
Simply:

  1. On website A the user logs in and creates some session objects.

  2. Website A redirects the user to a page on website B using Response.Redirect.

  3. Website B POSTs a form collection to a page on website A using a submit button.

  4. At this specific point all sessions of this specific user are lost and Session_Start fires again.

This is the same for both localhost and production domains.

This is OK when both pages are on the same domain; the problem occurs with two separate domains.

In step 3, when using a link instead of the button to return to website A (apparently with a fully qualified domain name), everything is OK and the sessions exist.

It seems to be a cross-platform submit/POST problem.

Sessions are InProc with cookies; changing this setting is not an option.

I appreciate your kind attention.

P.S. Googling this, I found out that there is a somewhat similar 'losing session' problem when redirecting from one page to another. This is not caused by Response.Redirect.

Edit

There is a probability that this problem is caused by the SameSite cookie policy. I ran several tests under several conditions and I still cannot confirm this.

Reza Mortazavi
  • Are you setting the SameSite attribute for your cookies? https://devblogs.microsoft.com/aspnet/upcoming-samesite-cookie-changes-in-asp-net-and-asp-net-core/ – JohnPete22 Jan 09 '20 at 20:17
  • @JohnPete22 This is version 4.7.1 and the article says SameSite cookies are applicable in 4.7.2 and later. Both the suggested web.config attributes and the code properties are not recognized in my environment. BTW, how can it affect session cookies in this scenario? – Reza Mortazavi Jan 10 '20 at 02:18
  • @JohnPete22 I upgraded to 4.7.2 and set `Response.Cookies["ASP.NET_SessionId"].SameSite = SameSiteMode.None;` in Session_Start according to [this post](https://stackoverflow.com/a/57840284/1527075) and the problem vanished, which means you are right about the SameSite cookie thing. It seems `SameSiteMode.None` is not a good option and may cause risks. Is there anything like an exclusion list to exempt desired websites? – Reza Mortazavi Jan 10 '20 at 03:20
  • Did you ever find a solution/explanation for this? We are facing the same issue. – Senne Feb 21 '20 at 13:21
  • @senne Yes I did, I'll post my solution ASAP. – Reza Mortazavi Feb 22 '20 at 20:29

1 Answer


First, this was a 4.7.1 ASP.NET Web Forms project, so if you are on MVC you can only get some clues from it.

As @JohnPete22 mentioned, this article says the SameSite cookie policy (as a new security measure) is for 4.7.2 and above, in which you have at least some control to turn it ON or OFF. What it doesn't say is that it also affects 4.7.1 projects, with no control over the feature; to be precise, it is always ON but the control commands are not recognized by that .NET Framework version (I'm not aware of any .NET update to solve this). This is why posting back to a page on a separate domain loses the form collection data: to maintain cross-domain security.

Note: this is not a solution, rather it's a workaround:

  1. Update your project to 4.7.2 to enable SameSite modes; this is not a big deal.

  2. Add this code to the Global.asax Session_Start event:

    // Session_Start runs once per new session, right after the session
    // cookie has been added to the response, so its attributes can still
    // be changed here. Note that Response.Cookies[name] creates an empty
    // cookie when the name is missing, so keep "ASP.NET_SessionId" in sync
    // with any cookieName configured on <sessionState>.
    if (Response.Cookies["ASP.NET_SessionId"] != null)
    {
        // Allow the browser to send the session cookie on cross-site
        // requests (SameSiteMode requires .NET Framework 4.7.2 or later).
        Response.Cookies["ASP.NET_SessionId"].SameSite = SameSiteMode.None;

        // Browsers that enforce SameSite (Chrome 80 and later) reject a
        // SameSite=None cookie that is not also Secure, so mark it on HTTPS.
        if (Request.IsSecureConnection)
            Response.Cookies["ASP.NET_SessionId"].Secure = true;
    }
    

    I tested the other options, SameSiteMode.Strict and SameSiteMode.Lax, but they did not work, so I simply turned the feature off.

  3. Add this to Web.Config System.Web section:

    <sessionState mode="InProc" cookieless="UseCookies" />
    
  4. To enforce better security, you may consider checking the source website with Request.UrlReferrer?.ToString() and changing the SameSite mode accordingly.

And that's all, folks!

Reza Mortazavi
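Added example, not part of the question or the answer above: a small JavaScript model of the rule a SameSite-enforcing browser (Chrome 80 and later) applies when deciding whether a cookie is attached to a request. Run against the four-step scenario from the question it reproduces every observation on this page: the session cookie reaches website A on a link from website B (a top-level GET) but not on a form POST from website B, a post-back within website A always works, Strict and Lax both fail for the cross-site POST, and SameSite=None only helps when the cookie is also Secure. The hostnames, request objects and cookie definitions are constructed for the illustration; the "site" computation is simplified to scheme plus the last two host labels instead of the Public Suffix List.

```javascript
// Model of how a SameSite-enforcing browser (Chrome 80+) decides whether a
// cookie rides along on a request. Constructed illustration; not ASP.NET
// code and not browser source.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// "Site" of a URL, simplified to scheme + the last two host labels. Real
// browsers consult the Public Suffix List; this suffices for the hostnames
// constructed below.
function siteOf(url) {
  const u = new URL(url);
  const labels = u.hostname.split(".");
  const domain = labels.length <= 2 ? u.hostname : labels.slice(-2).join(".");
  return `${u.protocol}//${domain}`;
}

// cookie:  { name, sameSite?: "Strict"|"Lax"|"None", secure?: boolean }
//          (sameSite omitted = no attribute emitted, as on ASP.NET 4.7.1)
// request: { url, method, initiator, topLevelNavigation }
//          (initiator null = typed URL / bookmark)
function attachesCookie(cookie, request) {
  const sameSite = cookie.sameSite === undefined ? "Lax" : cookie.sameSite; // Lax-by-default
  const secure = Boolean(cookie.secure);
  const { url, method, initiator, topLevelNavigation } = request;

  // Chrome 80+ refuses to store a SameSite=None cookie that is not Secure,
  // so such a cookie is never attached to anything.
  if (cookie.sameSite === "None" && !secure) return false;

  // A Secure cookie is only sent over https.
  if (secure && new URL(url).protocol !== "https:") return false;

  // Same-site requests always carry the cookie, whatever the attribute.
  const target = siteOf(url);
  if (initiator === null || siteOf(initiator) === target) return true;

  switch (sameSite) {
    case "Strict":
      return false; // never on a cross-site request, not even a link
    case "Lax":
      // Cross-site only on top-level navigations with a safe method:
      // a link or redirect yes, a <form method="POST"> submit no.
      // (Chrome also sends attribute-less cookies younger than two minutes
      // on top-level POSTs; that grace period is not modelled here.)
      return topLevelNavigation && SAFE_METHODS.has(method);
    case "None":
      return true; // Secure was already checked above
    default:
      throw new Error(`unknown SameSite value: ${sameSite}`);
  }
}

// Scenario from the question, with constructed hostnames: website A holds the
// session, website B lives on a different registrable domain.
const RETURN_PAGE = "https://site-a.example/Return.aspx";
const SITE_B_PAGE = "https://site-b.example/Form.aspx";

const requests = {
  linkFromB:   { url: RETURN_PAGE, method: "GET",  initiator: SITE_B_PAGE, topLevelNavigation: true },
  postFromB:   { url: RETURN_PAGE, method: "POST", initiator: SITE_B_PAGE, topLevelNavigation: true },
  postWithinA: { url: RETURN_PAGE, method: "POST", initiator: "https://site-a.example/Login.aspx", topLevelNavigation: true },
};

// Does the session cookie reach website A, i.e. does the session survive?
function sessionSurvives(cookie) {
  const result = {};
  for (const [name, req] of Object.entries(requests)) {
    result[name] = attachesCookie(cookie, req);
  }
  return result;
}

// Candidate session cookies. 4.7.1 cannot emit a SameSite attribute at all;
// the others correspond to the 4.7.2 SameSiteMode values, with and without Secure.
const cookies = {
  net471NoAttribute: { name: "ASP.NET_SessionId", secure: true },
  strict:            { name: "ASP.NET_SessionId", sameSite: "Strict", secure: true },
  lax:               { name: "ASP.NET_SessionId", sameSite: "Lax",    secure: true },
  noneWithoutSecure: { name: "ASP.NET_SessionId", sameSite: "None",   secure: false },
  noneSecure:        { name: "ASP.NET_SessionId", sameSite: "None",   secure: true },
};

for (const [label, cookie] of Object.entries(cookies)) {
  console.log(label.padEnd(18), JSON.stringify(sessionSurvives(cookie)));
}
```

The table this prints is the practical summary: only `noneSecure` keeps the session across the POST from website B, which is exactly the trade-off the answer's workaround makes, because a cookie that is sent on every cross-site POST is also sent on a forged one, so any page that accepts that post-back needs its own CSRF protection (an anti-forgery token or an explicit origin check) rather than relying on SameSite.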