from an IIS
  4. Access-control-allow-origin with multiple domains
  5. How do I resolve “HTTP Error 500.19 – Internal Server Error” on IIS7.0 [closed]
  6. HTTP Error 503, the service is unavailable
  7. IIS7 Cache-Control
  8. ASP.NET MVC and IE caching – manipulating response headers ineffective
  9. ASP.NET Web API OperationCanceledException when browser cancels the request
  10. ASP.NET 4.5 MVC 4 not working on Windows Server 2008 IIS 7
  11. ASP.NET Core with IIS – HTTP Verb Not Allowed
  12. How to debug w3wp clr.dll error
  13. Web Application Problems (web.config errors) HTTP 500.19 with IIS7.5 and ASP.NET v2
  14. How to set up subdomains on IIS 7
  15. how SameSite attribute added to my Asp.net_SessionID cookie automatically?
  16. Sharing cookies across different domains and different applications (classic ASP and ASP.NET)
  17. What is Kestrel (vs IIS / Express)
  18. “Retrieving the COM class factory for component…. error: 80070005 Access is denied.” (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
  19. What are the pros and cons of running IIS as 32bit vs 64bit on a 64bit OS?
  20. How to deploy ASP.NET MVC 4 application using localDB to local IIS on Windows 7?
  21. ASP.NET site sometimes freezing up and/or showing odd text at top of the page while loading, on load balanced servers
  22. “The page you are requesting cannot be served because of the extension configuration.” error message
  23. What does ‘IISReset’ do?
  24. set cookie to expire at end of session? asp.net
  25. SignalR and Browser Connection limit
  26. Diagnosing 404 errors on IIS 7 and ASP.NET MVC
  27. “StartTag: invalid element name” in default.aspx
  28. Too many cookies OpenIdConnect.nonce cause error page “Bad Request – Request Too Long”
  29. Web authentication state – Session vs Cookie?
  30. Is it possible to recycle IIS application pools without losing user sessions?

Leave a Comment