Starting with version 76, Chrome added a SameSite flag to prevent cross-site cookie problems. Chrome 80, however, began treating the SameSite attribute as Lax by default after February 4, 2020, which caused cookie setting in some older projects to fail.
Although .NET Framework 4.7.2 added support for setting the cookie SameSite attribute, upgrading the .NET Framework in many old projects is a big undertaking, so another solution was needed. Google's official documentation shows that the SameSite attribute only needs to be appended as the corresponding setting inside the Set-Cookie value, so the project can implement its own SetCookie method to set SameSite. The code is as follows:
```csharp
using System.Web;

public static class ResponseExtend
{
    public static void SetCookie(this HttpResponseBase response, string key, string value,
        SameSiteMode sameSite = SameSiteMode.None, bool requireSSL = false)
    {
        string sameSiteValue = string.Empty;
        string secureValue = string.Empty;
        switch (sameSite)
        {
            case SameSiteMode.Strict:
                sameSiteValue = " SameSite=Strict;";
                break;
            case SameSiteMode.Lax:
                sameSiteValue = " SameSite=Lax;";
                break;
            case SameSiteMode.None:
            default:
                sameSiteValue = " SameSite=None;";
                break;
        }
        if (requireSSL)
        {
            secureValue = " Secure";
        }
        // Write the raw Set-Cookie header. Key and value are not encoded here, so they must
        // not contain ';' or line breaks. Response.Headers requires IIS integrated pipeline mode.
        response.Headers.Add("set-cookie", $"{key}={value}; path=/;{sameSiteValue}{secureValue}");
    }
}

// Project-local enum; newer System.Web versions ship their own System.Web.SameSiteMode.
public enum SameSiteMode
{
    Strict,
    Lax,
    None
}
```
This gives a simple SetCookie extension method on Response (the implementation is deliberately minimal and ignores the other cookie options; the logic can be changed later as needed). It can then be called wherever it is needed:
```csharp
public ActionResult Index()
{
    Response.SetCookie("test1", "test1111");
    Response.SetCookie("test2", "test2222");
    return View();
}
```
Looking at the cookies in the browser, the warning is gone and the cookie's SameSite attribute correctly shows the configured value, here None. Note that when SameSite is set to None, requireSSL must be true and the site must be served over HTTPS, otherwise the cookie will not be written in cross-site requests.
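To check existing Set-Cookie headers against that rule, here is an added Python example (not code from the original post) that classifies each header the way Chrome 80 does: a missing attribute counts as Lax, and SameSite=None without Secure is rejected. The sample headers are constructed in the shape the SetCookie method above emits.

```python
"""Classify Set-Cookie headers the way Chrome 80+ does (added example)."""
from typing import Dict, List, Optional, Tuple

Attrs = Dict[str, Optional[str]]


def parse_set_cookie(header: str) -> Tuple[str, str, Attrs]:
    """Split a Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to None. Only the first '=' of each part is significant,
    so cookie values containing '=' survive intact.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value.strip(), attrs


def chrome80_verdict(header: str) -> str:
    """Return how Chrome 80+ treats the cookie: 'strict', 'lax', 'none',
    'lax-by-default' (attribute absent or unrecognised) or 'rejected'
    (SameSite=None without Secure)."""
    _, _, attrs = parse_set_cookie(header)
    samesite = (attrs.get("samesite") or "").lower()
    if samesite in ("strict", "lax"):
        return samesite
    if samesite == "none":
        return "none" if "secure" in attrs else "rejected"
    return "lax-by-default"


def audit(headers: List[str]) -> List[Tuple[str, str]]:
    """Return (cookie name, verdict) per header; 'rejected' entries are
    the cookies that stop working in cross-site requests."""
    return [(parse_set_cookie(h)[0], chrome80_verdict(h)) for h in headers]


# Constructed sample headers in the shape the SetCookie method emits.
SAMPLE_HEADERS = [
    "test1=test1111; path=/; SameSite=None;",         # default call, no Secure
    "test2=test2222; path=/; SameSite=None; Secure",  # requireSSL = true
    "sid=abc123; path=/",                             # legacy cookie, no attribute
    "csrf=x; path=/; SameSite=Strict; HttpOnly",
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_HEADERS):
        print(f"{name}: {verdict}")
```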
SameSite can of course be set to the other values as well; see the table below for details.
| WHEN TO... | SCENARIO | ATTRIBUTE | IF YOU DO NOTHING |
|---|---|---|---|
| Use `SameSite=Strict` | Your website offers banking services or your website needs a very secure environment | Update your `SameSite` attribute to `SameSite=Strict` to add a layer of protection from web threats. | Your site may be susceptible to potential web vulnerabilities and data leaks. |
| Use `SameSite=Lax` | You have a social community website and you offer embedded chat widgets | Update your `SameSite` attribute to `SameSite=Lax` | You'll be good to go. Chrome's default behavior will be `SameSite=Lax`. Even if `SameSite` is not set, the default is still `SameSite=Lax` |
| Use `SameSite=None` | Your website offers data analytics services OR your website offers retargeting, advertising and conversion tracking. | Update your `SameSite` attribute to `SameSite=None; Secure` to ensure Chrome doesn't reject your third-party cookies. | Your cookies will no longer work on Feb 4, 2020. |
| "Speak to a representative" | You've monetized your website with third-party ad programs OR you're utilizing third-party services like Google Calendar, Cloudflare, Facebook, Twitter, Instagram, LinkedIn, Gravatar, User Tracking services, CRM, reservations plugin, anti-fraud, third-party fonts, image/video hosting and/or payments services. | Speak with the ad program company to ensure they have a plan to update their cookies. You can't update cookies on a domain you don't control. | You may see a decline in the ad revenue you receive and/or business engagement. |
References:
- https://blog.heroku.com/chrome-changes-samesite-cookie
- https://docs.microsoft.com/en-us/aspnet/samesite/system-web-samesite
- https://stackoverflow.com/questions/62576470/how-to-set-samesite-value-to-none-in-net-4-5-2
- https://stackoverflow.com/questions/50361460/samesite-cookie-attribute-not-being-set-using-javascript
- https://github.com/GoogleChromeLabs/samesite-examples/blob/master/javascript.md