SameSite Cookies with IIS

May 14, 2018

SameSite cookies are a great technique for mitigating Cross Site Request Forgery attacks. The only downside is that not all browsers support them yet (ahem... looking at you IE).

Another downside you may find is that most application server software does not support them yet, for example javax.servlet.http.Cookie does not yet have support (so languages like CFML are probably waiting for this to add as well), PHP has a RFC and hopes to add them in 7.3, ASP.NET Core has added them to 2.0 and .NET Framework 4.7.2.

If your current platform doesn't support them yet but you want to use them, then you can use the web server to append the SameSite attribute to the Set-Cooke http response header.

Here's how you can do it in IIS using the IIS URL Rewrite Module:

  1. Install Microsoft URL Rewrite for IIS:
  2. Close IIS, and open it again.
  3. Click On the root server level node of IIS (so that this is applicable to all sites on your server),
  4. Double Click on the URL Rewrite icon
  5. Click on Add Rule(s)
  6. Under Outbound Rules select Blank Rule
  7. Give it an arbitrary name, eg AddSameSiteCookieFlag
  8. Under Match, select Matching Scope: Server Variable
  9. For Variable name use: RESPONSE_Set-Cookie
  10. Variable Value: Matches Pattern
  11. Using: Regular Expressions
  12. Pattern: ^(.*)(CFID|CFTOKEN|JSESSIONID)(=.*)$ (that only applies to cookies named CFIDE CFTOKEN or JSESSIONID, modify as needed)
  13. Under Action, Action Type: Rewrite
  14. Action Properties: Value: {R:0};SameSite=lax (if you existing cookie has a trailing semi-colin you can remove it here, you may also consider using Strict instead of Lax).
  15. Check Replace existing server variable
samesite cookies in iis

Or here's how you can add it to a single site using web.config files:

                <rule name="AddSameSiteCookieFlag">
                    <match serverVariable="RESPONSE_Set-Cookie" pattern="^(.*)(CFID|CFTOKEN|JSESSIONID)(=.*)$" />
                    <action type="Rewrite" value="{R:0};SameSite=lax" />

Like this? Follow me ↯

You might also like:

This entry was:


Great stuff, Pete. Thanks. And in case anyone misses it in the related posts links above, note that he covered apache in a later post: And before someone asks, support is due to be added to cf (2018 and 2016) in a coming update (yes, frustratingly late). But this should help folks until then, and also those on earlier CF versions.

Post a Comment


Foundeo Inc.