Azure App Service – SameSite cookie handling and .NET Framework 4.7.2 patch
Published date: 18 January, 2020
As part of the January 2020 update to Azure App Service, .NET Framework patches that update how .NET framework apps handle the SameSite cookie property are being installed. The service is also deploying an App Service compatibility behaviour that applies to all applications running on App Service for scenarios where a cookie has set the SameSite property to “None”.
.NET Core versions on the App Service platform already contain updates for SameSite cookie handling and aren’t changing as part of the January 2020 service update.
The Azure App Service payload is being deployed throughout January 2020, with an estimated completion date of the end of January 2020 across the public Azure cloud, all App Service environments and national clouds. See the latest information about the deployment.
As the updates are deployed incrementally across the service, applications will start running on the newer App Service payload at different times during the deployment period. Developers can determine whether applications are running on the updated App Service payload by checking the version of App Service in the SCM site. The SCM site is available in the portal from the Development tools --> Advanced tools option. Alternatively, developers can navigate directly to the SCM site for an application using the following URL format: https://your-sitename-here.scm.azurewebsites.net.
For Windows App Service sites, the home page of the SCM site shows the Azure App Service version. If the version is 18.104.22.168 (or later), then the associated application is running on the newly patched version of App Service.
For Linux App Service sites, clicking the Environment option in the top menu on the SCM site will return a page with all of the sites’ environment variables. The resulting page will have a URL formatted like this: https://your-sitename-here.scm.azurewebsites.net/Env. The PLATFORM_VERSION environment variable shows the current App Service version. If the version is 22.214.171.124 (or later), then the associated application is running on the newly patched version of App Service.
Details on the .NET Framework Patch for SameSite
Specific details on differences in SameSite cookie handling included in the .NET Framework 4.7.2 patch are described in this article.
With the .NET Framework patch installed, the .NET Framework changes the defaults for the cookieSameSite configuration property for Session State and Forms Authentication to “Lax”. The .NET Framework also automatically sends the SameSite=None cookie property on the wire when HttpCookie.SameSite has been set to a value of “None”.
Read more about the forms authentication cookieSameSite default in this article.
Read more about the session state cookieSameSite default in this article.
Additional information about SameSite cookie handling with .NET Core is available in this article.
Details on Azure App Service compatibility behaviour
In addition to the .NET Framework patch, Azure App Service has introduced a compatibility behaviour for the scenario where an HTTP/HTTPS response includes a cookie header with a SameSite property set to a value of “None”, and the requesting user agent matches a specific subset of older browsers that don’t support the newer 2019 SameSite standard and so don’t recognise the SameSite property of “None”. When an older browser is detected, Azure App Service will automatically remove the SameSite=None cookie property if it’s detected in the response headers.
The net effect of the App Service compatibility behaviour is that a specific subset of older browsers won’t receive an unrecognised SameSite value (which can cause older browsers to revert to SameSite=Strict behaviour), while newer browsers such as Chrome v80 will receive the SameSite=None cookie property.
The specific detection logic used by App Service for deciding when to remove the SameSite=None property from a response follows the pseudo-logic documented in this article.
Developers should review their applications’ usage and reliance (if any) on the SameSite cookie property, and update application logic with user agent detection and special handling as appropriate for each application’s scenario. The App Service platform’s compatibility behaviour is only intended as a partial mitigation to aid developers while applications are updated to handle the 2019 SameSite behaviour implemented in newer browser versions.
Developers should also review additional browser requirements when cookies include the SameSite=None property. For example, Chrome v80 will only honour SameSite=None if the cookie is also marked with the Secure attribute, and the cookie is flowing over an HTTPS connection. See more details.
The Azure App Service compatibility behaviour is implemented on the App Service network edge infrastructure. The behaviour is active for all sites running on App Service, regardless of the language or framework used by the site. The compatibility functionality works for sites running on both the Linux and Windows variations of App Service, for App Service Environments and for all national cloud deployments of Azure App Service.