diff --git a/xml/System.Web/HttpCookie.xml b/xml/System.Web/HttpCookie.xml index 8ac009a75a8..53d07f4f3de 100644 --- a/xml/System.Web/HttpCookie.xml +++ b/xml/System.Web/HttpCookie.xml @@ -404,8 +404,18 @@ The property extends the Gets or sets the value for the SameSite attribute of the cookie. - One of the enumeration values that represents the enforcement mode of the cookie. If the application targets the .NET Framework 4.7.2 or later versions, the default value is ; otherwise, the default value is . - To be added. + One of the enumeration values that represents the enforcement mode of the cookie or `(SameSiteMode)(-1)` (represented by the string `Unspecified` in config files). The default value depends on updates. For more information on defaults and recent updates, see Remarks. + , which does not emit the `SameSite` cookie header. This conforms to [https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-4.1](https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-4.1). + +After these updates have been applied, the default value is `(SameSiteMode)(-1)`, which corresponds to `Unspecified`. This preserves the earlier behavior. Setting `SameSiteMode.None` causes "SameSite=None" to be emitted. This new behavior conforms to [https://tools.ietf.org/html/draft-west-cookie-incrementalism-00](https://tools.ietf.org/html/draft-west-cookie-incrementalism-00). +]]> + diff --git a/xml/System.Web/SameSiteMode.xml b/xml/System.Web/SameSiteMode.xml index f571134a709..5bb6d33455c 100644 --- a/xml/System.Web/SameSiteMode.xml +++ b/xml/System.Web/SameSiteMode.xml 
@@ -14,7 +14,20 @@ Specifies constants that indicate the value for the SameSite attribute of the cookie. - To be added. + + was modified by updates described in [KB article 4531182](https://support.microsoft.com/help/4531182/kb4531182) and [KB article 4524421](https://support.microsoft.com/help/4524421/kb4524421). + +Without these updates, the value does not emit the `SameSite` cookie header. This conforms to [https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-4.1](https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-4.1). + +After these updates have been applied, the value emits the `SameSite=None` cookie header. This new behavior conforms to [https://tools.ietf.org/html/draft-west-cookie-incrementalism-00](https://tools.ietf.org/html/draft-west-cookie-incrementalism-00). As part of this change, FormsAuth and SessionState cookies will be issued with SameSite = `Lax` instead of the previous default of `None`, though these values can be overridden in web.config. + +On systems where these updates have been applied, you can specify the previous behavior by setting the `SameSiteMode` to `(SameSiteMode)(-1)`. You can specify this behavior using the string `Unspecified` in web.config. +]]> + @@ -54,7 +67,7 @@ 0 - No mode is specified. + The cookie will be sent with all requests (see remarks). @@ -74,7 +87,7 @@ 2 - When the value is Strict, or if the value is invalid, the cookie will only be sent along with "same-site" requests. + When the value is Strict the cookie will only be sent along with "same-site" requests.
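Review bot: In the `HttpCookie.xml` hunk the new Remarks paragraph starts mid-sentence (", which does not emit the `SameSite` cookie header") and never says which updates it is talking about, while the `SameSiteMode.xml` hunk opens with the KB 4531182 / KB 4524421 references and a "Without these updates" lead-in. Please give the `HttpCookie.SameSite` remarks the same two-part structure ("Without these updates, the default value is ... / After these updates have been applied, ...") with the KB links, so a reader landing on the property page does not have to find the enum page to learn what "depends on updates" means; a `<see cref>` to the `SameSiteMode` remarks would also do.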
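Review bot: The `SameSiteMode.xml` remarks tell people to write `(SameSiteMode)(-1)` in code to get the old no-header behaviour, but do not say that this is an undefined enum value: `Enum.IsDefined` and `ToString()` will not recognise it, and it only has meaning once the listed updates are installed. One sentence to that effect next to "you can specify the previous behavior by setting the `SameSiteMode` to `(SameSiteMode)(-1)`" would save readers from treating `Unspecified` as a member that exists in code as well as in web.config. The same remarks link to draft-west-cookie-incrementalism-00 as the basis for emitting `SameSite=None`; that draft also requires the `Secure` attribute on `SameSite=None` cookies, which is worth stating here since the "FormsAuth and SessionState cookies ... `Lax`" sentence is the only guidance on what else changes.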
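Review bot: The new summary for the `None` member, "The cookie will be sent with all requests (see remarks)", is only accurate after the updates, when `SameSite=None` is actually emitted. The remarks in the same hunk say that without the updates `None` emits no `SameSite` header at all, in which case the cross-site behaviour is whatever the user agent applies to cookies with no attribute, not something this value controls. Suggest qualifying the summary, e.g. "With the updates described in Remarks, emits `SameSite=None` so the cookie is sent with cross-site requests; without them, no `SameSite` attribute is emitted."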
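Review bot: The `Strict` hunk drops "or if the value is invalid" from the summary, which leaves out-of-range values other than `-1` undocumented. If the updates changed the fallback (for example, invalid values now behave like `Unspecified`), that belongs in the remarks alongside the `(SameSiteMode)(-1)` text; if they did not, the old clause should stay. Either way, a cookie that was previously documented as falling back to `Strict` silently changing to something weaker is exactly the kind of detail a reader of this page is looking for. The new sentence also needs a comma after "When the value is Strict".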