Need to make code changes to .NET apps to support Chrome SameSite cookie changes?

I have read the announcement about Chrome’s upcoming changes to SameSiteCookie behavior and the Auth0 page here: I’m still not clear if I need to make changes to my application code for my apps to keep working. What specific actions do I need to take to fulfill these tasks?

  • Set your application to use sameSite=none if it uses response_mode=form_post when interacting with Auth0 (note that Chrome makes no exceptions, even for localhost )
  • Set your cookie as secure if its sameSite attribute equals None , otherwise it will be rejected by the browser. If you use HTTP for your Callback URLs, these will break if you use such cookies for binding the authorization request state/nonce. Therefore, you must either use HTTPS or set sameSite=lax .

I have a number of ASP.NET MVC 4.7 apps and one .NET core app. The Auth0 configuration pretty much uses the boilerplate code from the quick starts.

.NET 4.7 application Startup.cs

 // Set Cookies as the default authentication type
            app.UseCookieAuthentication(new CookieAuthenticationOptions
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                LoginPath = new PathString("/Account/Login")

            // Configure Auth0 authentication
            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
                AuthenticationType = "Auth0",
                Authority = $"https://{auth0Domain}",
                ClientId = auth0ClientId,
                ClientSecret = auth0ClientSecret,
                RedirectUri = auth0RedirectUri,
                PostLogoutRedirectUri = auth0PostLogoutRedirectUri,
                ResponseType = OpenIdConnectResponseType.CodeIdToken,
                Scope = "openid email profile id_token roles",
                TokenValidationParameters = new TokenValidationParameters
                    NameClaimType = "name",
                    RoleClaimType = "role"
                Notifications = new OpenIdConnectAuthenticationNotifications
                    RedirectToIdentityProvider = notification =>
                        if (notification.ProtocolMessage.RequestType == OpenIdConnectRequestType.Logout)
                            var logoutUri = $"https://{auth0Domain}/v2/logout?client_id={auth0ClientId}";

                            var postLogoutUri = notification.ProtocolMessage.PostLogoutRedirectUri;
                            if (!string.IsNullOrEmpty(postLogoutUri))
                                if (postLogoutUri.StartsWith("/"))
                                    //transform to absolute URI
                                    var request = notification.Request;
                                    postLogoutUri = request.Scheme + "://" + request.Host + request.PathBase + postLogoutUri;
                                logoutUri += $"&returnTo={ Uri.EscapeDataString(postLogoutUri)}";
                        return Task.FromResult(0);

.NET Core 3 application Startup.cs

 // Auth0 configuration
            services.Configure<CookiePolicyOptions>(options =>
                // This lambda determines whether user consent for non-essential cookies is needed for a given request.
                options.CheckConsentNeeded = context => true;
                options.MinimumSameSitePolicy = SameSiteMode.None; // Does this need to change?

            // Add authentication services
            services.AddAuthentication(options =>
                options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            .AddOpenIdConnect("Auth0", options =>
                ConfigureOpenIdConnectOptions(options); // Auth0 tenant settings applied here

Any clarity would be appreciated.

Good morning @ljacobsen and welcome to the Auth0 Community!

What our Engineers are recommending is to make sure your SDK (if any) is up-to-date.
We’ve already made some changes on the server side to address cookie handling. Depending on your configuration you may need to make some changes to cookie handling within your application. We have a document on this:

And some additional exposition here:

If you’re using recent versions of our SDKs cookie handling should generally be taken care of for you, but if you’re manually making HTTP calls you may need to confirm the cookie attributes. In any case there’s no substitute for functional testing–I strongly recommend enabling the new cookie behavior in Chrome for testing:

to test the effect of the new Chrome behavior on your site or cookies you manage, you can go to chrome://flags in Chrome 76+ and enable the “SameSite by default cookies” and “Cookies without SameSite must be secure” experiments

Please let me know if you have any additional questions on this front.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.