ASP.NET_SessionId cookieSameSite issue - asp.net

I am having issues with a third-party site we are using to process credit card payments posting those payments back to our site (ASP.NET MVC) and the ASP.NET_SessionId getting lost. This is happening in Chrome exclusively. I believe it's due to their recent SameSite which you can read about here. I can see when inspecting the cookie in Chrome that the Send for attribute on the cookie is set to 'Secure same-site connections only' but locally it says only 'Secure connections only'.
I have made the necessary changes to my website locally and have this working but once pushing those changes to our live webserver (Windows Server 2012) I am still having issues with Chrome.
Here is my relevant web.config settings:
<compilation debug="true" targetFramework="4.7.2"/>
<httpRuntime targetFramework="4.5.1" maxRequestLength="4096"/>
<sessionState mode="InProc" cookieless="false" timeout="60" cookieSameSite="None"/>
<httpCookies requireSSL="true"/>
<authentication mode="Forms">
<forms name="RAMAUTH" timeout="60" slidingExpiration="true" cookieSameSite="None"
requireSSL="true"/>
</authentication>
The webserver has .NET 4.7.2 installed.
I think that's everything I need to do in order to get this working and, like I said, it works locally but not on the live webserver. Another thing I noticed is that when using the configuration editor in IIS (8.5) on the webserver, it errors telling me it does not recognize the 'cookiesSameSite' attribute.
Am I missing something? Is there a logical reason as to why this would work ok locally but not on a live webserver running IIS?
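An added example, not part of the original question: a small check of how Chrome's SameSite rules treat each Set-Cookie header when the payment site posts back cross-site. The header values are constructed samples (not captured from the poster's servers), and the function names are illustrative.

```python
# Added example: classify Set-Cookie headers by Chrome's SameSite handling.
# All header values below are constructed samples.

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attributes); attribute names lowercased."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def cross_site_post_verdict(header):
    """Return (cookie name, verdict) for a cross-site POST back to the site."""
    name, attrs = parse_set_cookie(header)
    same_site = attrs.get("samesite", "").lower()
    if same_site == "none":
        if "secure" in attrs:
            return name, "sent"
        return name, "rejected: SameSite=None without Secure"
    if same_site in ("lax", "strict"):
        return name, "withheld: SameSite=" + same_site.capitalize()
    # Missing or unrecognized SameSite: Chrome applies Lax by default.
    # Chrome's temporary Lax+POST allowance for cookies set less than
    # two minutes ago is deliberately ignored here.
    return name, "withheld: no SameSite attribute, treated as Lax"


def audit(headers):
    """Map cookie name -> verdict for a list of Set-Cookie header values."""
    return dict(cross_site_post_verdict(h) for h in headers)


# Constructed samples: responses that do and do not carry the attributes.
LOCAL = [
    "ASP.NET_SessionId=constructed1; path=/; secure; HttpOnly; SameSite=None",
    "RAMAUTH=constructed2; path=/; secure; HttpOnly; SameSite=None",
]
LIVE = [
    "ASP.NET_SessionId=constructed1; path=/; secure; HttpOnly",
    "RAMAUTH=constructed2; path=/; HttpOnly; SameSite=None",
]

if __name__ == "__main__":
    for label, headers in (("local", LOCAL), ("live", LIVE)):
        for cookie, verdict in audit(headers).items():
            print(f"{label:5} {cookie:18} {verdict}")
```

Running the same check against the Set-Cookie headers actually returned by each environment shows whether the web.config attributes are reaching the response at all.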

Related

Forms authentication timeout different for IE vs. Chrome/Firefox

We have an Asp.net MVC 4 website that has been in production for several months with no problem. Until this morning, that is. All of a sudden people could only log in via IE. Chrome and Firefox both failed. After a bit of panicked debugging we found we could only log in if we set the forms timeout from
<forms loginUrl="~/Login" timeout="30" />
to
<forms loginUrl="~/Login" timeout="120" />
Can anyone tell me why this is? Nothing has changed in server configuration, and that field hasn't been changed in web.config from the initial deployment.

Timed out on web page

So we have been stuck on a connection timeout issue and we are lost.
All pages on this ASP.NET web application time out after exactly 2 minutes.
Saying:
connection timed out
description: connection timed out
All articles on the internet suggest it is the asp.net web config setting "executionTimeout". (Here is ours)
<httpRuntime executionTimeout="3600" requestValidationMode="2.0" maxRequestLength="15360" />
But obviously ours is set to way above 2 mins. A colleague of mine also fiddled with the IIS settings without success.
Any suggestions?
EDIT: This does not happen on debug at all, which makes me lean towards it being an IIS issue.
EDIT: We don't believe it to be an asp.net session issue since we are still logged in and can browse to other secure pages after this happens
Resolved: So after some more investigation we discovered that the timeout issue was just from when accessing the website from within our intranet. Apparently we have some daemon software (Websense) running on the network that was the root of all this evil.
The above you mentioned should work. Look for the following in your web.config file (maybe it's an issue of session timeout):
<system.web>
<authentication mode="Forms">
<forms timeout="20"/>
</authentication>
<sessionState timeout="20" />
</system.web>
Increase the timeout time you are using.
Hope this helps.

session in IIS always empty (between pages)

I have a folder in wwwroot that contains all the pages for a website.
The problem is that session and cookies are not saved between the pages, although the session is recognized, but always empty!
What do I have to do in order to enable session and cookies between the pages?
I tried adding this line to web.config
<authentication mode="Forms">
<forms cookieless="AutoDetect" domain="" timeout="10" protection="All" />
</authentication>
And I turned the folder into an Application through the IIS manager tools.
But nothing :(
The IIS version is 7.
Thanks for any help
Have you checked that session state is enabled in IIS7?
http://technet.microsoft.com/en-us/library/cc725624%28WS.10%29.aspx
You also need to ensure that you have the session state config setting setup in your web.config in your application.
Here's an example of mine
<sessionState mode="InProc" stateConnectionString="tcpip=127.0.0.1:42424" sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes" cookieless="false" timeout="20" />
You should check out
http://msdn.microsoft.com/en-us/library/ms178586.aspx
Edit: updated the above link, the previous one was defunct.

Login control doesn't work in Internet Explorer

I use an ASP.NET cookie in my application; here is my web.config:
<authentication mode="Forms">
<forms path="/"
defaultUrl="Default.aspx"
loginUrl="Login.aspx"
name=".ASPXAUTH"
slidingExpiration="true"
timeout="3000"
domain="www.mysite.com"
cookieless="UseDeviceProfile"/>
</authentication>
It works fine but I have a problem: after some days when a user has been working with the site application, suddenly my login control didn't work. I found out it will work after deleting temporary files.
Edit: Please pay attention to the domain: when a user requests www.mysite.com everything is okay, but without "www" login doesn't work. In Firefox they are working very well. This is an IE problem.
How can I solve this?
It's about your host and server (IIS service provider); it seems like they changed some default script files in your "aspnet_client\system_web\2_0_50727" folder like "WebUIValidation.js" or "SmartNav.js". Those are ASP.NET default scripts. If you change your host provider, you will see it's working well (cross-browser).

MVC app suddenly requiring authorization for everything after Windows/IIS reinstall

I recently reinstalled Windows (on an SSD!) and I'm in the process of setting up IIS and all my web projects.
One of my MVC project keeps asking for authentication on everything, including on resources like .css files and images. I'm using the default MVC template login with a custom provider that I'm using for dev purposes.
I've tried rolling back my web.config to before I moved the project file and re-set IIS, but that didn't make much of a difference -- aside from changing authentication mode from Windows to Forms.
Can you see anything wrong with my config?
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
<membership defaultProvider="SuperSimpleMembershipProvider">
<providers>
<clear />
<add name="SuperSimpleMembershipProvider" type="Website.Helpers.SuperSimpleMembershipProvider" />
</providers>
</membership>
I don't have any <authorization> element or anything else related to login, since I'm doing everything via MVC.
Update: Tried <authorization><allow users="*"/></authorization>, still not working.
Have you checked the configuration settings in IIS for that particular website? There are authentication options there which will help.
Turns out I had to allow IUSR read access to the site folder, since that's the user that Anonymous Authentication allows.
