Resolving Chrome SameSite cookie warnings and securing authentication cookies

Overview

Chrome 80 was released to the stable channel on February 4th, 2020. This version introduces a new restriction: the browser no longer accepts cookies that carry the SameSite=None attribute without the Secure attribute. Any cookie that requests SameSite=None but is not marked Secure will be rejected.

 

Prerequisites

  • Read/Write access to the site's root folder to make changes to the web.config file.
  • You will need to upgrade the .NET framework version to at least 4.7.2 to be able to apply this solution.
  • Access to a SuperUser account.

 

Solution

To make the DNN and HTTP cookies fully secure and define a SameSite attribute on them, open the web.config file in the site's root directory, find the following elements, and append the text shown in bold:

  • To secure the .DOTNETNUKE cookie:

    <authentication mode="Forms">
      <forms name=".DOTNETNUKE" protection="All" timeout="60" cookieless="UseCookies" requireSSL="true" cookieSameSite="None" />
    </authentication>

  • To secure the other HTTP cookies:

    <httpCookies httpOnlyCookies="true" requireSSL="true" domain="" sameSite="None" />

After setting the above, your .DOTNETNUKE cookie and the other HTTP Cookies should be set as Secure.

  • As for the ASPXANONYMOUS cookie, you can secure it by changing the following in your web.config (shown in bold):

    <anonymousIdentification enabled="true" cookieName=".ASPXANONYMOUS" cookieTimeout="100000" cookiePath="/" cookieRequireSSL="true" cookieSlidingExpiration="true" cookieProtection="All" domain="" />

 

Testing

To test that the cookie has been modified:

  1. Press F12 in your browser and go to Application > Cookies.
  2. Check the SameSite column for your SameSite Cookie setting.
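
The same settings can also be checked in the file itself. The following Python script is an added example, not part of the original article or of DNN: it parses a web.config and reports any of the three elements above that is not marked Secure, or that sets SameSite=None without Secure. The names `audit_web_config`, `CHECKS`, `WEAK` and `FIXED` are illustrative, and both sample configurations are constructed.

```python
import xml.etree.ElementTree as ET

# (element under <system.web>, attribute that marks the cookie Secure, SameSite attribute)
CHECKS = [
    ("authentication/forms", "requireSSL", "cookieSameSite"),
    ("httpCookies", "requireSSL", "sameSite"),
    ("anonymousIdentification", "cookieRequireSSL", None),
]
# Constructed sample: SameSite=None on the forms cookie, but requireSSL is missing.
WEAK = """<configuration><system.web>
  <authentication mode="Forms">
    <forms name=".DOTNETNUKE" protection="All" timeout="60" cookieSameSite="None" />
  </authentication>
  <httpCookies httpOnlyCookies="true" requireSSL="false" domain="" />
  <anonymousIdentification enabled="true" cookieName=".ASPXANONYMOUS" cookieRequireSSL="true" />
</system.web></configuration>"""
# Constructed sample carrying the attribute values from the article.
FIXED = """<configuration><system.web>
  <authentication mode="Forms">
    <forms name=".DOTNETNUKE" protection="All" timeout="60" requireSSL="true" cookieSameSite="None" />
  </authentication>
  <httpCookies httpOnlyCookies="true" requireSSL="true" domain="" sameSite="None" />
  <anonymousIdentification enabled="true" cookieName=".ASPXANONYMOUS" cookieRequireSSL="true" />
</system.web></configuration>"""

def audit_web_config(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    system_web = ET.fromstring(xml_text).find("system.web")
    if system_web is None:
        return ["<system.web> section not found"]
    findings = []
    for path, secure_attr, samesite_attr in CHECKS:
        node = system_web.find(path)
        if node is None:
            findings.append(f"<{path}> not found")
            continue
        secure = node.get(secure_attr, "").lower() == "true"
        if not secure:
            findings.append(f'<{path}>: {secure_attr} is not "true"')
        samesite = node.get(samesite_attr) if samesite_attr else None
        if samesite_attr and samesite is None:
            findings.append(f"<{path}>: {samesite_attr} is not set")
        elif samesite and samesite.lower() == "none" and not secure:
            # The combination Chrome 80 rejects: SameSite=None without Secure.
            findings.append(f"<{path}>: SameSite=None without Secure")
    return findings

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("FIXED", FIXED)):
        print(name, audit_web_config(cfg) or "OK")
```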
