How to use FileUltimate with a cross domain
Question asked by Alejandro Mares - 1/9/2020 at 9:57 AM
Answered
I want to use FileUltimate in a cross-domain scenario, but I'm not sure how to do it.

On the first thought I'm using an iframe on the client domain; it starts a page refresh like this:

Request Headers:

Response Headers:
 BTW: I own both Domains 

The Domains are on separate webservers.

It looks like the cross-domain iframe is not possible... or else.

Any idea on how to deal with it?

This problem started with an update of Chrome, Firefox and Internet Explorer; with older browsers the behavior is different.

9 Replies

0
Jens Aspman Replied
Hi Alejandro Mares, did you find a solution for this. I'm experiencing the same thing.
Best regards
Jens
0
Cem Alacayir Replied
Employee Post
It seems this is related to a recent .NET Framework change:

If the application targets the .NET Framework 4.7.2 or later versions, the default value is Lax; otherwise, the default value is None.
And from your response headers, I see that the cookie has the "SameSite=Lax" attribute.

You can go back to previous behavior by setting this in your Web.config:

<system.web>
  <sessionState cookieSameSite="None" />
</system.web>

0
Cem Alacayir Replied
Employee Post
More information on this issue:

Chrome starting with version 76 treats cookies as SameSite=Lax by default if no SameSite attribute is specified.

And ASP.NET, without the updates below, does not emit the SameSite cookie header for the None value (SameSite=None):

  • For .NET Framework 4.6 to 4.7.2, install KB 4524421
  • For .NET Framework 4.8, install KB 4531182

  • Before the patch a value of None meant:
    • Do not emit the attribute at all.
  • After the patch:
    • A value of None means "Emit the attribute with a value of None".
    • The default SameSite value for forms authentication and session state cookies was changed from None to Lax.
After these updates, you can use this setting in Web.config and the SameSite=None cookie header will be sent:

<system.web>
  <httpCookies sameSite="None" />
  <sessionState cookieSameSite="None" />
</system.web>
For more details:

0
vishnani karan Replied

My sites are hosted in a Windows Docker container on the ASP.NET Core platform, so web.config changes are of no use to me.
If GleamTech DocumentUltimate is creating a cookie in some method, is there any way to change the SameSite attribute in the code?
0
Cem Alacayir Replied
Employee Post
For ASP.NET Core, you can change the default SameSite setting from Unspecified to None like this:

In Startup.cs add the highlighted code:

using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<CookiePolicyOptions>(options =>
        {
            // No minimum policy, so the middleware never upgrades a cookie to Lax/Strict.
            options.MinimumSameSitePolicy = SameSiteMode.None;
            // Runs for every cookie written or deleted through the response.
            options.OnAppendCookie = cookieContext =>
                CheckSameSite(cookieContext.Context, cookieContext.CookieOptions);
            options.OnDeleteCookie = cookieContext =>
                CheckSameSite(cookieContext.Context, cookieContext.CookieOptions);
        });

        services.AddRazorPages();
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }
        else
        {
            app.UseExceptionHandler("/Error");
            app.UseHsts();
        }

        app.UseHttpsRedirection();
        app.UseStaticFiles();

        app.UseRouting();

        // This should be called before calling UseAuthentication or any method that writes a cookie
        app.UseCookiePolicy();
        app.UseAuthentication();
        app.UseAuthorization();

        app.UseEndpoints(endpoints =>
        {
            endpoints.MapRazorPages();
        });
    }

    private void CheckSameSite(HttpContext httpContext, CookieOptions options)
    {
        // Unspecified cookies would otherwise be emitted without a SameSite attribute,
        // which recent browsers treat as Lax and drop inside a cross-domain iframe.
        if (options.SameSite == (SameSiteMode)(-1)) // For .NET Core 3.1+, you can use SameSiteMode.Unspecified
        {
            options.SameSite = SameSiteMode.None;
        }
    }
}

References:

0
Yash Changrani Replied
Hi Cem and Karan,

Is the cookie necessary for the document viewer? In some browsers third-party cookies are disabled, and in incognito mode third-party cookies are disabled as well. This affects the end users, as end users don't have much knowledge of or use for cookies.

Is there any workaround other than storing the session ID in a cookie?

Waiting for your reply on this.

Thanks,
Yash
0
Cem Alacayir Replied
Employee Post
FYI, we have a fix for this in latest Version 5.8.0 - November 17, 2020:

  • Added: GleamTechWebConfiguration.CookieSameSiteFixEnabled property which can be used to fix session issues when
    you are using DocumentViewer in an iframe with a cross-domain URL (default value is false).

    If you open DocumentViewer in an iframe with a cross-domain URL, recent browsers will not allow the session cookie to be set
    inside iframe due to default security settings (could be overridden in your browser) and the component will fail to find the existing session from the server.
    When enabled, by default SameSiteMode.None will be used for the cookies.

    Note that Chrome 80+ allows SameSiteMode.None only if the cookie is also marked Secure and we will mark it Secure when the request is secure (HTTPS).
    So even with this fix if your cross-domain URL is not HTTPS, Chrome 80+ still does not allow the cookie in cross domain iframe (with default browser settings).
    Fix works on IE and Firefox even if your cross-domain URL is not HTTPS.
    Also, the fix can only work when your application is running on ASP.NET 4.7.2+ runtime (not target framework but deployment machine runtime)
    or ASP.NET Core runtime.

Note that this is not an issue specific to our product. All applications that depend on session cookies or other cookies and that use iframes are broken due to Chrome changing cookie policies. However, we provide the fix as a comfortable workaround.

So if you are opening FileManager or DocumentViewer with a cross domain URL in an iframe like this (cross domain meaning the domain in iframe is different than the domain in parent):

<iframe src="crossDomain.com/myFileManagerPage"></iframe>
Then you can turn on this fix:

  • For ASP.NET Classic, in Web.config (works only if running on ASP.NET 4.7.2+ runtime because HttpCookie.SameSite property is only available starting with that version):
<configuration>
  <appSettings>
    <add key="GleamTechWeb:CookieSameSiteFixEnabled" value="true"/>
  </appSettings>
</configuration>

  • For ASP.NET Core, in appsettings.json:
{
    "GleamTechWeb:CookieSameSiteFixEnabled": true
}

  • or from code, in global.asax.cs or Startup.cs:
GleamTech.AspNet.GleamTechWebConfiguration.Current.CookieSameSiteFixEnabled = true;

Note that
  • Chrome 80+ requires "SameSite=None; Secure" for the session cookie, so even if you turn on the fix, you will need to use an HTTPS URL (SSL) in your iframe, otherwise Chrome 80+ still does not allow session in iframe (note that new Edge is also Chrome based so the same will apply):
<iframe src="https://crossDomain.com/myFileManagerPage"></iframe>
  • Other browsers such as IE and Firefox require "SameSite=None" (for now, probably they will follow Chrome in future), so when you turn on the fix, it should work even if you use an HTTP URL (no SSL).

Alternative solution for ASP.NET Classic users:

Edit Web.config and add this setting:

  <system.web>
    <sessionState mode="InProc" cookieless="true" />
  </system.web>

So you can turn on "cookieless" mode for the session state module; this means it will store the session ID in the URL (automatically in the background) and you will not deal with cookies. Unfortunately, a similar option does not exist in ASP.NET Core.


References:

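As an added example (not GleamTech code and not from any post in this thread), the checker below applies the browser rules described in the replies above, Chrome 76+ treating a missing SameSite attribute as Lax and Chrome 80+ accepting SameSite=None only together with Secure, to a response's Set-Cookie headers, so you can verify what your application actually emits before and after turning on the fix. It also models the IE/Firefox behaviour the thread describes (None accepted over plain HTTP) through the `none_requires_secure` flag; the sample headers and cookie values are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class CookieCheck:
    name: str
    samesite: str        # effective SameSite after applying browser defaults
    secure: bool
    cross_site_ok: bool  # will the browser keep it inside a cross-domain iframe?
    reason: str


def parse_set_cookie(header: str) -> tuple[str, dict[str, str | None]]:
    """Split 'name=value; Attr; Attr=Value' into the cookie name and its attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() or None
    return parts[0].split("=", 1)[0].strip(), attrs


def check_cross_site(header: str, none_requires_secure: bool = True) -> CookieCheck:
    """Default models Chrome 80+; none_requires_secure=False models the IE/Firefox
    behaviour the thread describes (SameSite=None accepted over plain HTTP)."""
    name, attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    raw = attrs.get("samesite")
    # Chrome 76+ treats a missing attribute as Lax; assumed here for every browser.
    samesite = (raw or "Lax").capitalize()
    if samesite != "None":
        how = "explicit" if raw else "defaulted"
        reason = f"SameSite={samesite} ({how}) is not sent from a cross-domain iframe"
        return CookieCheck(name, samesite, secure, False, reason)
    if none_requires_secure and not secure:
        reason = "SameSite=None without Secure is rejected by Chrome 80+ (serve over HTTPS)"
        return CookieCheck(name, samesite, secure, False, reason)
    return CookieCheck(name, samesite, secure, True, "SameSite=None; Secure is accepted cross-site")


# Constructed sample headers modelled on the thread: the reporter's SameSite=Lax session
# cookie, a pre-patch header with no attribute, the fix over HTTP, and the fix over HTTPS.
SAMPLE_HEADERS = [
    "ASP.NET_SessionId=abc123; path=/; SameSite=Lax; HttpOnly",
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",
    "ASP.NET_SessionId=abc123; path=/; SameSite=None; HttpOnly",
    "ASP.NET_SessionId=abc123; path=/; SameSite=None; Secure; HttpOnly",
]
```

Run `check_cross_site` over every Set-Cookie header of the page that hosts FileManager or DocumentViewer; only the last sample passes under Chrome 80+ rules, while the third passes only with `none_requires_secure=False`.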
0
Cem Alacayir Replied
Employee Post
FYI,
With FileUltimate v7.8.1 and DocumentUltimate v5.8.1 (November 23, 2020 updates), this issue is fixed out of the box for both ASP.NET Core and ASP.NET Classic (no settings required):

  • Added: Cookieless session will be used when necessary to automatically fix session issues, i.e. when the browser
    does not allow cookies via browser settings or via iframe with a cross-domain URL.
    The cookieless session will be established via headers, form or querystring where possible.

    Added GleamTechWebConfiguration.AutoCookielessSessionEnabled property to control this feature (default value is true).
    You don't need to use GleamTechWebConfiguration.CookieSameSiteFixEnabled when this property is true.

  • Fixed: When <sessionState cookieless="true" /> was set in Web.config, the below error was being thrown:
    'Invalid method request: Method with name "" not found'

0
Cem Alacayir Replied
Employee Post Marked As Answer
Latest info regarding cookie/session handling is compiled here:
