FYI, we have a fix for this in latest Version 5.8.0 - November 17, 2020:
Added: GleamTechWebConfiguration.CookieSameSiteFixEnabled property which can be used to fix session issues when
you are using DocumentViewer in an iframe with a cross-domain URL (default value is false).
If you open DocumentViewer in an iframe with a cross-domain URL, recent browsers will not allow the session cookie to be set
inside iframe due to default security settings (could be overridden in your browser) and the component will fail to find the existing session from the server.
When enabled, by default SameSiteMode.None will be used for the cookies.
Note that Chrome 80+ allows SameSiteMode.None only if the cookie is also marked Secure and we will mark it Secure when the request is secure (HTTPS).
So even with this fix if your cross-domain URL is not HTTPS, Chrome 80+ still does not allow the cookie in cross domain iframe (with default browser settings).
Fix works on IE and Firefox even if your cross-domain URL is not HTTPS.
Also, the fix can only work when your application is running on ASP.NET 4.7.2+ runtime (not target framework but deployment machine runtime)
or ASP.NET Core runtime.
Note that this is not an issue specific to our product. All applications that depend on session cookies or other cookies and that use iframes are broken due to Chrome changing cookie policies. However, we provide the fix as a comfortable workaround.
So if you are opening FileManager or DocumentViewer with a cross domain URL in an iframe like this (cross domain meaning the domain in iframe is different than the domain in parent):
<iframe src="crossDomain.com/myFileManagerPage"></iframe>
Then you can turn on this fix:
- For ASP.NET Classic, in Web.config (works only if running on ASP.NET 4.7.2+ runtime because HttpCookie.SameSite property is only available starting with that version):
<configuration>
  <appSettings>
    <add key="GleamTechWeb:CookieSameSiteFixEnabled" value="true"/>
  </appSettings>
</configuration>
- For ASP.NET Core, in appsettings.json:
{
"GleamTechWeb:CookieSameSiteFixEnabled": true
}
- or from code, in global.asax.cs or Startup.cs:
GleamTech.AspNet.GleamTechWebConfiguration.Current.CookieSameSiteFixEnabled = true;
Note that
- Chrome 80+ requires "SameSite=None; Secure" for the session cookie so even if you turn on the fix, you will need to use an HTTPS URL (SSL) in your iframe, otherwise Chrome 80+ still does not allow session in iframe (note that new Edge is also Chrome based so same will apply):
<iframe src="https://crossDomain.com/myFileManagerPage"></iframe>
- Other browsers such as IE and Firefox require "SameSite=None" (for now, probably they will follow Chrome in future) so when you turn on the fix, it should work even if you use an HTTP URL (no SSL).
Alternative solution for ASP.NET Classic users:
Edit Web.config and add this setting:
<system.web>
<sessionState mode="InProc" cookieless="true" />
</system.web>
So you can turn on "cookieless" mode for the session state module. This means it will store the session ID in URL (automatically in the background) and you will not deal with cookies. Unfortunately, a similar option does not exist in ASP.NET Core.
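
An added example, not part of the original post and not GleamTech code: a small JavaScript model of the cookie rules described above, showing which `Set-Cookie` forms remain usable in the cross-domain iframe once the fix is enabled. The function names, the `chrome80`/`other` browser labels and the sample session ID are assumptions made for illustration.

```javascript
// Added example (not GleamTech code): models the browser rules the post describes
// for a session cookie set by a page loaded in a cross-domain iframe.

// Parse one Set-Cookie header value into the attributes that matter here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = { name: pair.split("=")[0], secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=").map((s) => s.trim().toLowerCase());
    if (key === "secure") cookie.secure = true;
    if (key === "samesite") cookie.sameSite = value;
  }
  return cookie;
}

// browser is a hypothetical label: "chrome80" (Chrome 80+, Chromium-based Edge)
// or "other" (IE / Firefox as the post describes them).
function crossSiteIframeVerdict(setCookie, iframeUrl, browser) {
  const c = parseSetCookie(setCookie);
  const https = new URL(iframeUrl).protocol === "https:";
  const blocked = (reason) => ({ name: c.name, usable: false, reason });
  if (c.secure && !https) return blocked("Secure cookie on a non-HTTPS URL");
  if (c.sameSite === "lax" || c.sameSite === "strict")
    return blocked("SameSite=" + c.sameSite + " is withheld in a cross-site iframe");
  if (browser === "chrome80") {
    if (c.sameSite !== "none") return blocked("no valid SameSite, treated as Lax");
    if (!c.secure) return blocked("SameSite=None requires Secure");
  }
  return { name: c.name, usable: true, reason: "accepted" };
}

// Constructed sample headers; the session ID value is made up.
const NONE_ONLY = "ASP.NET_SessionId=abc123; path=/; HttpOnly; SameSite=None";
const NONE_SECURE = NONE_ONLY + "; Secure";
const HTTP_URL = "http://crossDomain.com/myFileManagerPage";
const HTTPS_URL = "https://crossDomain.com/myFileManagerPage";

// Fix enabled: the post says Secure is added only when the request is HTTPS.
function fixEnabledMatrix() {
  return ["chrome80", "other"].flatMap((browser) => [
    { browser, url: HTTP_URL, ...crossSiteIframeVerdict(NONE_ONLY, HTTP_URL, browser) },
    { browser, url: HTTPS_URL, ...crossSiteIframeVerdict(NONE_SECURE, HTTPS_URL, browser) },
  ]);
}

console.table(fixEnabledMatrix());
```

To audit a real deployment, paste the `Set-Cookie` value from the iframe response (browser developer tools, Network tab) into `crossSiteIframeVerdict` together with the iframe URL.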
References: