.net Samesite cookie和Owin
为了与Chrome80版本兼容,我们已经为OWIN应用程序实现了相同的站点cookie 我们有:.net Samesite cookie和Owin,.net,google-chrome,owin,samesite,.net,Google Chrome,Owin,Samesite,为了与Chrome80版本兼容,我们已经为OWIN应用程序实现了相同的站点cookie 我们有: 将owin升级到4.1 将.net框架定向到.net 4.7.2 它在ChromeV80测试版中运行良好。但是,在严格模式下(.\chrome.exe--enable features=SamesiteDefaultChecksMethodrigory)。它给出了以下错误: Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectP
有人遇到过这样的问题吗?可能是对这个问题的答复太晚了,但迟做总比不做要好:-) Chrome已经进行了更新和更改,以减少跨站点请求伪造(CSRF),出于安全原因,这些更改将逐步在所有浏览器上实施。 [https://blog.chromium.org/2020/05/resuming-samesite-cookie-changes-in-july.html] 下面的补丁对我有用
<!-- Add "SameSite=None" to any cookie which does NOT have it yet -->
<!-- currently this only works for secure https cookies -->
<rule name="Add SameSite">
<conditions>
<add input="{RESPONSE_Set_Cookie}" pattern="." />
<add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=None" negate="true" />
<add input="{HTTPS}" pattern="on" ignoreCase="true" />
</conditions>
<match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
<action type="Rewrite" value="{R:0}; SameSite=None" />
</rule>
<!-Add "Secure" to any cookie which does NOT have it yet, as long as it's HTTPS request or else a secure cookie would just be ignored->
<rule name="Add Secure">
<conditions>
<add input="{RESPONSE_Set_Cookie}" pattern="." />
<add input="{RESPONSE_Set_Cookie}" pattern="; Secure" negate="true" />
<add input="{HTTPS}" pattern="on" ignoreCase="true" />
</conditions>
<match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
<action type="Rewrite" value="{R:0}; Secure" />
</rule>
<!--If samesite was set to none by cookieSameSite="None",
remove it for non-https requests (currently only works for https)-->
<rule name="No SameSite For HTTP">
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<match serverVariable="RESPONSE_Set_Cookie" pattern="(.);(\s)SameSite=None" />
<action type="Rewrite" value="{R:1}" />
</rule>
</outboundRules>
</rewrite>