I have a site which uses are a payment service that exists inside an iframe to take the customers credit card information.
In Chrome/Edge everything is working as expected, but in Safari, when the user is redirected back to the site via the iframe (the user is broken out of the iframe when returned to the site) the user is logged out and returned to the login screen.
This is seems to be something that has happened in the last few months but this may have just not be noticed. I am trying to wrap my head around the SameSite cookie information out there as this may be related.
Has anyone experienced anything like this and have any clue as to how to resolve?
It sounds very much like a SameSite problem.
A quick way to test that theory would be to set SameSite=None and test if it now works, then work back from there.
The fact that it works on Chrome but not Safari could suggest some quirk of Safari's implementation of SameSite.
I've found the following useful in learning about this:
https://web.dev/samesite-cookie-recipes/
https://www.netsparker.com/blog/web-security/same-site-cookie-attribute-prevent-cross-site-request-forgery/
https://andrewwburns.com/2020/08/05/dont-be-lax-about-your-samesite-cookies/
I experience problems with Safari when running Adal JS 1.0.13 together with a local ADFS 4.0.
Safari: after a successful redirect back from the ADFS login screen the browser goes into an infinite loop. The sessionStorage is updated approximately 3 times/second with new values each time. If I reload the page later the same loop starts. To reach the login screen I must select “Remove all Website data”. Cookie settings: always accept.
Firefox / Chrome: login works fine and the application runs perfectly. Three cookies are available MSISAuth, MSISAuthenticated & MSISLoopDetectionCookie.
“Keep me signed in” is not selected by the user and the parameter “cacheLocation” is not specified (i.e. use sessionStorage).
Any ideas what causes Safari to behave in this way?
There are various reasons this could be happening and you will need to specifically follow up with adal.js team. See this FAQ from adal.js team.
I recommend collecting adal logs and attaching it to the github issue.
Irrespective of the root cause, the adal.js team recommends two solutions
Specify a different html for the iframe - Gist
Conditional initialization in your main app.js file - Gist
From my experience, the second approach doesn't work for anything but very basic apps. You will need to implement the first solution which takes an iFrame based approach.
Sorry to repeat a question that I have seen posted many times before. But they don't seem to answer my circumstances. Or the articles are for previous versions of IIS and IE
I have trying to create a landing page where a user is redirected to an Intranet. I would like users who are part of the domain to be passed straight through to our Intranet with their Windows username (Single sign on). However I would also like the users who do not have a user name to be passed to a login page.
The problems seems to be when Enabling Anonyomous Access on IIS. You can allow access through to the IIS but can not detect the username and vice versa.
I have setup a solution which does something similar to this. However when a user who is not part of the domain accesses the site then they have to click cancel to the dialogue box (Windows login). They are then redirected to the 402 page which is a login page
Does anyone know how to stop this dialogue box being displayed? If I can get rid of the dialogue box then this would solve my problem.
I have looked a loads of solutions which none of them have the desired effect:
http://mvolo.com/blogs/serverside/archive/2008/02/11/IIS-7.0-Two_2D00_Level-Authentication-with-Forms-Authentication-and-Windows-Authentication.aspx
https://community.altiusconsulting.com/blogs/konstantinshapkin/archive/2009/09/22/asp-net-mixed-authentication.aspx
(These two are the most suited match for my problem - but don't see to provide the single page and filter the user to the correct place)
Any help would be greatly Appreciated. Let me know as well if I am asking for the impossible (I have been looking for an answer for days now...) I seem to be hacking the iis server to do something it doesn't want to do...
I have also tried windows and forms authentication bother together which doesn't seem to work on both IIS 6.0 and 7.0.
I don't believe there is a solution to your problem however I know for certain the you cannot (and should not) override the default browser behaviour you mention here:
Does anyone know how to stop this dialogue box being displayed? If I can get rid of the dialogue box then this would solve my problem.
I have a web application that runs perfectly fine when I use the Visual Studio 2010 development server (Cassini). However when I try to use IIS Express to host the site Chrome just displays a "Bad Request - Request Too Long" error. The IIS Express site does display in other browsers (FireFox and IE9) so I'm kind of confused. The error occurs in Chrome when I try request pages in my application or even basic resources like an image, so I don't think it is an issue with URL rewriting or routing.
Just to see if the problem was somehow a result of my site's code, I created a new MVC3 website and tried running that. This worked in the VS development server, but once again produced the "Bad Request" error when running under IIS Express.
I am about to start testing the site using some mobile devices so I need to get this running under IIS. Any suggestions would be greatly appreciated.
EDIT:
The root url of the site (http://localhost:50650/) is being requested using GET. I am currently using Chrome v12.0.742.112.
I get this all the time ONLY in Chrome and I have to clear browsing data to fix it.
Wrench > Tools > Clear Browsing Data
Check the following:
Clear browsing history
Clear download history
Empty the cache
Delete cookies and other site data
Then click "Clear Browsing Data" button and refresh your page.
UPDATE:
I figured out that it has to do with writing too many cookies to the browser and that if you just close all instances of Chrome, the error goes away for a while. To prevent it, you'll need to clear out your cookies programmatically.
Instead of clearing all the cookies, just do the following:
Right click the lock in the address bar area (see picture below)
Under cookies there is a link saying how many cookies are used
Click that link
Remove all cookies in there (or just the troublesome if you can identify them)
Problem gone
This error is caused by a corrupt cookie for the website you are trying to view, so to clear it all you need to do is clear the bad cookie(s) for that website.
In Chrome, go to...
chrome://settings/cookies
(Or manually go to Settings->Advanced Settings->Privacy->Content->All Cookies and Site data)
From there, you can search for cookies that match the site you are having problems on. Finally, click "remove all" for the matching cookies.
The problem is usually that the site in question has accumulated too many cookies or created cookies which are too large, making the HTTP headers swell beyond the allowed maximum.
One-time work-around
As has been mentioned, you can go to Settings|Advanced|Content Settings|All Cookies and Site Data, search for the site in question, and delete the cookies using the X button on the right. This reduces the header size of the HTTP request when contacting the site.
Long-term work-around
In addition to removing them one-time, however, you can prevent further problems with heavy cookie sites by going to Settings|Advanced|Content Settings|Manage Exceptions, and add the base site url (e.g. "msdn.microsoft.*" without the quotes) and select Behavior as "Clear on Exit". You might have to login more often to these sites, but this should prevent the problem.
I encountered this problem when using ADB2C login from ASP.NET WebApp. In Firefox you can do similar use case to delete related coockies and problem is gone for a while. Click on HTTPS (i) lock icon with, select ">" button on the right, select More information, select Security tab, click on View Cookies and click on Remove All. Done 4 a while.
If Above methods didn't work then enter
chrome://settings/resetProfileSettings
and Click on Reset Settings
This will reset your startup page, new tab page, search engine, and pinned tabs. It will also disable all extensions and clear temporary data like cookies. Your bookmarks, history and saved passwords will not be cleared.
I'm creating an ASP.NET application which uses Facebook Connect and fbml tags. It also uses the LinkedIn widget. When I run this app in any browser, there are no warnings and everything works. However, in IE, a message like this comes up:
Security Warning:
The current webpage is trying to open a site in your Trusted sites list. Do you want to allow this?
Current site:http://www.facebook.com
Trusted site:http://localhost
(same for LinkedIn.com). I know how to fix this from a client perspective and to stop the security warning showing up. However, is it possible to ensure this message doesn't come up as it could be off putting for users who don't know how to suppress this warning? I haven't tried uploading it to my webhost, so not sure if this message will appear for everyone in production. However, I always get it on my local machine.
(None of my pages use SSL, so I don't think that's the issue. I tried using FB's HTTPS urls but that didn't make a difference).
Thanks
I have come across the IE message many times. Whilst this might not be the case here I always check in Firebug to see if any requests are going to Https (using Net tab). If may be the case that something you are referencing is itself making a call to something else.
Often you get that message if you are serving an https page and then going to fetch an image over http.
Might not help but is the first thing I do in this situation.