How to use FileUltimate with a cross domain
Question asked by Alejandro Mares - 1/9/2020 at 9:57 AM
Answered
I want to use FileUltimate in a cross-domain scenario, but I'm not sure how to do it.

On first thought, I'm using an iframe; on the client domain, it starts a refresh page like this:

Request Headers:

Response Headers:
 BTW: I own both Domains 

The Domains are on separate webservers.

It looks like the cross-domain iframe is not possible... or else.

Any idea on how to deal with it?

This problem started with an update of Chrome, Firefox and Internet Explorer; with older browsers the behavior is different.

5 Replies

0
Jens Aspman Replied
Hi Alejandro Mares, did you find a solution for this? I'm experiencing the same thing.
Best regards
Jens
0
Cem Alacayir Replied
Employee Post
It seems this is related to a recent .NET Framework change:

If the application targets the .NET Framework 4.7.2 or later versions, the default value is Lax; otherwise, the default value is None.
And from your response headers, I see that the cookie has "SameSite=Lax" attribute.

You can go back to previous behavior by setting this in your Web.config:

<system.web>
  <sessionState cookieSameSite="None" />
</system.web>

0
Cem Alacayir Replied
Employee Post
More information on this issue:

Chrome starting with version 76 treats cookies as SameSite=Lax by default if no SameSite attribute is specified.

And ASP.NET, without the updates below, does not emit the SameSite cookie header for the None value (SameSite=None):
For .NET Framework 4.6 to 4.7.2, install KB 4524421
For .NET Framework 4.8, install KB 4531182

  • Before the patch a value of None meant:
    • Do not emit the attribute at all.
  • After the patch:
    • A value of None means "Emit the attribute with a value of None".
    • The default SameSite value for forms authentication and session state cookies was changed from None to Lax.
After these updates, you can use this setting in Web.config and the SameSite=None cookie header will be sent:

<system.web>
  <httpCookies sameSite="None" />
  <sessionState cookieSameSite="None" />
</system.web>
For more details:

0
vishnani karan Replied

My sites are hosted in a Windows Docker container on the ASP.NET Core platform, so Web.config changes are of no use to me.
If the GleamTech DocumentUltimate is creating a cookie in some method, is there any way to change the SameSite attribute in code?
0
Cem Alacayir Replied
Employee Post Marked As Answer
For ASP.NET Core, you can change default SameSite setting from Unspecified to None like this:

In Startup.cs add the highlighted code:

public void ConfigureServices(IServiceCollection services)
{
    services.Configure<CookiePolicyOptions>(options =>
    {
        options.MinimumSameSitePolicy = SameSiteMode.None;
        options.OnAppendCookie = cookieContext =>
            CheckSameSite(cookieContext.Context, cookieContext.CookieOptions);
        options.OnDeleteCookie = cookieContext =>
            CheckSameSite(cookieContext.Context, cookieContext.CookieOptions);

    });

    services.AddRazorPages();
}


public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    else
    {
        app.UseExceptionHandler("/Error");
        app.UseHsts();
    }

    app.UseHttpsRedirection();
    app.UseStaticFiles();

    app.UseRouting();

    //This should be called before calling UseAuthentication or any method that writes cookie
    app.UseCookiePolicy();
    app.UseAuthentication();
    app.UseAuthorization();

    app.UseEndpoints(endpoints =>
    {
        endpoints.MapRazorPages();
    });
}

private void CheckSameSite(HttpContext httpContext, CookieOptions options)
{
    if (options.SameSite == (SameSiteMode)(-1)) //For .NET Core 3.1+, you can use SameSiteMode.Unspecified
    {
        options.SameSite = SameSiteMode.None;
    }
}

References:

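To confirm which case from this thread a server is in, the Set-Cookie response headers can be audited directly. The following is an added example, not part of the original thread or of GleamTech's code; the function names and sample header values are constructed for illustration. It also flags SameSite=None without Secure, which the thread does not mention but which Chrome rejects since version 80.

```python
# Added example: classify Set-Cookie headers for use inside a cross-domain iframe.
# Sample headers are constructed; ASP.NET_SessionId is the default ASP.NET session cookie name.

SAMPLE_HEADERS = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly; SameSite=Lax",           # patched .NET default
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",                         # unpatched .NET, value None
    "ASP.NET_SessionId=abc123; path=/; HttpOnly; SameSite=None",          # patched, None, no Secure
    "ASP.NET_SessionId=abc123; path=/; secure; HttpOnly; SameSite=None",  # works cross-site
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attributes) with lowercase attribute keys."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def cross_site_verdict(header):
    """Return (cookie name, verdict) for a cookie that must be sent in a cross-site request."""
    name, attrs = parse_set_cookie(header)
    same_site = attrs.get("samesite", "").lower()
    if same_site in ("lax", "strict"):
        return name, "blocked: SameSite=%s" % same_site.capitalize()
    if same_site == "":
        # Attribute missing: per the thread, Chrome 76+ treats this as Lax.
        return name, "blocked: no SameSite attribute, treated as Lax"
    if same_site == "none" and "secure" not in attrs:
        # Not from the thread: Chrome 80+ rejects SameSite=None cookies without Secure.
        return name, "blocked: SameSite=None without Secure"
    if same_site == "none":
        return name, "sent cross-site"
    return name, "unknown SameSite value: %s" % attrs["samesite"]


def audit(headers):
    """Run the check over a list of Set-Cookie header values."""
    return [cross_site_verdict(h) for h in headers]


if __name__ == "__main__":
    for cookie, verdict in audit(SAMPLE_HEADERS):
        print(cookie, "->", verdict)
```
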