Occasionally on submitting a payment form in an iframe, the postback from the payment gateway results in the user being logged out as the request is missing the ASP.NET_SessionId cookie (we are using state-server). It's not the app pool recycling causing the issue as I have checked those logs. It also only happens in the production environment. I can see the session cookie exists just before the form is submitted so I can't figure out where it is losing it.
1 Answer
You need to check that you are not affected by KB4524420, which has recently been rolled out:
ASP.NET will now emit a SameSite cookie header when HttpCookie.SameSite value is "None" to accommodate upcoming changes to SameSite cookie handling in Chrome. As part of this change, FormsAuth and SessionState cookies will also be issued with SameSite = 'Lax' instead of the previous default of 'None', though these values can be overridden in web.config.
You have to set cookieSameSite="None" in the session state tag to avoid this issue.
<sessionState cookieSameSite="None" cookieless="false" timeout="360">
</sessionState>
However, this will break Safari in certain cases (iOS prior to v13 and Safari on macOS), so you might want to consider adding two cookies (one with SameSite=None and one without specifying any value for SameSite). This is due to a bug in Safari which makes SameSite=None become SameSite=Strict.

- No luck with this approach unfortunately. The cookies are still missing on the postback request. – user3455734 Feb 12 '20 at 15:59
- Helped me resolve a similar issue in SharePoint Online App Webpart losing session cookies inside iframe. Thanks – Abdul Hameed Feb 13 '20 at 08:39
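The two-cookie workaround mentioned in the answer, sketched as an added example that is not part of the original answer or comments. It applies to a cookie the application issues itself (the ASP.NET_SessionId cookie is written by the session state module, not by this code); the class name, method names and the "-legacy" suffix are hypothetical, and the site is assumed to be served over HTTPS, since browsers that enforce SameSite=None require the Secure attribute.

```csharp
using System.Web;

// Added example: names below are hypothetical, not an ASP.NET API.
public static class DualSameSiteCookie
{
    private const string LegacySuffix = "-legacy";

    // On a patched framework, SameSiteMode.None emits "SameSite=None".
    // Casting -1 tells ASP.NET to omit the SameSite attribute entirely.
    private const SameSiteMode Unspecified = (SameSiteMode)(-1);

    // Issue the same value twice: once marked SameSite=None for browsers
    // that honour it, once with no SameSite attribute for browsers that
    // mishandle "None" (the Safari case described in the answer).
    public static void Write(HttpResponseBase response, string name, string value)
    {
        response.Cookies.Add(Build(name, value, SameSiteMode.None));
        response.Cookies.Add(Build(name + LegacySuffix, value, Unspecified));
    }

    // Prefer the SameSite=None cookie; fall back to the legacy copy when
    // the browser withheld the first one on a cross-site request.
    public static string Read(HttpRequestBase request, string name)
    {
        HttpCookie cookie = request.Cookies[name]
                            ?? request.Cookies[name + LegacySuffix];
        return cookie == null ? null : cookie.Value;
    }

    private static HttpCookie Build(string name, string value, SameSiteMode mode)
    {
        return new HttpCookie(name, value)
        {
            HttpOnly = true,   // keep the value out of reach of page scripts
            Secure = true,     // required alongside SameSite=None
            SameSite = mode
        };
    }
}
```

Inspecting the Set-Cookie headers of a response that calls Write shows whether the framework on that server is patched: the first cookie should carry SameSite=None and the "-legacy" copy should carry no SameSite attribute at all.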