►
From YouTube: ASP.NET Core Series: SameSite Cookie Security
Description
SameSite is an IETF draft standard designed to provide some protection against cross-site request forgery (CSRF) attacks.
In this episode, we’re joined by .NET Security Curmudgeon Barry Dorrans who will talk to us about some of the concerns around SameSite cookies and how to address them.
[01:09] - What are same site cookies?
[06:34] - What’s broken with some browsers?
[10:03] - Fixing the SameSite cookie in Visual Basic and Web Forms
[17:25] - Fixing the SameSite cookie in C# and MVC 5
[19:41] - Fixing the SameSite cookie in ASP.NET Core
Working with SameSite cookies in ASP.NET
https://aka.ms/SameSiteCookiesOnNET
Working with SameSite cookies in ASP.NET COre
https://docs.microsoft.com/aspnet/core/security/samesite?WT.mc_id=ondotnet-c9-cephilli
Upcoming SameSite Cookie Changes in ASP.NET and ASP.NET Core
https://devblogs.microsoft.com/aspnet/upcoming-samesite-cookie-changes-in-asp-net-and-asp-net-core?WT.mc_id=ondotnet-c9-cephilli
Overview of ASP.NET Core Security
https://docs.microsoft.com/en-us/aspnet/core/security?WT.mc_id=ondotnet-c9-cephilli
A
This
episode
of
our
net
brought
to
you
by
the
letter
e
and
the
number
5
you're,
not
gonna,
want
to
miss
this
episode
of
e
on
that
show
where
we
talk
about
Saints
high
cookies,
and
if
things
are
breaking
we're,
gonna
help
you
fix
it.
A
little
janitorial
work
with
Barry
Dorian's
make
sure
you
turn
in.
B
B
A
B
B
B
B
A
B
We
have
had
security
vulnerabilities
around
cross-site
request,
forgery
and
various
attempts
have
been
made
to
secure
this
type
of
login
flow
and
the
same
site
attribute
on
a
cookie
was
one
of
these,
and
so
what
the
same
site
attribute
was,
therefore,
is,
it
would
say
only
saying
this
cookie
to
the
website
that
issued
it
and
not
from
a
flow
that
has
come
from
any
other
website.
So
do
you
know
when
you
hit
login
with
Active,
Directory
or
log
in
with
Google
or
Logan
with
v
book?
It
goes
out
of
your
website
to
another
website.
A
B
And
so
strict
would
say,
don't
send
it
unless
it's
a
request,
that's
only
come
from
within
my
site
lacks
would
say
you
can
send
it
if
it's
a
safe
request.
That's
come
from
another
site,
a
get
request,
rather
than
a
post
request,
certain
things
from
work
to
safe
and
then
the
other
option
was
really
none
or
I'm
not
going
to
mark
the
cookie
with
either
strict
or
lacks,
and
it
just
gets
treated
as
there's
no
security
on
it
will
let
it
flow.
B
B
B
B
This
would
all
be
well
and
good,
except
for
the
fact
that
the
original
spec
said
if
I
am
a
browser
and
I
come
across
a
value
that
I
don't
understand,
it
could
be
a
value
of
Seth.
For
example,
sorry
I'm
sorry
equals
Seth.
What
I
will
do
is
I
will
ignore
that
value
and
I
will
switch
myself
into
strict
mode.
Oh.
B
So
when
this
new
attribute
come
this
new
attribute
value
comes
in
of
none
all
the
old
browsers
switch
themselves
into
strict
mode
and
your
login
breaks,
and
so
by
all
browsers
I,
don't
mean
you
know
ie,
for
example,
because
ie
never
understood
same
site,
so
it
just
ignores
it
altogether.
I'm
talking
about
older,
browsers
on,
say
your
iPhone
or
on
your
Android
device
that
hasn't
been
updated
recently.
So
what
people
will
see
is
in
certain
types
of
external
flows.
Typically
login
flows
via
open
ID
connect
on
older
browsers.
B
It
will
suddenly
break
because
what
we
did
in
December
was.
We
pushed
a
change
that
says:
ok
if
you're
gonna
tell
asp.net
to
use
the
none
value,
we're
going
to
omit
this
new
value
because
chrome
frankly
has
a
larger
market
share.
So
we
break
less
people
by
supporting
new
versions
of
Chrome.
Then
we
do
by
sticking
to
the
older
version
and
making
you
opt
in
I.
A
B
Do
the
unfortunate
thing
being,
of
course,
this
this
fall
back
in
the
original
spec.
That
said,
if
you
don't
understand
what
the
attribute
is
turn
yourself
into
ultra
secure
mode,
so
all
the
browsers
that
don't
understand
them,
you
want,
which
was
pretty
much
everything
but
chrome
broke
right,
which
makes
people
really
unhappy
sometimes.
B
B
A
B
Learn
something
so
what
happens
with,
though
IDC
is
in
order
to
make
sure
that
it
is
a
valid
request,
and
it's
one
that
we've
triggered.
We
drop
what's
called
a
correlation
cookie.
The
correlation
cookie
has
a
value.
We
also
send
that
value
to
the
OID
C
server,
the
OID
C
server
sends
it
back
and
we
compare
it
against
our
correlation
cookie.
Only
now
we
can't
read
our
correlation
cookie,
because
the
request
has
come
from
a
remote,
oh
I,
DC
server,
I
can't
read
it
to
match
them
up
and
everything
just
falls
apart.
It's.
A
B
B
Let's,
let's
show
you
how
you
can
diagnose
this
here,
that's
in
core!
You
can
actually
see
there's
a
failure
down
here
and
this
will
appear
in
your
logs
and
it
goes
unhandled
exception
and
system
exception
correlation
failed.
You
don't
see
this
error
messaging
core
because
we
make
or
you
know,
secure
by
default.
You
don't
see
rar
error
messages,
so
this
isn't
just
limited
to
core.
This
goes
all
the
way
back.
This
is
a
problem
in
web
forms.
This
is
a
problem
in
old-style
MVC.
B
B
B
B
So
that,
on
our
Doc's
page,
we
have
a
bunch
of
pages,
but
they
include
runnable
samples,
which
is
which
is
lovely,
so
we're
going
to
start
off
with
as
old
as
we
can
go
with
this,
which
is
a
speed
up
now
at
4.7,
which
is
literally
months
ago.
It's
it's
slightly.
More
than
months
ago,
we
have
had
some
some
emails
from
people
that
say,
I
am
stuck
on.
B
A
B
B
A
B
A
B
Right
so
I
have
a
postback
I'm
gonna
write
out
some
cookies
and
inside
the
cookies.
You
can
see
that
oh
look,
Sam
site
equals
none,
mm-hmm,
I'm
gonna,
add
the
cookie
I'm,
also
gonna
just
fiddle
around
and
do
some
some
other
stuff,
but
this
is
the.
This
is
the
simple
things.
So
this
will
write
out
the
none
attribute:
okay,
yeah,
because
this
has
been
an
updated
version
of
donut
once
it
starts
I'm
going
to
click
create
cookies
and
nothing
really
has
changed.
The
way
that
you
see
this
is
you
hit
f12?
B
B
A
B
Yeah
not
great,
but
it
supports
third
party
components
and
a
bunch
of
other
stuff
and
it
works
for
us.
It
also
means
you
know
when
you
are
using
your
phone,
that
the
limit
on
the
size
of
cookies
that
can
be
issued
is
in
fact
an
awful
lot
smaller
than
our
desktops,
so
double
cookies,
especially
double
authentication,
cookies,
tended
to.
A
B
Okay,
so
here
we
have
Sam
site
support,
VB,
okay,
and
this
is
pretty
much
all
your
switch
statements
move.
So
we
have
we.
We
spent
a
lot
of
time
with
the
aad
people
and
looked
at
the
vast
majority
of
browsers
that
hit
aad
and
we
covered
the
common
scenarios
with
all
those
AED
ones
which
are
iPhones
Mac's,
older
versions
of
Chrome
and
apparently
Unreal.
Engine,
hey,
you
know,
I
know.
So
there
are
a
bunch
of
I
guess
it
must
be
Xbox
games
and
that's.
B
A
B
It
will
fix
the
majority
of
the
back
backwards
compatibility
issues.
I
am
sure
that
there
are
customers
out
there
with
very
weird
browsers
things
that
are
baked
into
hardware
devices
that
we
have
never
heard
of
so
because
we're
going
to
make
you
we're
not
shipping
this
code,
we're
making
you
put
it
into
your
project
and
compile
it
in
for
those
people
that
have
been
using
asp.net
for
years.
They
may
remember
the
browser
capital
any
file
where
we
have
a
list
of
browser
capabilities
and
every
time
we
updated
asp.net.
B
It
was
already
three
months
out
of
date
we're
not
getting
into
that
game.
We
can't
ship
this
fast
enough
to
be
useful
to
allow
you
to
customize
things
so
we've,
given
you
a
way
to
customize
it
yourself
by
just
dropping
it
into
your
project,
so
you
take
the
same
site
support
when
you
drop
it
in
and
then
there's
also
a
little
function
here.
That
does
a
bunch
of
filtering,
and
so
it
will
look
to
see
if
the
browser
supports
same
site
and.
A
A
B
One
is
now
the
indicator
that
says:
do
not
omit
the
attribute
at
all.
So
here
we
go
it's
not
too
bad.
We
check
whether
it
disallowed
Sam
site
and
if
it,
if
it
doesn't
understand
the
new
value,
we're
gonna
strip
the
Sam
site
attribute
altogether,
and
it
will
work
just
the
way
it
used
to
work.
The
final
thing
is,
then
hooking
that
up
in
an
application
begin
request.
You
just
took
hookup
the
same
site,
cookie,
buddy,
writer
filter
it
and
that's
it.
B
B
B
B
Of
okay,
so
there
is,
what's
called
a
cookie
manager
option
on
every
single
authentication
middleware.
So
here
we're
doing
cookie
authentication,
the
oh
I,
oh
I,
do
see.
Middleware
has
one
the
WS
fed
middleware
has
one
every
single
one
has
a
cookie
manager,
and
so
we
said
the
cookie
manager
to
be
a
new
same
site,
cookie
manager
and.
B
A
B
A
B
A
B
A
B
Kind
of
okay:
we
still
have
to
have
this
browser
sniffing
component,
no
matter
what
okay,
it
just
looks
slightly
different
in
asp.net
core.
So
here
we
go
asp.net
core
MVC.
Let's
look
at
this
here
we
have
our
our
sniffing
same
file,
and
this
time
it
actually
gets
a
little
bit
easier.
I
have
a
cookie
policy,
so
cookie
policies
we
put
in
originally
for
GDP
are
so
you
could
change
how
cookies
got
written
and
whether
they
were
written
or
not.
Oh.
B
B
A
A
B
Actually
got
to
add
the
enum,
so
there
is
now
an
enum
where
it,
instead
of
having
this
magic
number
of
minus
1,
Sam
site
mode
unspecified
means
don't
write,
oh
because
we
could
break
things
in
3.1
because
it
was
new.
Oh,
so
it
was
coming
out
at
the
same
time
as
Google
were
issuing
their
updates,
so
well
3-1.
So
this
is.
This
is
absolutely
horrible,
but.