The 'sameSite' attribute is not allowed in web.config Asp.net Web project with framework 4.8

Asked 4/8, 2020 at 12:9 Answered 4/2, 2021 at 13:58

asp.net visual-studio web-config httpcookie samesite

I been trying to add sameSite = None attribute to my project cookies as a part of Chrome standards. I am using .net framework 4.8 and it supports sameSite for cookie (https://learn.microsoft.com/en-us/aspnet/samesite/system-web-samesite#using-samesite-in-aspnet-472-and-48), but i am not able to do it from web.config Please help if anyone has faced similar problem and resolved that.

Jeanmariejeanna answered 4/8, 2020 at 12:9 Comment(2)

i think this is somehow related to windows update for 4.8 framework and Visual Studio 2019 update. Somehow this is working now by doing the update – Jeanmariejeanna 5/8, 2020 at 11:1

It's important that OP (Gaurav) pointed out that he is using 4.7.2, because the sameSite attribute in web.config <httpCookies> element is only supported in .NET versions >= 4.7.2 (as seen on their site) – Twocycle 21/10, 2020 at 15:33

This is only a warning because the attribute isn't included in Visual Studio yet. It shouldn't stop you compiling and will work in production because the latest browsers support it.

As Microsoft includes this in their official documentation I would use it as recommended and ignore the warning until an update is released with the same site parameter included.

<configuration>
 <system.web>
  <httpCookies sameSite="[Strict|Lax|None|Unspecified]" requireSSL="[true|false]" />
 <system.web>
<configuration>

As of Visual Studio Community 2022 Version 17.7.6 this is still not included.

(It might be safe to assume this will never get added to Visual Studio.)

Achromat answered 13/8, 2020 at 12:55 Comment(4)

I tried setting sameSite="Strict" in my web.config but get the "sameSite attribute is not allowed" warning/error. I then tried launching my web site but got a 500 error. I'm using ASP.NET 4.7.2 and Visual Studio 2019 16.8.3... – Mistrustful 5/1, 2021 at 18:18

@MarkS You will still get the warning in visual studio as the attribute is still not included. If you are getting error 500, are you sure it is caused by this? What is your error message? – Achromat 6/1, 2021 at 11:1

I should have mentioned that I thought this would work because Gaurav said this should work with 4.7.2 and I'm on 4.7.2. Nevertheless, I got this to work. In my web.config file, I set the httpCookies tag with sameSite="Strict" and removed it from the forms and sessionState tags. The .ASPXAUTH parameter now shows SameSite as Strict and my app functions normally. – Mistrustful 6/1, 2021 at 20:26

@MarkS Accoriding to Microsoft (See link in answer) this attribute is supported from 4.7.2 – Achromat 7/1, 2021 at 9:45

-7

chrome://flags/#same-site-by-default-cookies

Paste In Browser Url

Disable It

Now Working fine

samesite=None

Caryloncaryn answered 4/2, 2021 at 13:58 Comment(0)

Recommended topics

Hot tags