Skip to content

Some Cookie SameSite defaults changed to None #348

New issue
New issue
Open
Open
Some Cookie SameSite defaults changed to None#348
Labels
3.0.0Announcements related to ASP.NET Core 3.0AnnouncementBreaking changeDocumentedThe breaking change has been published to the .NET Core docs
Milestone
3.0.0-preview4
@Tratcher

Description

@Tratcher
Tratcher
opened on Mar 5, 2019

Some Cookie SameSite defaults changed to None

SameSite is an option for cookies that can help mitigate some CSRF attacks. When this option was initially introduced inconsistent defaults were used across various AspNetCore APIs that has lead to confusing results. In 3.0.0-preview4 we've better aligned these defaults and made the feature opt-in on a per-component basis.

Version introduced

3.0

Old behavior

APIs defaulted to SameSiteMode.Lax.

New behavior

APIs default to SameSiteMode.None.

Reason for change

To make SameSite an opt-in feature.

Recommended action

Each component that emits cookies need to decide if SameSite is appropriate for their scenarios. Review your usage of the affected APIs and reconfigure SameSite as needed.

Category

ASP.NET

Affected APIs

Issue metadata

  • Issue type: breaking-change

Metadata

Metadata

Assignees

No one assigned

    Labels

    3.0.0Announcements related to ASP.NET Core 3.0AnnouncementBreaking changeDocumentedThe breaking change has been published to the .NET Core docs

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions