
Problem:

An ASP.NET WebForms application is losing its session data (losing the ASP.NET_SessionId cookie) between requests when the web app is framed (via iframe) inside another app hosted in another domain.

Our Setup:

We have 2 applications, each hosted in its own domain (not subdomains): the first is an ASP.NET WebForms (.NET 4.6.1) app, let's say A; the other is an application not on .NET, let's say B.

A (WebForms) is framed/opened inside an iframe from B (not .NET).

Problem in Detail

When A first opens in a Bootstrap popup (using an iframe) inside B, it shows an .aspx page. From there, if the user does any operation within the iframe that makes another request to A itself within the iframe (postback or redirect), the previous session (internally, the ASP.NET_SessionId session cookie) is lost and a new session/cookie is re-created.

This breaks application logic/behavior, as we need an active session for all requests to A.

Solutions Tried

We are going to follow one of the below (either via code or the configuration options available in 4.7.2), and have tried one at POC level, which seems to fix the original lost-session issue.

ASP.NET webform loses session when getting posted data from another domain

ASP.NET_SessionId cookie value is always Lax in the SameSite

Queries I have

  1. Will using the option of setting SameSite to None, with the cookie marked Secure (if app A is always accessed via HTTPS), cause any additional security risk, given that both A and B are owned by us and in our domains? If yes, what is the risk involved? Can it be recommended for use on a production box for the setup we have?

  2. I understand that even with the above option, we will still lose session data when our app B is opened in a Chrome incognito window and B then tries to open A in an iframe. Is that correct? If yes, what are the solutions/alternatives, or even workarounds (only as a last resort)? I found one, but it recommends using cookieless sessions, which we can't, as our authentication is based on cookies.

Please let me know if you need any additional details. Thank you.

LearningNeverEnds
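A small diagnostic for the symptom described in the question, added here as an example (it is not part of the original post): it classifies a Set-Cookie header the way a Chromium-based browser treats it when the response is loaded inside an iframe embedded by a different site. Chrome treats a cookie with no SameSite attribute as Lax and withholds it on requests made from a cross-site iframe, which is what the question observes; SameSite=None is honoured only together with Secure, otherwise the cookie is dropped entirely. The header values used as input are constructed samples.

```javascript
// Added example (not from the original post). Classifies a Set-Cookie header
// the way Chromium treats it when the response is loaded inside an iframe
// embedded by a different site. The sample header values are constructed.

function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter((p) => p.length > 0);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const value = eq === -1 ? '' : parts[0].slice(eq + 1);
  const attrs = {};
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    // Attribute names are case-insensitive; flag attributes (Secure, HttpOnly) map to true.
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Verdict codes:
//   'cross-site-ok'            SameSite=None plus Secure: sent on requests from a cross-site iframe
//   'rejected-none-not-secure' SameSite=None without Secure: Chrome refuses to store the cookie
//   'first-party-only'         Lax, Strict, or no attribute (Chrome defaults to Lax): withheld in the iframe
function classifyForIframe(header) {
  const { name, attrs } = parseSetCookie(header);
  const secure = attrs.secure === true;
  const explicit = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : null;
  const effective = explicit === null ? 'lax' : explicit;
  let verdict;
  if (effective === 'none') {
    verdict = secure ? 'cross-site-ok' : 'rejected-none-not-secure';
  } else {
    verdict = 'first-party-only';
  }
  return {
    name,
    secure,
    httpOnly: attrs.httponly === true,
    sameSite: explicit,          // null when the attribute is absent
    effectiveSameSite: effective,
    verdict,
  };
}

// Constructed sample headers for the three cases relevant to the question.
const SAMPLE_HEADERS = {
  defaultSessionCookie: 'ASP.NET_SessionId=abc123; path=/; HttpOnly',
  noneWithoutSecure: 'ASP.NET_SessionId=abc123; path=/; HttpOnly; SameSite=None',
  noneWithSecure: 'ASP.NET_SessionId=abc123; path=/; secure; HttpOnly; SameSite=None',
};

for (const [label, header] of Object.entries(SAMPLE_HEADERS)) {
  console.log(label, '->', classifyForIframe(header).verdict);
}
```

Run it against the `Set-Cookie` line from an actual response (for example the one shown by `curl -i`) to confirm which of the three cases the deployed app is in. One caveat for the first query above: a cookie that is `SameSite=None; Secure` will again accompany cross-site requests from any origin, not only from B, so the application's own CSRF protection (for WebForms, for instance `ViewStateUserKey`) has to carry the weight that the Lax default was providing.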
  • Update on what we finally did for this challenge, in case someone is facing the same dilemma: we came to the conclusion that it was not possible to do it, for Chrome at least, so we dropped using an iframe to open the .NET app, as it was impossible to retain the session cookie inside an iframe for Chrome. Instead we opened it as a new tab/window and used postMessage between both sides for any sort of communication. That solved 2 problems: communication between A and B, and the session cookie for the .NET app was retained. – LearningNeverEnds Oct 05 '21 at 05:07
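The postMessage arrangement described in the comment above, written out as an added example (this is not the poster's code). The origins https://a.example and https://b.example are assumed placeholders for the two applications. The receiving side accepts messages only from the one expected origin and only with a known shape, and the sending side always names the target origin explicitly instead of `'*'`; both checks are what keep a window-to-window channel from becoming a way for an unrelated page to drive or read from the app.

```javascript
// Added example (not the poster's code). Opener/child-window messaging with
// origin checks on both ends. The two origins are assumed placeholders for
// the applications in the question.

const APP_A_ORIGIN = 'https://a.example'; // assumed: the ASP.NET WebForms app
const APP_B_ORIGIN = 'https://b.example'; // assumed: the non-.NET host app

// Build a 'message' event handler bound to exactly one trusted origin.
// Messages from any other origin, or without a known {type, payload} shape,
// are ignored (returns false) rather than acted on.
function makeMessageHandler(trustedOrigin, handlers) {
  return function onMessage(event) {
    if (event.origin !== trustedOrigin) return false;
    const data = event.data;
    if (data === null || typeof data !== 'object' || typeof data.type !== 'string') return false;
    // Own-property check so a type like 'toString' cannot reach Object.prototype.
    if (!Object.prototype.hasOwnProperty.call(handlers, data.type)) return false;
    handlers[data.type](data.payload, event);
    return true;
  };
}

// Post a message naming the recipient's origin explicitly. With '*' any
// document that happened to occupy targetWindow could read the payload.
function sendTo(targetWindow, targetOrigin, type, payload) {
  if (targetOrigin === '*') throw new Error('refusing to post to a wildcard origin');
  targetWindow.postMessage({ type, payload }, targetOrigin);
}

// Browser wiring (not executed here; loadRecord is a hypothetical page function):
// In B:  const appA = window.open(APP_A_ORIGIN + '/Page.aspx', 'appA');
//        window.addEventListener('message', makeMessageHandler(APP_A_ORIGIN, {
//          ready: () => sendTo(appA, APP_A_ORIGIN, 'init', { recordId: 42 }),
//          result: (payload) => console.log('A finished with', payload),
//        }));
// In A:  window.addEventListener('message', makeMessageHandler(APP_B_ORIGIN, {
//          init: (payload) => loadRecord(payload.recordId),
//        }));
//        if (window.opener) sendTo(window.opener, APP_B_ORIGIN, 'ready', null);
```

Because A now runs in its own top-level window, its requests are first-party and the default Lax session cookie is sent as usual, which is why the comment reports the session surviving. For the channel to work, B must not open A with the `noopener` window feature, since A reaches B through `window.opener`.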

0 Answers