.net framework4.5下解決Chrome瀏覽器SameSite問題
阿新 • • 發佈:2020-08-20
Chrome瀏覽器在76版本開始增加了一個SameSite的標記用於防止跨站cookie問題,然而Chrome 80版本在2020 年 2 月 4 日後卻預設將SameSite屬性設定為Lex導致之前部分專案的cookie設定失敗。
雖然.net framework在4.7.2 開始支援cookie的SameSite屬性設定,但是由於很多老專案升級.net framework動作有點打,所以另尋解決方案。通過Google官方的文件發現SameSite屬性只需要跟在set-cookie值內追加響應的設定即可,所以可以在專案中自行實現一個SetCookie方法來實現設定SameSite的能力。具體的程式碼如下:
1 public static class ResponseExtend 2 { 3 public static void SetCookie(this HttpResponseBase response, string key, string value, SameSiteMode sameSite = SameSiteMode.None, bool requireSSL = false) 4 { 5 string sameSiteValue = string.Empty; 6 stringsecureValue = string.Empty; 7 switch (sameSite) 8 { 9 case SameSiteMode.Strict: 10 sameSiteValue = " SameSite=Strict;"; 11 break; 12 case SameSiteMode.Lax: 13 sameSiteValue = " SameSite=Lax;"; 14 break; 15 case SameSiteMode.None: 16 default: 17 sameSiteValue = " SameSite=None;"; 18 break; 19 } 20 if (requireSSL) 21 { 22 secureValue = " Secure"; 23 } 24 response.Headers.Add("set-cookie", string.Format($"{key}={value}; path=/;{sameSiteValue}{secureValue}")); 25 } 26 } 27 28 public enum SameSiteMode 29 { 30 Strict, 31 Lax, 32 None 33 }
這樣就簡單實現了一個Response的SetCookie擴充套件方法(當然實現較為簡單,沒有考慮其他的設定可選項,可根據後期需要更改邏輯),然後在需要的地方進行呼叫即可。
1 public ActionResult Index() 2 { 3 Response.SetCookie("test1", "test1111"); 4 Response.SetCookie("test2", "test2222"); 5 return View(); 6 }
在瀏覽器中檢視cookie時就發現沒有警告了,並且cookie的SameSite屬性正確顯示為設定的值,這裡是None。
當然SameSite的值也可以設定成其他的型別,具體參考下表
WHEN TO... | SCENARIO | ATTRIBUTE | IF YOU DO NOTHING |
---|---|---|---|
UseSameSite=Strict |
Your website offers banking services or your website needs a very secure environment | Update yourattribute toto add a layer of protection from web threats.SameSite SameSite=Strict |
Your site may be susceptible to potential web vulnerabilities and data leaks. |
UseSameSite=Lax |
You have a social community website and you offer embedded chat widgets | Update yourattribute toSameSite SameSite=Lax |
You'll be good to go. Chrome's default behavior will be. Even ifis not set, the default is stillSameSite=Lax SameSite SameSite=Lax |
UseSameSite=None |
Your website offers data analytics servicesORyour website offers retargeting, advertising and conversion tracking. | Update yourattribute toto ensure Chrome doesn't reject your third-party cookies.SameSite SameSite=None; Secure |
Your cookies will no longer work on Feb 4, 2020. |
"Speak to a representative" | You've monetized your website with third-party ad programsORyou're utilizing third-party services like Google Calendar, Cloudflare, Facebook, Twitter, Instagram, LinkedIn, Gravatar, User Tracking services, CRM, reservations plugin, anti-fraud, third-party fonts, image/video hosting and/or payments services. | Speak with the ad program company to ensure they have a plan to update their cookies. You can't update cookies on a domain you don't control. | You may see a decline in the ad revenue you receive and or business engagement. |
參考文件:
- https://blog.heroku.com/chrome-changes-samesite-cookie
- https://docs.microsoft.com/en-us/aspnet/samesite/system-web-samesite
- https://stackoverflow.com/questions/62576470/how-to-set-samesite-value-to-none-in-net-4-5-2
- https://stackoverflow.com/questions/50361460/samesite-cookie-attribute-not-being-set-using-javascript
- https://github.com/GoogleChromeLabs/samesite-examples/blob/master/javascript.md