Problem with Session in iFrame after recent windows update

  • Question

  • User307666270 posted

    Hello All,

    One of our clients wants to use our Web Forms application on their website inside an iframe to log in and order goods.

    So I have added P3P headers to support third party content. CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" 

    It was working until yesterday and stopped working after a recent .NET Framework update. The user logs in and the session is lost when redirected to another page. Below are the details of the update:

    2019-11 Preview of Quality Rollup for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows 8.1 and Server 2012 R2 for x64 (KB4524743)

    More information:
    http://support.microsoft.com/kb/4524743

    Any help is much appreciated.

    Wednesday, November 27, 2019 6:16 AM

Answers

  • User307666270 posted

    Hi,

    Found the fix. As mentioned in the below page. 

    https://support.microsoft.com/en-us/help/4524420/kb4524420

    Microsoft ASP.NET will now emit a SameSite cookie header when HttpCookie.SameSite value is "None" to accommodate upcoming changes to SameSite cookie handling in Chrome. As part of this change, FormsAuth and SessionState cookies will also be issued with SameSite = 'Lax' instead of the previous default of 'None', though these values can be overridden in web.config.

    You have to set cookieSameSite="None" in the sessionState tag to avoid this issue. I have tried this and it is working well.

    <sessionState cookieSameSite="None"  cookieless="false" timeout="360">
    </sessionState>

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, December 18, 2019 1:09 PM
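
An added example (not part of the thread, and not Microsoft's code): a small Python check that takes Set-Cookie header values and reports whether the cookie would be sent from inside a cross-site iframe, which is the situation the sessionState setting above addresses. The header strings are constructed samples, and the check assumes a browser that treats a missing SameSite attribute as Lax and rejects SameSite=None without Secure.

```python
# Added example: would a browser that enforces the newer SameSite rules send
# this cookie on a request made from inside a cross-site iframe?

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def iframe_verdict(header):
    """Return (cookie name, verdict) for a cross-site iframe request."""
    name, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    if samesite in ("lax", "strict"):
        # Lax and Strict cookies are not attached to cross-site subframe requests.
        return name, "blocked-" + samesite
    if samesite == "none":
        if "secure" not in attrs:
            # SameSite=None without Secure is dropped by the assumed browser.
            return name, "rejected-insecure-none"
        return name, "sent"
    # Assumption: a missing or unrecognised SameSite value is treated as Lax.
    return name, "blocked-default-lax"


# Constructed sample headers (the session ID value is made up).
SAMPLES = {
    "default after the update": "ASP.NET_SessionId=abc123; path=/; HttpOnly; SameSite=Lax",
    "cookieSameSite=None, no Secure": "ASP.NET_SessionId=abc123; path=/; HttpOnly; SameSite=None",
    "cookieSameSite=None with Secure": "ASP.NET_SessionId=abc123; path=/; secure; HttpOnly; SameSite=None",
    "no SameSite attribute": "ASP.NET_SessionId=abc123; path=/; HttpOnly",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print("%-32s %s" % (label, iframe_verdict(header)[1]))
```

For the "sent" case the framed site has to be served over HTTPS with requireSSL="true" on the httpCookies element so the session cookie carries Secure. A cookie marked SameSite=None no longer gets SameSite's cross-site request protection, so keep anti-forgery tokens on state-changing pages.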

All replies

  • User-1233667538 posted

    Hi Albert,

    We've seen this same problem affect one of our clients. Very similar to your description: ASP.NET WebForms, VB.NET and using iFrames to handle a SagePay payment with 3D secure.

    We found that since installing this Windows Update, we've had SOME callbacks from SagePay (within the iFrame) creating new sessions, despite the cookie being provided with the correct session ID.

    We've had to issue a hurried fix that inspects the session, and reacts accordingly if a new session has been created. But it's caused us and our client significant issues.

    We're still investigating, but whether users are affected is definitely dependent on their browser version.

    Wednesday, November 27, 2019 11:45 PM
  • User-749750143 posted

    olitee

    Did you get any further with this?

    Experiencing the same problem with SagePay 3Dsecure redirects since a recent Windows update.

    Wednesday, December 18, 2019 11:43 AM
  • User-749750143 posted

    alvbertpraveen

    I confirm it works.

    This has caused unbelievable grief, thanks a million for finding that.

    Thursday, December 19, 2019 3:43 PM
  • User2002782199 posted

    Confirming this worked as well.

    Thursday, December 26, 2019 9:13 PM
  • User1267756744 posted

    Hi, 

    This solution works for me, but session log out is not working on any browser other than IE. Could you please help? Thanks.

    Thursday, January 2, 2020 12:00 PM
  • User1526507379 posted

    I had this issue while accessing the site from a Cordova application. This solution works. Thanks!

    Tuesday, January 7, 2020 11:12 AM