2

I have an ASP.NET site where users can log in, and members can get a report or print a page with Ctrl+P.

Recently when my members open my site in IE and try to print, they are logged out!

Why? Because the IE print dialog sends some requests to the server without the session cookie, so StateServer releases a new session for this client and then the user is logged out.

Why does the print dialog send requests? I don't know, but I guess the IE print dialog tries to render the page and ready it for printing.

Why doesn't the print dialog send the current session cookie? Because a new update of .NET sets SameSite=Lax for the session cookie, so requests from the print dialog can't send the current session cookie. https://support.microsoft.com/en-us/help/4524419/kb4524419

How can I prevent the IE print dialog from sending requests? Or how can I force the IE print dialog to send the same session cookie?

Any idea?

Edited: I created a sample project to show this problem. You can download my project and host it on IIS, then open Default.Aspx and try to print that page in IE (or Edge). You'll see my problem. https://easyupload.io/w6vvpy

TylerH
Sadegh
  • As far as I know, when using Ctrl+P to open the IE browser print view, it is the browser's behavior, and it will print the current page without sending a request. I suggest you check your code: whether you set the session cookie expiry time, and whether the cookie has expired. Besides, which version of the IE browser are you using? Can you post the related code and steps to reproduce the problem? – Zhi Lv Dec 03 '19 at 08:48
  • Please open this page in IE (or Edge), then open browser development tools -> Network tab, then press Ctrl+P on the page. You'll see some requests sent to the server, and the print dialog retries rendering the page. – Sadegh Dec 03 '19 at 11:03
  • I have created a web application with forms authentication. It seems that when I press Ctrl+P on the page, it just gets the CSS and JavaScript files from the cache (or refreshes these files), and the main page is not refreshed. Screenshot like [this](https://i.stack.imgur.com/nOfRK.png). So, please check which authentication you are using. Which version of the IE browser are you using? Are you setting permissions for the CSS and JavaScript files, and not caching these files? Besides, please check the F12 developer Network tools to make sure the "Always refresh from server" option is not enabled. – Zhi Lv Dec 06 '19 at 15:42
  • @ZhiLv-MSFT: Thank you for your reply. I edited my post and added a sample project. You can see my problem in that. – Sadegh Dec 08 '19 at 10:27

3 Answers

1

I confirm the issue. For now, as a workaround, the problem disappears once the SameSite attribute gets removed. This is not an optimal solution, but it seems to work for now.

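    // Requires: using System.Linq; using System.Web; using System.Web.Security;
    var cookies = this.Response.Cookies;
    FormsAuthentication.SetAuthCookie( "JohnDoe", rememberMe );
    // (SameSiteMode)(-1) means "unspecified": no SameSite attribute is emitted.
    var allCookies = cookies.AllKeys.Select( key => cookies[key] ).ToList();
    allCookies.ForEach( cookie => cookie.SameSite = (SameSiteMode)(-1) );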

In ASP.NET Core 3.0 and later the SameSite defaults were changed to avoid conflicting with inconsistent client defaults. The following APIs have changed the default from SameSiteMode.Lax to -1 to avoid emitting a SameSite attribute for these cookies

https://learn.microsoft.com/en-us/aspnet/core/security/samesite

What we did was create an HttpModule which looks for cookies in the response and modifies them accordingly.

Mika Karjunen
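
The HttpModule approach mentioned in the answer above could look like this on ASP.NET for .NET Framework 4.7.2 or later. This is an added example, not the answerer's module: the class name and the user-agent check are assumptions, and `ASP.NET_SessionId` is the default session cookie name.

```csharp
using System;
using System.Web;

// Hypothetical module; register it under <system.webServer><modules> in web.config.
public sealed class LegacyPrintSameSiteModule : IHttpModule
{
    // Default ASP.NET session cookie name; adjust if <sessionState cookieName> is set.
    private const string SessionCookieName = "ASP.NET_SessionId";

    public void Init(HttpApplication app)
    {
        // By EndRequest the session module has already added its cookie to the
        // response, and a buffered response has not sent its headers yet.
        app.EndRequest += (sender, e) => Relax(((HttpApplication)sender).Context);
    }

    private static void Relax(HttpContext ctx)
    {
        // Scope the change to the browsers that show the print problem, so every
        // other client keeps SameSite=Lax on the session cookie.
        if (!IsLegacyMicrosoftBrowser(ctx.Request.UserAgent)) return;

        // Only act if this response really sets the cookie: indexing
        // Response.Cookies with a missing name would create an empty cookie.
        if (Array.IndexOf(ctx.Response.Cookies.AllKeys, SessionCookieName) < 0) return;

        // -1 means "unspecified": no SameSite attribute is emitted.
        // HttpOnly, Secure, Path and expiry are left exactly as they were set.
        ctx.Response.Cookies[SessionCookieName].SameSite = (SameSiteMode)(-1);
    }

    // IE sends "Trident/" and EdgeHTML-based Edge sends "Edge/" in the User-Agent;
    // Chromium-based Edge sends "Edg/" and is not matched.
    private static bool IsLegacyMicrosoftBrowser(string userAgent)
    {
        return !string.IsNullOrEmpty(userAgent) &&
               (userAgent.Contains("Trident/") || userAgent.Contains("Edge/"));
    }

    public void Dispose() { }
}
```

For the matched browsers the session cookie is then sent on cross-site requests again, so state-changing pages still need their anti-forgery tokens.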
1

Found the fix:

You have to set cookieSameSite="None" in the session state tag to avoid this issue. I've tried this and it works well in all browsers.

    <sessionState cookieSameSite="None" cookieless="false" timeout="360">
    </sessionState>

Santosh Jadi
0

I have reproduced the problem. It seems that when we print the page, it calls the DownloadHandler to load the image. At this time the session is null, so the image is not displayed.

To solve this issue, I suggest you try passing the login status to DownloadHandler using the query string, instead of using session state.

Please try to modify your code as below:

Default.aspx

    <img src="" runat="server" id="image" />

Default.aspx.cs

    protected void Page_Load(object sender, EventArgs e)
    {
        //check whether user login or not
        if (Session["LoginOK"] != null)
        {
            this.Title = "SessionID: " + Session.SessionID;
            //set the image control resource according the session value.
            image.Src = "./DownloadHandler.ashx?LoginOK=" + Session["LoginOK"].ToString();
        }
        else
        {
            //redirect to the login page 
            //after that, set the session value.
            Session["LoginOK"] = true;
            image.Src = "./DownloadHandler.ashx?LoginOK=true";
        }
    }

DownloadHandler:

        bool.TryParse(context.Request.QueryString["LoginOK"]?.ToString(), out bool hasAccess);

        if (!hasAccess)
        {
            context.Response.Redirect("./Error.aspx");
            return;
        }

Using the above code, when you click the print option, it still sends a request to DownloadHandler, but we can load the image according to the query string. After printing the web page, we can still use Session["LoginOK"] in the main page (Default), if the session has not expired.

Zhi Lv
  • Thanks for your response, but it is not a good idea, because it has a security issue and everybody can call my DownloadHandler with this link: ./DownloadHandler.ashx?LoginOK=true – Sadegh Dec 28 '19 at 05:45
  • You could also try to display the images without using DownloadHandler.ashx. For the security of the image files, if you don't want anonymous users to access them, you can refer to [this article to set authorization rules for a folder](https://weblogs.asp.net/gurusarkar/setting-authorization-rules-for-a-particular-page-or-folder-in-web-config). – Zhi Lv Dec 30 '19 at 08:42
  • This is just a sample project. In my main project, DownloadHandler loads the image from the DB and I can't change my approach. – Sadegh Dec 31 '19 at 09:27
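
The objection in the comments is that `LoginOK=true` is a constant anyone can type. If state has to travel in the query string, it can be a short-lived HMAC-signed value that the handler verifies instead. This is an added example, not code from the thread: the `ImageLinkToken` helper, its parameters and the idea of an image id and user name in the URL are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper: Default.aspx.cs would call Issue() when it builds image.Src,
// and DownloadHandler would call Validate() on the values from the query string.
public static class ImageLinkToken
{
    // key: random server-side secret (32 bytes or more), never sent to the client.
    public static string Issue(byte[] key, string user, int imageId,
                               DateTimeOffset now, TimeSpan lifetime)
    {
        long expires = now.Add(lifetime).ToUnixTimeSeconds();
        return expires + "." + Sign(key, user, imageId, expires);
    }

    public static bool Validate(byte[] key, string token, string user,
                                int imageId, DateTimeOffset now)
    {
        string[] parts = (token ?? "").Split('.');
        long expires;
        if (parts.Length != 2 || !long.TryParse(parts[0], out expires)) return false;
        if (now.ToUnixTimeSeconds() > expires) return false;   // link has expired
        return FixedTimeEquals(Sign(key, user, imageId, expires), parts[1]);
    }

    // HMAC-SHA256 over expiry, image id and user, so none of them can be altered
    // without the key. The free-form string goes last to keep the encoding unambiguous.
    private static string Sign(byte[] key, string user, int imageId, long expires)
    {
        using (var hmac = new HMACSHA256(key))
        {
            byte[] data = Encoding.UTF8.GetBytes(expires + "\n" + imageId + "\n" + user);
            return BitConverter.ToString(hmac.ComputeHash(data)).Replace("-", "");
        }
    }

    // Compare without returning early on the first differing character.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The token works for whoever holds the URL until it expires, and URLs end up in server logs and browser history, so the lifetime should cover only the page render and print.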