From 91fb3eb41e9257ff2eb582bd9c996ebef0123570 Mon Sep 17 00:00:00 2001
From: Kiran Challa
Date: Thu, 11 Jan 2018 16:37:46 -0800
Subject: [PATCH] Changed CookieTempDataProvider's cookie SameSite to Lax [Fixes #7190] Can not retrieve cookie-based TempData after Google authentication with account selection in Google Chrome
---
 .../CookieTempDataProviderOptions.cs | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/Microsoft.AspNetCore.Mvc.ViewFeatures/CookieTempDataProviderOptions.cs b/src/Microsoft.AspNetCore.Mvc.ViewFeatures/CookieTempDataProviderOptions.cs
index 138105d7c8..58ee79d044 100644
--- a/src/Microsoft.AspNetCore.Mvc.ViewFeatures/CookieTempDataProviderOptions.cs
+++ b/src/Microsoft.AspNetCore.Mvc.ViewFeatures/CookieTempDataProviderOptions.cs
@@ -16,7 +16,9 @@ namespace Microsoft.AspNetCore.Mvc
 {
 Name = CookieTempDataProvider.CookieName,
 HttpOnly = true,
- SameSite = SameSiteMode.Strict,
+
+ // Check the comment on CookieBuilder below for more details
+ SameSite = SameSiteMode.Lax,
 
 // This cookie has been marked as non-essential because a user could use the SessionStateTempDataProvider,
 // which is more common in production scenarios. Check the comment on CookieBuilder below
@@ -36,7 +38,9 @@ namespace Microsoft.AspNetCore.Mvc
 /// Determines the settings used to create the cookie in .
 ///
 ///
- /// defaults to .
+ /// defaults to . Setting this to
+ /// may cause browsers to not send back the cookie to the server in an
+ /// OAuth login flow.
 /// defaults to .
 /// defaults to true.
 /// defaults to false, This property is only considered when a
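Review bot: The comment added above `SameSite = SameSiteMode.Lax,` only points the reader elsewhere, so the reason for relaxing a security-relevant default is not visible where the value is set. I would state it inline, for example `// Lax (not Strict) so the cookie is still sent on the top-level redirect back from an external/OAuth login.` The diffstat shows a single file changed, so nothing in this patch pins the new default; a unit test asserting that the options' cookie builder defaults to `SameSiteMode.Lax` would guard against regressions, assuming one does not already exist elsewhere. The object initializer begins and ends outside this hunk.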
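Review bot: The new remarks explain why Strict breaks the OAuth flow but not what Lax gives up, and that is the part an application owner needs to assess the change. With Lax the browser also attaches the TempData cookie to cross-site top-level GET navigations, so a link from another site can reach an action that reads, and so consumes, TempData. I would add a sentence such as `/// With Lax the cookie is also sent on cross-site top-level GET navigations; do not treat this setting as CSRF protection and keep antiforgery validation on state-changing actions.` The remarks block starts and ends outside this hunk.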