Info: Session refresh issue with a cross domain iframe
Announcement made by Cem Alacayir - 11/18/2020 at 2:00 AM
UPDATE:

With FileUltimate v7.8.1 and DocumentUltimate v5.8.1 (November 23, 2020 updates), this issue is fixed out of the box for both ASP.NET Core and ASP.NET Classic (no settings required):

  • Added: Cookieless session will be used when necessary to automatically fix session issues, i.e. when the browser
    does not allow cookies via browser settings or via iframe with a cross-domain URL.
    The cookieless session will be established via headers, form or querystring where possible.

    Added GleamTechWebConfiguration.AutoCookielessSessionEnabled property to control this feature (default value is true).
    You don't need to use GleamTechWebConfiguration.CookieSameSiteFixEnabled when this property is true.

  • Fixed: When <sessionState cookieless="true" /> was set in Web.config, the below error was being thrown:
    'Invalid method request: Method with name "" not found'


----------------------
Note that this is not an issue specific to our product. All applications that depend on session cookies or other cookies and that use iframes are broken due to Chrome changing cookie policies. However, we provide the fix as a convenient workaround.

We have a fix for this in FileUltimate v7.8.0 and DocumentUltimate v5.8.0 (November 17, 2020 updates):

  • Added: GleamTechWebConfiguration.CookieSameSiteFixEnabled property which can be used to fix session issues when
    you are using a GleamTech component in an iframe with a cross-domain URL (default value is false).

    If you open a GleamTech component in an iframe with a cross-domain URL, recent browsers will not allow the session cookie to be set
    inside iframe due to default security settings (could be overridden in your browser) and the component will fail to find the existing session from the server.
    When enabled, by default SameSiteMode.None will be used for the cookies.

    Note that Chrome 80+ allows SameSiteMode.None only if the cookie is also marked Secure and we will mark it Secure when the request is secure (HTTPS).
    So even with this fix if your cross-domain URL is not HTTPS, Chrome 80+ still does not allow the cookie in cross domain iframe (with default browser settings).
    Fix works on IE and Firefox even if your cross-domain URL is not HTTPS.
    Also, the fix can only work when your application is running on ASP.NET 4.7.2+ runtime (not target framework but deployment machine runtime)
    or ASP.NET Core runtime.


So if you are opening FileManager or DocumentViewer with a cross domain URL in an iframe like this (cross domain meaning the domain in iframe is different than the domain in parent):

<iframe src="crossDomain.com/myFileManagerPage"></iframe>
Then you can turn on this fix:

  • For ASP.NET Classic, in Web.config (works only if running on ASP.NET 4.7.2+ runtime because HttpCookie.SameSite property is only available starting with that version):
<configuration>
  <appSettings>
    <add key="GleamTechWeb:CookieSameSiteFixEnabled" value="true"/>
  </appSettings>
</configuration>
Also ensure you have the below updates on the machine, otherwise ASP.NET does not emit the SameSite cookie header for the None value (SameSite=None):
For .NET Framework 4.7.2, install KB 4524421
For .NET Framework 4.8, install KB 4531182


  • For ASP.NET Core, in appsettings.json:
{
    "GleamTechWeb:CookieSameSiteFixEnabled": true
}

  • or from code, in global.asax.cs or Startup.cs:
GleamTech.AspNet.GleamTechWebConfiguration.Current.CookieSameSiteFixEnabled = true;

Note that
  • Chrome 80+ requires "SameSite=None; Secure" for the session cookie, so even if you turn on the fix, you will need to use an HTTPS URL (SSL) in your iframe, otherwise Chrome 80+ still does not allow session in iframe (note that new Edge is also Chrome based so the same applies):
<iframe src="https://crossDomain.com/myFileManagerPage"></iframe>
  • Other browsers such as IE and Firefox require only "SameSite=None" (for now; they will probably follow Chrome in future), so when you turn on the fix, it should work even if you use an HTTP URL (no SSL).
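To make the browser rules above concrete, here is a small model (added example, not GleamTech's code) of how the session cookie is emitted with the fix on and which cross-domain iframe cases each browser accepts. The cookie name ASP.NET_SessionId is the default ASP.NET session cookie; the browser labels and the sample session ID are assumed/constructed values.

```python
"""Model of the cookie policy described in the post: with the fix enabled the
session cookie gets SameSite=None and is marked Secure only when the request
itself arrived over HTTPS. Chrome 80+ accepts SameSite=None in a cross-site
iframe only together with Secure; Firefox and IE (at the time of writing)
accept SameSite=None on its own. Browser names below are assumed labels."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    same_site: Optional[str]  # "None", "Lax", "Strict" or None (attribute absent)
    secure: bool


def build_session_cookie(session_id: str, request_is_https: bool,
                         same_site_fix_enabled: bool) -> Cookie:
    """With the fix on: SameSite=None, Secure iff the request was HTTPS.
    With the fix off: no SameSite attribute (recent browsers treat it as Lax)."""
    if same_site_fix_enabled:
        return Cookie("ASP.NET_SessionId", session_id, "None", request_is_https)
    return Cookie("ASP.NET_SessionId", session_id, None, False)


def set_cookie_header(cookie: Cookie) -> str:
    """Render the Set-Cookie header value the server would send."""
    parts = [f"{cookie.name}={cookie.value}", "Path=/", "HttpOnly"]
    if cookie.same_site is not None:
        parts.append(f"SameSite={cookie.same_site}")
    if cookie.secure:
        parts.append("Secure")
    return "; ".join(parts)


def browser_accepts_in_cross_site_iframe(cookie: Cookie, browser: str) -> bool:
    """Approximation of the behaviour the post describes for a cross-domain iframe."""
    if cookie.same_site != "None":
        return False  # absent (default Lax), Lax or Strict: not sent cross-site
    if browser == "chrome80+":
        return cookie.secure  # Chrome 80+ (and Chromium Edge): None requires Secure
    return True  # firefox / ie: SameSite=None is enough, HTTP iframe works
```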

Alternative solution for ASP.NET Classic users:

Edit Web.config and add this setting:

  <system.web>
    <sessionState mode="InProc" cookieless="true" />
  </system.web>

So you can turn on "cookieless" mode for the session state module, which means it will store the session ID in the URL (automatically in the background) and you will not deal with cookies. Unfortunately, a similar option does not exist in ASP.NET Core.

