Pete Freitag

SameSite Cookies with IIS

coldfusion, java, web

SameSite cookies are a great technique for mitigating Cross Site Request Forgery attacks. The only downside is that not all browsers support them yet (ahem... looking at you IE).

Another downside you may find is that most application server software does not support them yet. For example, javax.servlet.http.Cookie does not yet have support (so languages like CFML, which build on it, are probably waiting for this to be added as well), PHP has an RFC and hopes to add them in 7.3, and ASP.NET Core has added them in 2.0 and .NET Framework in 4.7.2.

If your current platform doesn't support them yet but you want to use them, you can have the web server append the SameSite attribute to the Set-Cookie HTTP response header.

Here's how you can do it in IIS using the IIS URL Rewrite Module:

  1. Install Microsoft URL Rewrite for IIS: http://www.iis.net/downloads/microsoft/url-rewrite
  2. Close IIS, and open it again.
  3. Click on the root server level node of IIS (so that this is applicable to all sites on your server).
  4. Double Click on the URL Rewrite icon
  5. Click on Add Rule(s)
  6. Under Outbound Rules select Blank Rule
  7. Give it an arbitrary name, eg AddSameSiteCookieFlag
  8. Under Match, select Matching Scope: Server Variable
  9. For Variable name use: RESPONSE_Set-Cookie
  10. Variable Value: Matches Pattern
  11. Using: Regular Expressions
  12. Pattern: ^(.*)(CFID|CFTOKEN|JSESSIONID)(=.*)$ (that only applies to cookies named CFID, CFTOKEN or JSESSIONID, modify as needed)
  13. Under Action, Action Type: Rewrite
  14. Action Properties: Value: {R:0};SameSite=lax (if your existing cookie has a trailing semicolon you can remove it here; you may also consider using Strict instead of Lax).
  15. Check Replace existing server variable
[Screenshot: SameSite cookie outbound rule in the IIS URL Rewrite module]

Or here's how you can add it to a single site using web.config files:

<configuration>
  <system.webServer>
    <rewrite>
      <outboundRules>
        <rule name="AddSameSiteCookieFlag">
          <match serverVariable="RESPONSE_Set-Cookie" pattern="^(.*)(CFID|CFTOKEN|JSESSIONID)(=.*)$" />
          <action type="Rewrite" value="{R:0};SameSite=lax" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
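To see what the outbound rule above actually does to a response, and where its edges are, here is an added Python simulation of the rewrite (example code written for this page, not part of the article or the IIS URL Rewrite module). It applies the article's exact pattern and `{R:0};SameSite=lax` action to a constructed set of Set-Cookie header values, but also handles the two cases the raw rule does not: a cookie that already ends in a semicolon (which the plain rule would turn into `;;SameSite=lax`, the case step 14 warns about) and a cookie that already carries a SameSite attribute (which the plain rule would give a second, conflicting copy). The `audit_set_cookie_headers` helper is the kind of check you would run against a real response after deploying the rule; the sample headers and cookie values are constructed for the example. Function names are the author's of this example only.

```python
import re

# Same pattern the article's IIS outbound rule uses; the IIS action appends
# ";SameSite=lax" to the whole match ({R:0}).
COOKIE_PATTERN = re.compile(r"^(.*)(CFID|CFTOKEN|JSESSIONID)(=.*)$")
HAS_SAMESITE = re.compile(r";\s*SameSite=", re.IGNORECASE)


def apply_samesite_rule(set_cookie_value: str, flag: str = "SameSite=lax") -> str:
    """Simulate the outbound rewrite on one Set-Cookie header value.

    Mirrors the article's rule ({R:0};SameSite=lax) and additionally handles
    a trailing semicolon on the original cookie and a cookie that already
    carries a SameSite attribute. Pass flag="SameSite=Strict" to try the
    stricter setting the article mentions.
    """
    if not COOKIE_PATTERN.match(set_cookie_value):
        # Not one of the named session cookies: the rule leaves it untouched.
        return set_cookie_value
    if HAS_SAMESITE.search(set_cookie_value):
        # Already has SameSite (any value): don't append a second copy.
        return set_cookie_value
    # Strip a trailing semicolon/space so we never emit ";;SameSite=lax".
    return set_cookie_value.rstrip("; ") + ";" + flag


def audit_set_cookie_headers(headers):
    """Return the Set-Cookie values that still lack a SameSite attribute.

    `headers` is a list of (name, value) tuples as an HTTP client library
    exposes them. Run this against a live response to confirm the rule took.
    """
    return [
        value
        for name, value in headers
        if name.lower() == "set-cookie" and not HAS_SAMESITE.search(value)
    ]


def rewrite_response(headers):
    """Apply the rule to every Set-Cookie header in a response, like IIS does."""
    return [
        (name, apply_samesite_rule(value) if name.lower() == "set-cookie" else value)
        for name, value in headers
    ]


# Constructed sample response headers (not captured from any real server).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "CFID=12345; Path=/; HttpOnly; Secure"),
    ("Set-Cookie", "CFTOKEN=67890; Path=/; HttpOnly;"),          # trailing semicolon
    ("Set-Cookie", "JSESSIONID=abcdef; Path=/; SameSite=Strict"),  # already set by the app
    ("Set-Cookie", "theme=dark; Path=/"),                         # not matched by the rule
]

if __name__ == "__main__":
    print("Missing SameSite before rewrite:")
    for value in audit_set_cookie_headers(SAMPLE_HEADERS):
        print("  ", value)
    rewritten = rewrite_response(SAMPLE_HEADERS)
    print("Set-Cookie headers after rewrite:")
    for name, value in rewritten:
        if name.lower() == "set-cookie":
            print("  ", value)
    print("Still missing SameSite after rewrite:")
    for value in audit_set_cookie_headers(rewritten):
        print("  ", value)
```

The last audit is the useful part: after the rewrite only the `theme` cookie is still without SameSite, because the pattern names only CFID, CFTOKEN and JSESSIONID. If your application sets other cookies that carry authorization (a remember-me token, for instance), add them to the pattern or they stay unprotected.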


SameSite Cookies with IIS was first published on May 14, 2018.


Comments

Great stuff, Pete. Thanks.

And in case anyone misses it in the related posts links above, note that he covered Apache in a later post:

https://www.petefreitag.com/item/894.cfm

And before someone asks, support is due to be added to cf (2018 and 2016) in a coming update (yes, frustratingly late). But this should help folks until then, and also those on earlier CF versions.
by Charlie Arehart on 03/11/2020 at 10:06:02 AM UTC
Coldfusion 2018 published an update - ColdFusion 2018 Update 9 build 318650

Does this still apply?
by Vlad on 04/22/2020 at 10:40:02 AM UTC
Great little fix - Solved issues I was having trying to embed our finance app inside an iFrame - Thanks Pete
by Martin Parry on 08/03/2020 at 1:36:22 AM UTC
Thank you very much for this article. Saved me in a time-critical situation, supporting an older .NET version in a production environment.
by Chandra on 08/07/2020 at 8:14:42 PM UTC
Thanks, worked like a charm.
by Akash Bavlecha on 09/01/2020 at 6:32:15 AM UTC