As browsers start to phase out third-party cookies, developers need to start using the Partitioned cookie attribute (a new feature of Cookies Having Independent Partitioned State, CHIPS). This allows users to log in when accessing your site in an iframe while maintaining privacy. While blocking third-party cookies is not yet the default, all the major browsers are planning to do this. Also, to support users running Chrome in incognito mode you need to be ready to support this; otherwise you will be prevented from setting a cookie.
The Partitioned attribute is supported in Chrome 114 and higher, and it is also supported by Edge. How it works is well explained at https://developer.chrome.com/docs/privacy-sandbox/chips/. Essentially, the cookie is partitioned according to the parent top-level site. (See diagram below.)
To configure this you need to set the cookie header:
Set-Cookie: __Host-name=value; Secure; Path=/; SameSite=None; Partitioned;
C# does not yet have an option to append this Partitioned attribute, but you can just append the Partitioned property to the Path option. For example:
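    Response.Cookies.Append("X-Access-Token", accessToken, new CookieOptions()
    {
        HttpOnly = true,
        Secure = true,
        SameSite = SameSiteMode.None,
        // Workaround: CookieOptions has no Partitioned property, so the extra
        // attributes ride along in the Path string. Keep this a constant and
        // never build it from request data.
        Path = "/; samesite=None; Partitioned"
    });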
This code also includes a fix to ensure the option samesite=None is output in the cookie (which is also required for third-party cookies).
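A check for the emitted header, as an added example (not code from the original post or from ASP.NET Core): it parses a Set-Cookie value and reports which requirements for a partitioned third-party cookie are unmet. `PartitionedCookieCheck` is a hypothetical helper, every sample header except the first is constructed, and the Secure requirement and the `__Host-` rules (Path=/, no Domain) are taken from the CHIPS and cookie-prefix specifications rather than from this post.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Sample Set-Cookie values: the first is the header from this post, the rest are constructed.
var samples = new[]
{
    "__Host-name=value; Secure; Path=/; SameSite=None; Partitioned;",
    "session=abc; Path=/; SameSite=None; Partitioned",              // Secure is missing
    "__Host-id=abc; Secure; Path=/app; SameSite=None; Partitioned", // __Host- with Path other than /
    "token=abc; Secure; Path=/; SameSite=Lax; HttpOnly",            // not partitioned, SameSite=Lax
};

foreach (var header in samples)
{
    var problems = PartitionedCookieCheck.Check(header);
    Console.WriteLine(problems.Count == 0 ? $"OK    {header}" : $"FAIL  {header}");
    foreach (var p in problems) Console.WriteLine($"      - {p}");
}

// Hypothetical helper (not an ASP.NET Core API): validates one Set-Cookie value.
static class PartitionedCookieCheck
{
    public static List<string> Check(string setCookie)
    {
        var parts = setCookie.Split(';', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries);
        var problems = new List<string>();
        if (parts.Length == 0) { problems.Add("empty header"); return problems; }
        var name = parts[0].Split('=', 2)[0];
        // Attribute names are case-insensitive; if one is repeated the last occurrence wins (RFC 6265).
        var attrs = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        foreach (var part in parts.Skip(1))
        {
            var kv = part.Split('=', 2);
            attrs[kv[0].Trim()] = kv.Length > 1 ? kv[1].Trim() : "";
        }

        if (!attrs.ContainsKey("Partitioned")) problems.Add("missing Partitioned");
        if (!attrs.ContainsKey("Secure")) problems.Add("Partitioned cookies must be Secure");
        if (!attrs.TryGetValue("SameSite", out var ss) || !ss.Equals("None", StringComparison.OrdinalIgnoreCase))
            problems.Add("SameSite=None is required for a third-party cookie");
        if (name.StartsWith("__Host-", StringComparison.Ordinal))
        {
            if (!attrs.TryGetValue("Path", out var path) || path != "/") problems.Add("__Host- requires Path=/");
            if (attrs.ContainsKey("Domain")) problems.Add("__Host- forbids Domain");
        }
        return problems;
    }
}
```

Feed it the Set-Cookie value your endpoint actually returns (for example, copied from the browser's network panel) to confirm the Path workaround produced the attributes you expect.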