diff --git a/src/Microsoft.AspNetCore.Session/SessionMiddleware.cs b/src/Microsoft.AspNetCore.Session/SessionMiddleware.cs
index a9160e4..8dda333 100644
--- a/src/Microsoft.AspNetCore.Session/SessionMiddleware.cs
+++ b/src/Microsoft.AspNetCore.Session/SessionMiddleware.cs
@@ -153,6 +153,7 @@ private void SetCookie()
 var cookieOptions = new CookieOptions
 {
 Domain = _options.CookieDomain,
+ SameSite = _options.SameSiteMode,
 HttpOnly = _options.CookieHttpOnly,
 Path = _options.CookiePath ?? SessionDefaults.CookiePath,
 };
diff --git a/src/Microsoft.AspNetCore.Session/SessionOptions.cs b/src/Microsoft.AspNetCore.Session/SessionOptions.cs
index a025b60..b4f0a7a 100644
--- a/src/Microsoft.AspNetCore.Session/SessionOptions.cs
+++ b/src/Microsoft.AspNetCore.Session/SessionOptions.cs
@@ -36,6 +36,12 @@ public class SessionOptions
 ///
 public bool CookieHttpOnly { get; set; } = true;
+ ///
+ /// Determines if the browser should allow the cookie to be attached to same-site or cross-site requests. The
+ /// default is Lax, which means the cookie is allowed to be attached to same-site and safe cross-site requests.
+ ///
+ public SameSiteMode SameSiteMode { get; set; } = SameSiteMode.Lax;
+
 ///
 /// Determines if the cookie should only be transmitted on HTTPS requests.
 ///
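Review bot: The added `SameSite = _options.SameSiteMode,` line copies the configured mode onto the cookie without any coupling to the HTTPS-only setting, yet a cookie emitted with `SameSite=None` is discarded by current browsers unless it also carries `Secure`, so an operator who switches the mode to `None` for a cross-site flow gets a session that silently never persists. The Secure flag for this cookie is presumably assigned later in SetCookie, which continues past the end of this hunk, so the two cannot be tied together on the visible lines; a comment on the new line would at least warn the reader, e.g. `// SameSite=None is only honoured by browsers when the cookie is also Secure; keep the HTTPS-only option in sync.` Note also that the meaning of `SameSiteMode.None` differs between framework versions (in some it suppresses the attribute instead of emitting `None`), so confirm which semantics this build targets before relying on it for cross-site scenarios.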
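Review bot: The new XML doc on `SameSiteMode` overstates what Lax permits: it says the cookie is attached to "safe cross-site requests", but Lax sends the cookie only on top-level cross-site navigations with a safe method such as GET, not on cross-site subresource or fetch requests, and never on cross-site POSTs. Because the default is Lax, any existing cross-site POST callback into the site (a form-post response from an identity provider, a payment redirect) will arrive without the session cookie once this ships, which is a behaviour change worth stating where operators will read it. I would reword the two summary lines as `/// Controls the SameSite attribute of the session cookie. The default, Lax, sends the cookie on same-site requests and on top-level` and `/// cross-site navigations that use a safe method (e.g. GET); cross-site POSTs and subresource requests do not carry it.` and add a sentence that `None` requires a Secure cookie and is not a substitute for anti-forgery tokens. The enclosing SessionOptions class starts and ends outside this hunk.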