Last post Jan 07, 2020 11:12 AM by palanikumar32
Nov 27, 2019 06:16 AM|albertpraveen|LINK
One of our client wants to use our web forms application in their website inside the iframe to Login and order the goods.
So I have added P3P headers to support third party content. CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
It was working until yesterday and stopped working after recent .net framework update. User logs in and the session is lost when redirected to another page. Below are the details of the update
2019-11 Preview of Quality Rollup for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows 8.1 and Server 2012 R2 for x64 (KB4524743)
Any help is much appreciated.
Nov 27, 2019 11:45 PM|olitee|LINK
We've seen this same problem affect one of our clients. Very similar to your description: ASP.NET WebForms, VB.NET and using iFrames to handle a SagePay payment with 3D secure.
We found that since installing this Windows Update, we've had SOME callbacks from SagePay (within the iFrame) creating new sessions, despite the cookie being provided with the correct session ID.
We've had to issue a hurried fix that inspects the session, and reacts accordingly if a new session has been created. But it's caused us and our client significant issues.
We're still investigating, but whether users are affected is definitely dependent on their browser version.
Dec 18, 2019 11:43 AM|reknaw|LINK
Did you get any further with this?
Experiencing the same problem with SagePay 3Dsecure redirects since a recent Windows update.
Dec 18, 2019 01:09 PM|albertpraveen|LINK
Found the fix. As mentioned in the below page.
Microsoft ASP.NET will now emit a SameSite cookie header when HttpCookie.SameSite value is "None" to accommodate upcoming changes to SameSite cookie handling in Chrome. As part of this change, FormsAuth and SessionState
cookies will also be issued with SameSite = 'Lax' instead of the previous default of 'None', though these values can be overridden in web.config.
You have to set the cookieSameSite= "None" in the session state tag to avoid this issue. I have tried this and working well.
<sessionState cookieSameSite="None" cookieless="false" timeout="360">
Dec 19, 2019 03:43 PM|reknaw|LINK
I confirm it works.
This has caused unbelievable grief, thanks a million for finding that.
Dec 26, 2019 09:13 PM|Blake Facey|LINK
Confirming this worked as well.
Jan 02, 2020 12:00 PM|UsmanK|LINK
This solution works for me but session log out is not working on any other browser than IE. Could you please help. Thanks.
Jan 07, 2020 11:12 AM|palanikumar32|LINK
I had this issue while accessing site from cordova application. This solutions works. Thanks!