Description
Recently installed .NET 4.8 but kept our ASP.NET web application targeting 4.5.2. Older client devices started failing because the ASPXAUTH cookie started being sent with SameSite set to Lax where before it was not present.
Initially mitigated by setting this to None via web.config, even though this isn't officially supported in 4.5.2 (web.config gives a squiggle), which caused SameSite not to be sent again.
After finding more documentation, instead installed patches and set to Unspecified - otherwise those patches when scheduled would have caused SameSite to start being sent as None and likely caused the issue again.
Should this not be listed as a runtime change for this (and similar) runtime transitions? Similarly should it or the retargeting pages not list something for session state cookies?
Or is there some other document we should also be referring to when we make upgrades?
Document Details
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
- ID: 4d22079f-3cac-8792-c364-c3d97ba29273
- Version Independent ID: ebf3d473-4dae-502a-3e61-09fb00fa272e
- Content: Runtime Changes for Migration from .NET Framework 4.5.2 to 4.8 - .NET Framework
- Content Source: docs/framework/migration-guide/runtime/4.5.2-4.8.md
- Product: dotnet-framework
- Technology: dotnet-appcompat
- GitHub Login: @chlowell
- Microsoft Alias: gewarren