Overview
Chrome released a stable version of Chrome version 80 on February 4th, 2020. This version introduces a new restriction where the browser removes the use of cookies with the SameSite=None attribute but without the Secure attribute. Any cookie that requests SameSite=None but is not marked Secure will be rejected.
Prerequisites
- Read/Write access to the site's root folder to make changes to the web.config file.
- You will need to upgrade the .NET framework version to at least 4.7.2 to be able to apply this solution.
- Access to a SuperUser account.
Solution
To make the DNN and HTTP cookies fully secure and have a SameSite attribute defined in them, you must open your web.config file in the root directory to find and append the following text shown in bold:
- To secure the .DOTNETNUKE cookie:
<authentication mode="Forms">
<forms name=".DOTNETNUKE" protection="All" timeout="60" cookieless="UseCookies" requireSSL="true" cookieSameSite="None" />
</authentication>
- To secure the other HTTP cookies:
<httpCookies httpOnlyCookies="true" requireSSL="true" domain="" sameSite="None" />
After setting the above, your .DOTNETNUKE cookie and the other HTTP Cookies should be set as Secure.
- As for the ASPXANONYMOUS cookie, you should be able to secure this cookie by changing the following in your web.config in bold:
<anonymousIdentification enabled="true" cookieName=".ASPXANONYMOUS" cookieTimeout="100000" cookiePath="/" cookieRequireSSL="true" cookieSlidingExpiration="true" cookieProtection="All" domain="" />.
Note: If you mistakenly edited this file from the Persona Bar instead of the root directory, you will see the following warning message:
You can select Yes and this will still resolve the issue.
Testing
You can test that the cookie has been modified by:
- Press F12 from your browser and go to Application > Cookies
- Check the SameSite column for your SameSite Cookie setting.
Priyanka Bhotika
Comments