Info: Session refresh issue with a cross domain iframe
Announcement by Cem Alacayir - 11/18/2020 at 2:00 AM
Employee Post

With FileUltimate v7.8.5 and DocumentUltimate v5.8.5 (January 1, 2021 updates), this issue is fixed out of the box for both ASP.NET Core and ASP.NET Classic (no settings required):

GleamTechWebConfiguration.CookielessSessionMode property:
Gets or sets a value that specifies whether a cookieless session should be used to automatically fix session issues, i.e. when the browser does not allow cookies, either because of browser settings or because the component is loaded in an iframe with a cross-domain URL. The cookieless session is established via headers, form fields or the query string, whichever is possible.
The default is CookielessSessionMode.Auto.

With CookielessSessionMode.Auto, cookie support is detected in the browser via JS.
In some cases (e.g. Cordova WebView) the detection may not be reliable; in that case use CookielessSessionMode.Always.

You don't need to use GleamTechWebConfiguration.CookieSameSiteFixEnabled when this property is set to Auto or Always.

If you still have a problem on a specific browser, then you can force to always use cookieless session mode:

- For ASP.NET Classic, in Web.config add this setting:
    <add key="GleamTechWeb:CookielessSessionMode" value="Always"/>

- For ASP.NET Core, in appsettings.json add this setting:
    "GleamTechWeb:CookielessSessionMode": "Always"

- or add this setting from code, in global.asax.cs or Startup.cs:
GleamTechWebConfiguration.Current.CookielessSessionMode = CookielessSessionMode.Always;

Note that this is not an issue specific to our product. All applications that depend on session cookies or other cookies and that use iframes are broken by Chrome changing its cookie policies. However, we provide the fix as a comfortable workaround.
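The two halves of the cookieless mode described above (a browser-side probe that notices cookies are being dropped, and a server that then accepts the session id from a header or the query string) as an added example in JavaScript. This is not GleamTech's code and does not show how the product implements it; the probe cookie name, the X-Session-Id header and the sid query parameter are assumptions for illustration, and the document test double is constructed for the example.

```javascript
// Added example, not GleamTech's own code: detect in the browser that cookies
// are blocked (e.g. a cross-site iframe with third-party cookies disabled) and
// let the server accept the session id from a header or the query string instead.
// PROBE, the X-Session-Id header and the sid parameter are assumed names.

const PROBE = "gt_probe";

// Browser side. `doc` is window.document in a real page. Returns true only if a
// cookie written with the attributes the session cookie would use comes back
// from the cookie jar. Pass attrs = "path=/" on plain-HTTP pages, where a
// Secure cookie can never be set. The probe is expired again before returning.
function cookiesAllowed(doc, attrs = "path=/; SameSite=None; Secure") {
  try {
    doc.cookie = `${PROBE}=1; ${attrs}`;
    const stored = doc.cookie.split(";").some(c => c.trim().startsWith(`${PROBE}=`));
    doc.cookie = `${PROBE}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; ${attrs}`;
    return stored;
  } catch (_) {
    return false; // some embedded WebViews throw on document.cookie access
  }
}

// Browser side. fetch() options that carry the session: let the browser send
// the cookie when it can, otherwise put the id in an explicit request header.
function sessionRequestInit(sessionId, allowed) {
  return allowed
    ? { credentials: "include", headers: {} }
    : { credentials: "omit", headers: { "X-Session-Id": sessionId } };
}

// Server side (Node-style request: lowercase header names, req.url = path+query).
// Looks for the session id in the Cookie header first, then in the custom
// header, then in the query string, and reports which transport carried it.
function resolveSessionId(req, cookieName = "ASP.NET_SessionId") {
  const cookies = (req.headers.cookie || "").split(";").map(c => c.trim());
  const fromCookie = cookies.find(c => c.startsWith(`${cookieName}=`));
  if (fromCookie) return { id: fromCookie.slice(cookieName.length + 1), via: "cookie" };
  if (req.headers["x-session-id"]) return { id: req.headers["x-session-id"], via: "header" };
  const sid = new URL(req.url, "https://localhost").searchParams.get("sid");
  if (sid) return { id: sid, via: "query" };
  return null;
}

// Constructed test double for window.document: a cookie jar that can be told
// to silently drop writes, which is what a blocked third-party context looks like.
function fakeDocument(acceptsCookies) {
  const jar = new Map();
  return {
    get cookie() { return [...jar].map(([k, v]) => `${k}=${v}`).join("; "); },
    set cookie(str) {
      if (!acceptsCookies) return;
      const [pair, ...attrs] = str.split(";").map(p => p.trim());
      const [name, value = ""] = pair.split("=");
      const expired = attrs.some(a => /^expires=/i.test(a) && new Date(a.slice(8)) < new Date());
      if (expired) jar.delete(name); else jar.set(name, value);
    },
  };
}

// End to end: the probe fails, the client falls back to the header, the server
// finds the id there. Returns { id: "abc123", via: "header" }.
function demo() {
  const allowed = cookiesAllowed(fakeDocument(false));
  const init = sessionRequestInit("abc123", allowed);
  const req = { url: "/myFileManagerPage", headers: { "x-session-id": init.headers["X-Session-Id"] } };
  return resolveSessionId(req);
}
```

The header transport is the one to prefer: a session id in the query string is exposed through the Referer header, browser history and server logs, and any transport that lets the client supply an id makes session fixation easier, so the server should still regenerate the id at login and bind it to the authenticated user.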

We have a fix for this in FileUltimate v7.8.0 and DocumentUltimate v5.8.0 (November 17, 2020 updates):

  • Added: GleamTechWebConfiguration.CookieSameSiteFixEnabled property which can be used to fix session issues when
    you are using a GleamTech component in an iframe with a cross-domain URL (default value is false).

    If you open a GleamTech component in an iframe with a cross-domain URL, recent browsers will not allow the session cookie to be set
    inside the iframe due to default security settings (which could be overridden in your browser), and the component will fail to find the existing session on the server.
    When enabled, by default SameSiteMode.None will be used for the cookies.

    Note that Chrome 80+ allows SameSiteMode.None only if the cookie is also marked Secure and we will mark it Secure when the request is secure (HTTPS).
    So even with this fix, if your cross-domain URL is not HTTPS, Chrome 80+ still does not allow the cookie in a cross-domain iframe (with default browser settings).
    Fix works on IE and Firefox even if your cross-domain URL is not HTTPS.
    Also, the fix can only work when your application is running on the ASP.NET 4.7.2+ runtime (the runtime on the deployment machine, not the target framework)
    or on the ASP.NET Core runtime.

So if you are opening FileManager or DocumentViewer with a cross-domain URL in an iframe like this (cross domain meaning the domain in the iframe is different from the domain of the parent page):

<iframe src="http://crossDomain.com/myFileManagerPage"></iframe>
Then you can turn on this fix:

  • For ASP.NET Classic, in Web.config (works only if running on ASP.NET 4.7.2+ runtime because HttpCookie.SameSite property is only available starting with that version):
    <add key="GleamTechWeb:CookieSameSiteFixEnabled" value="true"/>
Also ensure the updates below are installed on the machine; otherwise ASP.NET does not emit the SameSite attribute for the None value (SameSite=None):
For .NET Framework 4.7.2, install KB 4524421
For .NET Framework 4.8, install KB 4531182

  • For ASP.NET Core, in appsettings.json:
    "GleamTechWeb:CookieSameSiteFixEnabled": true

  • or from code, in global.asax.cs or Startup.cs:
GleamTech.AspNet.GleamTechWebConfiguration.Current.CookieSameSiteFixEnabled = true;

Note that
  • Chrome 80+ requires "SameSite=None; Secure" for the session cookie, so even if you turn on the fix you will need to use an HTTPS URL (SSL) in your iframe; otherwise Chrome 80+ still does not allow the session cookie in the iframe (the new Edge is also Chromium-based, so the same applies):
<iframe src="https://crossDomain.com/myFileManagerPage"></iframe>
  • Other browsers such as IE and Firefox only require "SameSite=None" (for now; they will probably follow Chrome in the future), so when you turn on the fix it should work even with an HTTP URL (no SSL).
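The attribute rule from the notes above (SameSite=None always when the fix is on, Secure only when the request came over HTTPS) together with the checks a Chrome 80+ style browser applies before storing that cookie in a cross-site iframe, as an added example in JavaScript. It is not GleamTech's code and does not show the product's implementation; the cookie name and the helper names are assumptions for illustration.

```javascript
// Added example, not GleamTech's own code: the Set-Cookie attributes the
// SameSite fix has to emit, and the rules a Chrome 80+ style browser applies
// before storing that cookie when the response arrives in a cross-site iframe.
// Cookie name and helper names are assumptions for illustration.

// Server side: build the Set-Cookie value for the session cookie. With the fix
// on, SameSite=None is always added; Secure is added only when the request
// itself came over HTTPS, because a Secure cookie cannot be set over HTTP.
function buildSessionSetCookie(sessionId, { fixEnabled, isHttps }, name = "ASP.NET_SessionId") {
  const parts = [`${name}=${sessionId}`, "path=/", "HttpOnly"];
  if (isHttps) parts.push("Secure");
  if (fixEnabled) parts.push("SameSite=None");
  return parts.join("; ");
}

// Parse a Set-Cookie value into the attributes the acceptance rules look at.
// Unknown SameSite values are treated as unspecified, as browsers do.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map(s => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, val = ""] = attr.split("=");
    const k = key.toLowerCase(), v = val.toLowerCase();
    if (k === "secure") cookie.secure = true;
    else if (k === "samesite" && ["strict", "lax", "none"].includes(v)) cookie.sameSite = v;
  }
  return cookie;
}

// Browser side, modelling the Chrome 80+ defaults the post describes:
//  - a cookie without SameSite is treated as Lax ("Lax by default");
//  - Lax and Strict cookies are not stored from a cross-site context (an iframe
//    whose site differs from the top-level page);
//  - SameSite=None is only honoured together with Secure;
//  - a Secure cookie is only accepted over HTTPS.
// Returns the reason for rejection, or null when the cookie is stored.
function chromeRejects(cookie, { crossSite, isHttps }) {
  const mode = cookie.sameSite || "lax";
  if (mode === "none" && !cookie.secure) return "SameSite=None without Secure";
  if (cookie.secure && !isHttps) return "Secure cookie on a non-HTTPS response";
  if (crossSite && mode !== "none") return `SameSite=${mode} cookie in a cross-site context`;
  return null;
}

// Emit the session cookie for a request context and run it through the
// browser rules; null means the session cookie survives.
function sessionCookieOutcome(ctx) {
  const header = buildSessionSetCookie("abc123", ctx);
  return chromeRejects(parseSetCookie(header), ctx);
}

// The cases the post walks through; each value is the rejection reason or null.
function scenarios() {
  return {
    fixOffSameSite:  sessionCookieOutcome({ fixEnabled: false, isHttps: true,  crossSite: false }),
    fixOffCrossSite: sessionCookieOutcome({ fixEnabled: false, isHttps: true,  crossSite: true  }),
    fixOnHttpCross:  sessionCookieOutcome({ fixEnabled: true,  isHttps: false, crossSite: true  }),
    fixOnHttpsCross: sessionCookieOutcome({ fixEnabled: true,  isHttps: true,  crossSite: true  }),
  };
}
```

Running scenarios() reproduces the post's table: only the HTTPS cross-site case with the fix on is stored; with the fix off the Lax-by-default cookie is dropped in the iframe, and with the fix on over HTTP the SameSite=None cookie is dropped for lacking Secure. Note that a SameSite=None cookie is sent on every cross-site request, so the embedded pages lose the CSRF protection that Lax gave them and need their own anti-forgery tokens.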

Alternative solution for ASP.NET Classic users:

Edit Web.config and add this setting:

    <sessionState mode="InProc" cookieless="true" />

This turns on cookieless mode for the session state module: it stores the session ID in the URL (automatically, in the background), so you do not deal with cookies at all. Unfortunately, a similar option does not exist in ASP.NET Core. Note that a session ID carried in the URL can leak through the Referer header, browser history and server logs, and makes session fixation easier, so prefer this only where cookies are genuinely unavailable.

