在 "URL" 处设置了与跨站点资源关联的 cookie,但未设置“SameSite”属性

A cookie associated with a cross-site resource at "URL" was set without the `SameSite` attribute

In the Google Chrome console I get this warning: "A cookie associated with a cross-site resource at "URL" was set without the SameSite attribute". It has been blocked because Chrome now only delivers cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. I verified the same thing under Application > Storage > Cookies, where I found that Same Site is "blank/Empty", and I want to update it to "None".

I tried some of the approaches mentioned by other developers, but none of them seem to work for me.

Implementation 1: using the code mentioned below

Updated my web.config:

<sessionState cookieSameSite="None" />
<httpCookies httpOnlyCookies="true" requireSSL="true" />

// sameSite="None" in the httpCookies section did not work for me and gave me the error message "sameSite attribute is not allowed"

Implementation 2: modified the code in the class file where I create the cookie

HttpCookie sessionCookie = new HttpCookie("Token");
sessionCookie.Value = sessionToken;
sessionCookie.HttpOnly = true;
sessionCookie.SameSite = SameSiteMode.None;
sessionCookie.Secure = FormsAuthentication.RequireSSL && Request.IsSecureConnection;
sessionCookie.Domain = Request.Url.Host;
Response.Cookies.Add(sessionCookie);

Implementation 3: created a separate MVC filter to handle this

public override void OnActionExecuting(ActionExecutingContext filterContext)
{
    var response = filterContext.RequestContext.HttpContext.Response;

    if (response != null)
    {
        response.AddHeader("Set-Cookie", "HttpOnly;Secure;SameSite=None");
    }

    base.OnActionExecuting(filterContext);
}

Implementation 4: IIS URL Rewrite outbound rule in web.config

<rewrite>
  <outboundRules>
    <rule name="Add SameSite" preCondition="No SameSite">
      <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
      <action type="Rewrite" value="{R:0}; SameSite=None" />
      <conditions>
      </conditions>
    </rule>
    <preConditions>
      <preCondition name="No SameSite">
        <add input="{RESPONSE_Set_Cookie}" pattern="." />
        <add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=" negate="true" />
      </preCondition>
    </preConditions>
  </outboundRules>
</rewrite>

Targeting .NET Framework 4.7.2.

Do I need to do something on my local machine or on the server, or is there some way I can get rid of this warning message?

From the OWASP cheat sheet on setting SameSite cookies to mitigate CSRF: when setting the SameSite attribute to None, we have to set the Secure flag on the cookie as well. This can be done by referring to this question.

All desktop browsers and almost all mobile browsers now support the SameSite attribute. To keep track of the browsers implementing it and the usage of the attribute, refer to the following service. Note that Chrome has announced that they will mark cookies as SameSite=Lax by default from Chrome 80 (due in February 2020), and Firefox and Edge are both planning to follow suit. Additionally, the Secure flag will be required for cookies that are marked as SameSite=None.

Works for me:

<configuration>
  <system.web>
    <httpCookies sameSite="None" requireSSL="true" />
  </system.web>
</configuration>
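As an added illustration (not code from the question or from either answer), here is a small Python checker that classifies `Set-Cookie` header values the way the Chrome 80 behaviour described above treats them: no `SameSite` attribute becomes Lax by default (the console warning), `SameSite=None` without `Secure` is rejected, and only `SameSite=None; Secure` is sent cross-site. The header values are constructed samples that mirror the question's `Token` cookie and its attempts, including the filter header with no `name=value` pair.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class CookieCheck:
    name: Optional[str]
    samesite: Optional[str]
    secure: bool
    httponly: bool
    verdict: str  # "ok", "lax-by-default", "rejected" or "malformed"


def check_set_cookie(header: str) -> CookieCheck:
    """Classify one Set-Cookie header value under Chrome 80+ rules."""
    parts = [p.strip() for p in header.split(";")]
    name_value = parts[0]
    # A Set-Cookie value must start with name=value; bare attributes are not a cookie.
    if "=" not in name_value or not name_value.split("=", 1)[0]:
        return CookieCheck(None, None, False, False, "malformed")
    name = name_value.split("=", 1)[0]
    samesite: Optional[str] = None
    secure = httponly = False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "samesite":
            samesite = value.strip().lower()
        elif key == "secure":
            secure = True
        elif key == "httponly":
            httponly = True
    if samesite not in ("strict", "lax", "none"):
        verdict = "lax-by-default"      # missing or unrecognised value: Chrome defaults to Lax
    elif samesite == "none" and not secure:
        verdict = "rejected"            # SameSite=None requires the Secure flag
    else:
        verdict = "ok"
    return CookieCheck(name, samesite, secure, httponly, verdict)


# Constructed sample headers modelled on the question (not captured from a real server).
SAMPLE_HEADERS = [
    "Token=abc123; HttpOnly; Path=/",                 # no SameSite: the warning in the question
    "Token=abc123; HttpOnly; SameSite=None",          # rewrite rule output: None but not Secure
    "Token=abc123; HttpOnly; Secure; SameSite=None",  # what Chrome sends cross-site
    "HttpOnly;Secure;SameSite=None",                  # Implementation 3's header: no name=value
]


def audit(headers: List[str]) -> List[Tuple[Optional[str], str]]:
    """Return (cookie name, verdict) for each header so the output can be reviewed."""
    return [(c.name, c.verdict) for c in map(check_set_cookie, headers)]
```

Running `audit(SAMPLE_HEADERS)` shows only the third header as accepted for cross-site use, which is exactly the `SameSite=None` plus `requireSSL="true"` combination in the answer above.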