SameSite cookies in ASP.NET 4.0

Question

I have an application written in ASP.NET 4.0. All was working fine till google chrome introduced this samesite cookie default value to 'lex'.

There is a solution of handling samesite cookie in asp.net version 4.7.2.

https://docs.microsoft.com/en-us/aspnet/samesite/system-web-samesite

But I am unable to find any solution for version 4.0. Do I need to upgrade from 4.0 to 4.7.2 ?

Answer 1

Short answer: It seems that Yes, they are forcing us to upgrade.

Why?: "The updated standard is not backward compatible with the previous standard[...]Microsoft does not support .NET versions lower that 4.7.2 for writing the same-site cookie attribute."

Source:https://docs.microsoft.com/en-us/aspnet/samesite/system-web-samesite

Maybe this can help you: Adding Same-site; Secure to Cookies in Classic ASP

Have I made it work in my own apps?:Not reliably yet :(

Answer 2

Do I need to upgrade from 4.0 to 4.7.2 - Yes ,
Build you solution with .net target framework 4.7.2
update web.config
compilation targetFramework 4.7.2
httpRuntime targetFramework 4.7.2
update samesite option to Strict, Lax, or None as per your application requirement httpCookie.SameSite to SameSiteMode.Lax

Chrome browser SameSite cookie Update
SameSite Cookie Changes in ASP.NET and ASP.NET Core

Answer 3

This also works before 4.7.2:

Response.Headers.Add("set-cookie", "mysessioncookie=theValue; path=/; SameSite=Strict")