Question
We're using Classic ASP to construct our cookies via Response.Cookies( "CookieName" ). How would we go about setting "SameSite" to none?
Answer 1:
Try this (you need the URLRewrite module installed). You also need to be using the https protocol (SameSite only works if Secure is also included, and you can't include Secure without using the https protocol). HttpOnly should always be used too, but if you have some JavaScript code on your site that needs to read cookies, HttpOnly will prevent that.
You also might need to add "HTTP_COOKIE" to the "allowed server variables" in IIS under URLRewrite. But I think that's just for reading incoming cookies.
EDIT: Tried and tested, works perfectly.
Note: If you're already using Response.Cookies("CookieName").Secure = True, it will add Secure to the response header value twice (unless you remove Secure from the action rewrite value). Being included twice shouldn't be an issue, but some browsers can be fussy with stuff like that, especially Chrome, as Google continues to roll out more and more updates with stricter cookie rules.
The httpProtocol > customHeaders section is completely optional, but it will add more security to your site.
web.config
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <outboundRules>
        <!-- Runs against every outgoing Set-Cookie header. The greedy pattern
             splits on the LAST "=" and the action glues the two halves back
             together before appending the attributes, so cookie values that
             contain "=" are reassembled unchanged. -->
        <rule name="SameSite rewrite">
          <match serverVariable="RESPONSE_Set_Cookie" pattern="(.*)=(.*)" negate="false" />
          <!-- Remove "; Secure" here if the cookie is already set with .Secure = True,
               otherwise the attribute is emitted twice. -->
          <action type="Rewrite" value="{R:1}={R:2}; SameSite=None; HttpOnly; Secure" />
        </rule>
      </outboundRules>
    </rewrite>
    <!-- Optional hardening headers; not required for the SameSite rewrite. -->
    <httpProtocol>
      <customHeaders>
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <add name="X-Content-Type-Options" value="nosniff" />
        <!-- Legacy header; current browsers no longer act on it. -->
        <add name="X-XSS-Protection" value="1; mode=block" />
        <add name="Referrer-Policy" value="strict-origin" />
        <!-- max-age is one year in seconds; only honoured when served over HTTPS. -->
        <add name="Strict-Transport-Security" value="max-age=31536000" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
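As an added example (not part of the answer above, and not an IIS component), here is a small Python simulation of what that outbound rule does to individual Set-Cookie header values. It transcribes the rule's regex and action template literally, runs them over a few constructed sample headers, and flags attributes that end up duplicated, which is exactly the "Secure twice" situation the note describes (and the same thing happens to a cookie that already carries SameSite=Lax). The append_missing function and the WANTED table are a hypothetical alternative of mine that only adds attributes the header lacks; they are not something the answer or URL Rewrite provides.

```python
import re

# Transcription of the outbound rule in the web.config above:
#   match pattern="(.*)=(.*)"
#   action value="{R:1}={R:2}; SameSite=None; HttpOnly; Secure"
RULE_PATTERN = re.compile(r"(.*)=(.*)")
RULE_TEMPLATE = "{R1}={R2}; SameSite=None; HttpOnly; Secure"


def apply_outbound_rule(set_cookie: str) -> str:
    """Simulate the URL Rewrite rule on a single Set-Cookie header value.

    The pattern is greedy, so group 1 runs up to the LAST '=' and group 2 is
    whatever follows it; joining them with '=' restores the original string,
    which is why cookie values containing '=' are not mangled.
    """
    m = RULE_PATTERN.match(set_cookie)
    if m is None:
        return set_cookie  # no '=' anywhere: the rule does not fire
    return RULE_TEMPLATE.format(R1=m.group(1), R2=m.group(2))


def parse_set_cookie(set_cookie: str):
    """Return (name, value, [(attribute_name_lowercased, attribute_value), ...])."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name, _, value = parts[0].partition("=")  # name/value split on the FIRST '='
    attrs = []
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs.append((key.strip().lower(), val.strip()))
    return name, value, attrs


def duplicate_attributes(set_cookie: str):
    """Names of attributes that occur more than once (e.g. two 'Secure' tokens)."""
    _, _, attrs = parse_set_cookie(set_cookie)
    counts = {}
    for key, _ in attrs:
        counts[key] = counts.get(key, 0) + 1
    return sorted(key for key, n in counts.items() if n > 1)


# Hypothetical safer variant (mine, not the answer's): only append what is missing,
# so a cookie already flagged Secure, or already carrying a SameSite policy, is left alone.
WANTED = (("SameSite", "None"), ("HttpOnly", None), ("Secure", None))


def append_missing(set_cookie: str) -> str:
    _, _, attrs = parse_set_cookie(set_cookie)
    present = {key for key, _ in attrs}
    out = set_cookie.rstrip("; ")
    for key, val in WANTED:
        if key.lower() in present:
            continue
        out += f"; {key}" if val is None else f"; {key}={val}"
    return out


# Constructed sample headers for the demo (not captured from a real server).
SAMPLES = [
    "ASPSESSIONIDABCD=XYZ123; path=/",  # plain cookie, no attributes yet
    "token=a=b=c; Path=/; Secure",      # .Secure = True already used; value contains '='
    "legacy=1; SameSite=Lax",           # cookie that already carries a SameSite policy
]

if __name__ == "__main__":
    for raw in SAMPLES:
        rewritten = apply_outbound_rule(raw)
        print(raw)
        print("  rule   ->", rewritten, "| duplicates:", duplicate_attributes(rewritten))
        print("  merged ->", append_missing(raw))
```

The simulation only models the regex and template; it does not reproduce IIS's own header handling, so treat it as a way to reason about what the rule emits, not as a substitute for checking the real response headers in the browser's developer tools.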
Source: https://stackoverflow.com/questions/63446339/classic-asp-use-of-samesite-on-cookies