Azure App Service—SameSite cookie handling and .NET Framework 4.7.2 patch
Published date: 18 January, 2020
As part of the January 2020 update to Azure App Service, .NET Framework patches that update how .NET framework apps handle the SameSite cookie property are being installed. The service is also deploying an App Service compatibility behavior that applies to all applications running on App Service for scenarios where a cookie has set the SameSite property to "None".
.NET Core versions on the App Service platform already contain updates for SameSite cookie handling and aren’t changing as part of the January 2020 service update.
The Azure App Service payload is deploying throughout January 2020, with an estimated completion date of the end of January 2020 across the public Azure cloud, all App Service environments, and national clouds. See the latest information about the deployment.
Since the updates are deployed incrementally across the service, applications will start running on the newer App Service payload at different times during the deployment period. Developers can determine if applications are running on the updated App Service payload by checking the version of App Service in the SCM site. The SCM site is available in the portal from the Development Tools --> Advanced Tools option. Alternatively, developers can navigate directly to the SCM site for an application using the following URL format: https://your-sitename-here.scm.azurewebsites.net.
For Windows App Service sites, the home page of the SCM site shows the Azure App Service version. If the version is 22.214.171.124 (or later), then the associated application is running on the newly patched version of App Service.
For Linux App Service sites, clicking the Environment option in top menu of the SCM site will return a page with all of the sites’ environment variables. The resulting page will have a URL formatted like this: https://your-sitename-here.scm.azurewebsites.net/Env. The PLATFORM_VERSION environment variable shows the current App Service version. If the version is 126.96.36.199 (or later), then the associated application is running on the newly patched version of App Service.
Details on the .NET Framework Patch for SameSite
Specific details on differences in SameSite cookie handling included in the .NET Framework 4.7.2 patch are described in this article.
With the .NET Framework patch installed, the .NET Framework changes the defaults for the cookieSameSite configuration property for Session State and Forms Authentication to "Lax". The .NET Framework also automatically sends the SameSite=None cookie property on the wire when HttpCookie.SameSite has been set to a value of "None".
Read more about the forms authentication cookieSameSite default in this article.
Read more about the session state cookieSameSite default in this article.
Additional information about SameSite cookie handling with .NET Core is available in this article.
Details on Azure App Service compatibility behavior
In addition to the .NET Framework patch, Azure App Service has introduced a compatibility behavior for the scenario where an HTTP/HTTPS response includes a cookie header with a SameSite property set to a value of "None", and the requesting user agent matches a specific subset of older browsers that don’t support the newer 2019 SameSite standard and so don’t recognize the SameSite property of "None". When an older browser is detected, Azure App Service will automatically remove the SameSite=None cookie property if it’s detected in the response headers.
The net effect of the App Service compatibility behavior is that a specific subset of older browsers won’t receive an unrecognized SameSite value (which can cause older browsers to revert to SameSite=Strict behavior), while newer browsers like Chrome v80 will receive the SameSite=None cookie property.
The specific detection logic used by App Service for deciding when to remove the SameSite=None property from a response follows the pseudo-logic documented in this article.
Developers should review their applications’ usage and reliance (if any) on the SameSite cookie property, and update application logic with user agent detection and special handling as appropriate for each application’s scenario. The App Service platform’s compatibility behavior is intended only as a partial mitigation to aid developers while applications are updated to handle the 2019 SameSite behavior implemented in newer browser versions.
Developers should also review additional browser requirements when cookies include the SameSite=None property. For example, Chrome v80 will only honor SameSite=None if the cookie is also marked with the Secure attribute, and the cookie is flowing over an HTTPS connection. See more details.
The Azure App Service compatibility behavior is implemented on the App Service network edge infrastructure. The behavior is active for all sites running on App Service, regardless of the language or framework used by the site. The compatibility functionality works for sites running on both the Linux and Windows variations of App Service, for App Service Environments, and for all national cloud deployments of Azure App Service.