Session refresh issue with a cross domain iframe

UPDATE:

With FileUltimate v7.8.5 and DocumentUltimate v5.8.5 (January 1, 2021 updates), this issue is fixed out of the box for both ASP.NET Core and ASP.NET Classic (no settings required):

So out of the box, you don't need to change default properties however cookie support is detected on the browser via JS with CookielessSessionMode.Auto, in some cases (e.g. Cordova WebView), the detection may not be reliable, in that case you can use CookielessSessionMode.Always to fix any cookie issues.

For  ASP.NET Core, in appsettings.json:

{
        
"GleamTechWeb:CookielessSessionMode": "Always"
}
Alternatively you can specify the configuration in code, in your Program.cs (or in Configure method of your Startup.cs before net6.0)
app.UseGleamTech(() =>
        
{
    GleamTechWebConfiguration.Current.CookielessSessionMode = CookielessSessionMode.Always;
});


For ASP.NET Classic, in Web.config:

<appSettings>
        
<add key="GleamTechWeb:CookielessSessionMode" value="Always"/>
</appSettings>
Alternatively you can specify the configuration in code, in Application_Start method of your Global.asax.cs:
protected void Application_Start(object sender, EventArgs e)
        
{
    GleamTechWebConfiguration.Current.CookielessSessionMode = CookielessSessionMode.Always;
}


Latest info regarding cookie handling with GleamTechWebConfiguration properties:


CookielessSessionMode
Gets or sets a value that specifies whether cookieless session should be used to automatically fix session issues,
i.e. when the browser does not allow cookies via browser settings or via iframe with a cross-domain URL.
The cookieless session will be established via headers, form or querystring where possible.
The default is Auto.

Cookie support is detected on the browser via JS with Auto.
In some cases (e.g. Cordova WebView), the detection may not be reliable, in that case you can use Always.

You don't need to use CookieSameSiteFixEnabled when this property is Auto or Always.


CookielessSessionParameter
Gets or sets a value that specifies the parameter name to use for cookieless session which will be used in headers, form or querystring where possible.
The default is sid-gt.

It is not recommended to change it unless you have a conflict in your web application (e.g. if you already have a querystring named "sid-gt").


CookieSameSiteFixEnabled
Gets or sets a value that specifies whether SameSite fix should be used for session cookies and other cookies that GleamTech emits.
The default is false.

You don't need to use this property when CookielessSessionMode is Auto or Always.

If you open a GleamTech component in an iframe with a cross-domain URL, recent browsers will not allow the session cookie to be set
inside iframe due to default security settings (could be overridden in your browser) and the component will fail to find the existing session from the server.
When enabled, by default SameSiteMode.None will be used for the cookies.

Note that Chrome 80+ allows SameSiteMode.None only if the cookie is also marked Secure and we will mark it Secure when the request is secure (HTTPS).
So even with this fix if your cross-domain URL is not HTTPS, Chrome 80+ still does not allow the cookie in cross domain iframe (with default browser settings).
Fix works on IE and Firefox even if your cross-domain URL is not HTTPS.
Also, the fix can only work when your application is running on ASP.NET 4.7.2+ runtime (not target framework but deployment machine runtime)
or ASP.NET Core runtime.

----------------------
Old info:
Note that this is not an issue specific to our product. All application that depend on session cookies or other cookies and that use iframes are broken due to Chrome changing cookie policies. However we provide the fix as a comfortable workaround.

We have a fix for this in FileUltimate v7.8.0 and DocumentUltimate v5.8.0 (November 17, 2020 updates):

  • Added: GleamTechWebConfiguration.CookieSameSiteFixEnabled property which can be used to fix session issues when
    you are using a GleamTech component in an iframe with a cross-domain URL (default value is false).

    If you open a GleamTech component in an iframe with a cross-domain URL, recent browsers will not allow the session cookie to be set
    inside iframe due to default security settings (could be overridden in your browser) and the component will fail to find the existing session from the server.
    When enabled, by default SameSiteMode.None will be used for the cookies.

    Note that Chrome 80+ allows SameSiteMode.None only if the cookie is also marked Secure and we will mark it Secure when the request is secure (HTTPS).
    So even with this fix if your cross-domain URL is not HTTPS, Chrome 80+ still does not allow the cookie in cross domain iframe (with default browser settings).
    Fix works on IE and Firefox even if your cross-domain URL is not HTTPS.
    Also, the fix can only work when your application is running on ASP.NET 4.7.2+ runtime (not target framework but deployment machine runtime)
    or ASP.NET Core runtime.


So if you are opening FileManager or DocumentViewer with a cross domain URL in an iframe like this (cross domain meaning the domain in iframe is different than the domain in parent):

<iframe src="crossDomain.com/myFileManagerPage"></iframe>
Then you can turn turn on this fix:

  • For ASP.NET Classic, in Web.config (works only if running on ASP.NET 4.7.2+ runtime because HttpCookie.SameSite property is only available starting with that version):
<configuration> <appSettings>
    <add key="GleamTechWeb:CookieSameSiteFixEnabled" value="true"/> </appSettings> 
 
Also ensure you have the below updates on the machine, otherwise ASP.NET does not emit the SameSite cookie header for the None value (SameSite=None):
For .NET Framework 4.7.2, install KB 4524421
For .NET Framework 4.8, install KB 4531182


  • For ASP.NET Core, in appsettings.json:
{
    "GleamTechWeb:CookieSameSiteFixEnabled": true } 

  • or from code, in global.asax.cs or Startup.cs:
GleamTech.AspNet.GleamTechWebConfiguration.Current.CookieSameSiteFixEnabled = true;

Note that
  • Chrome 80+ requires "SameSite=None; Secure" for the session cookie so even if you turn on the fix, you will need to use a HTTPS URL (SSL) in your iframe, otherwise Chrome 80+ still does not allow session in iframe (note that new Edge is also Chrome based so same will apply):
<iframe src="https://crossDomain.com/myFileManagerPage"></iframe>
  • Other browsers such as IE and Firefox require "SameSite=None" (for now, probably they will follow Chrome in future) so when you turn on the fix, it should work even if you use HTTP URL (no SSL)

Alternative solution for ASP.NET Classic users:

Edit Web.config and add this setting:

  <system.web>
    <sessionState mode="InProc" cookieless="true" />
  </system.web>

So you can turn on “cookieles” mode for the session state module, this means it will store the session ID in URL (automatically in the background) and you will not deal with cookies. Unfortunately, a similar option does not exist in ASP.NET Core.


References: