SameSite is an HTTP cookie attribute, first drafted in 2016, designed to prevent Cross-Site Request Forgery (CSRF). In its original form it was an optional attribute added to a cookie, with two possible values: Lax and Strict.
With Lax, the browser sends the cookie on same-site requests and on top-level GET navigations to your site from other sites. Strict limits the cookie to requests originating from your own site. Omitting the attribute places no restriction on when the cookie is sent. OpenIdConnect authentication operations (e.g. login, logout), and any other flow in which an external site POSTs back to the site that requested the operation, use cookies for correlation and/or CSRF protection. Under the original standard those cookies had to omit SameSite entirely so that they would still be sent on those cross-site POST requests.
Google is updating the standard and implementing the proposed changes in an upcoming version of Chrome. The change adds a new SameSite value, None, and changes the default (no attribute) to behave as Lax. That breaks OpenIdConnect logins and possibly other functionality your website relies on: cookies used in those cross-site flows now need SameSite explicitly set to None (and, under the new draft, must also carry the Secure attribute).
However, browsers that implement the original standard and do not know the new value behave differently from browsers that implement the new one: some treat the unrecognized value None as Strict, which drops the cookie exactly when it is needed. Your .NET website therefore has to add user agent sniffing to decide whether to send SameSite=None or to omit the attribute altogether.
.NET will receive updates that change how the SameSite attribute is handled in .NET Framework 4.7.2 and .NET Core 2.1 and above, to accommodate the new value. Updates for the .NET Framework will be available November 19 as an optional update through Microsoft Update and WSUS if you use Check for Updates. On December 10 the update will be released broadly and will appear on Microsoft Update. .NET Core updates will be available in November with the release of .NET Core 3.1, starting in Preview 1.
The OpenIdConnect middleware for Microsoft.Owin v4.1 and for .NET Core will update at the same time as the .NET Framework and .NET Core updates. However, we cannot add user agent sniffing code to the framework; it must be implemented in your site code. The implementation will depend on which version of ASP.NET or ASP.NET Core you are using and which browsers you want to support.
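As an added illustration (this is example code written for this post, not code shipped with the .NET updates described above), here is one way to do the user agent sniffing in an ASP.NET Core 3.1 site. It assumes ASP.NET Core 3.1, where SameSiteMode.Unspecified exists, and uses the cookie policy middleware's OnAppendCookie/OnDeleteCookie hooks so that every cookie the site writes, including the OpenIdConnect correlation and nonce cookies, is checked in one place. The user agent patterns are assumptions drawn from the publicly documented list of clients known to mishandle SameSite=None (iOS 12, Safari on macOS 10.14, Chrome 51 to 66); which browsers you match is your choice and should be reviewed against the clients you actually support.

```csharp
// Added example for ASP.NET Core 3.1 (not code from the original post):
// emit SameSite=None; Secure for modern browsers, but omit the SameSite
// attribute entirely for clients known to treat "None" as Strict.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddRouting();
        services.Configure<CookiePolicyOptions>(options =>
        {
            // Do not let the policy middleware raise every cookie to Lax;
            // leave each cookie's own setting alone and only intervene on None.
            options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
            options.OnAppendCookie = ctx => CheckSameSite(ctx.Context, ctx.CookieOptions);
            options.OnDeleteCookie = ctx => CheckSameSite(ctx.Context, ctx.CookieOptions);
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        // The policy middleware must run before anything that writes cookies.
        app.UseCookiePolicy();
        app.UseRouting();
        app.UseEndpoints(endpoints =>
        {
            endpoints.MapGet("/set", async context =>
            {
                // A cookie that must survive a cross-site POST back to this site
                // (for example an OpenIdConnect form_post callback) is declared
                // None + Secure; CheckSameSite strips the attribute for legacy clients.
                context.Response.Cookies.Append("correlation", "abc123", new CookieOptions
                {
                    SameSite = SameSiteMode.None,
                    Secure = true,
                    HttpOnly = true,
                });
                await context.Response.WriteAsync("ok");
            });
        });
    }

    private static void CheckSameSite(HttpContext httpContext, CookieOptions options)
    {
        if (options.SameSite != SameSiteMode.None)
        {
            return;
        }

        var userAgent = httpContext.Request.Headers["User-Agent"].ToString();
        if (DisallowsSameSiteNone(userAgent))
        {
            // Unspecified means "write no SameSite attribute at all", which is
            // what browsers on the original standard need for cross-site POSTs.
            options.SameSite = SameSiteMode.Unspecified;
        }
    }

    // Returns true for clients that misinterpret the unknown value "None".
    // These patterns are assumptions based on the published incompatible-client
    // list; trim or extend them for the browsers your site supports.
    private static bool DisallowsSameSiteNone(string userAgent)
    {
        // iOS 12: Safari, WKWebView and Chrome on iOS all share the OS network stack.
        if (userAgent.Contains("CPU iPhone OS 12") || userAgent.Contains("iPad; CPU OS 12"))
        {
            return true;
        }

        // Safari on macOS 10.14 uses the OS stack; Chrome on macOS does not.
        if (userAgent.Contains("Macintosh; Intel Mac OS X 10_14")
            && userAgent.Contains("Version/") && userAgent.Contains("Safari"))
        {
            return true;
        }

        // Chrome 51-66 mishandle None, and no Chrome 50-69 release needs it,
        // so the whole 5x/6x range can safely get no attribute.
        if (userAgent.Contains("Chrome/5") || userAgent.Contains("Chrome/6"))
        {
            return true;
        }

        return false;
    }
}
```

Note that the hook changes only cookies that were explicitly set to None; cookies set to Lax or Strict pass through untouched, so same-site session cookies keep their protection regardless of the client. On ASP.NET Core 2.1 with the patched runtime the same approach works, but Unspecified has to be written as (SameSiteMode)(-1) because the named enum member was only added in 3.1.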