Session Variables not saved when page is in an iFrame - asp.net

I have an aspx page with a listbox control. The listbox is populated from a collection that is retrieved from a service when the page loads. When the user selects an item from the listbox the page posts back, adding the retrieved objects to the session before reloading. On the reload I use the session objects instead of having to call the service again.
This all works fine until I access the page from within an iFrame. The Session objects are not retrieved when the page is in an iFrame (Session["blah"] is null). This code works perfectly when the page is not in an iFrame.
I am using IIS7 and windows server 2008. Is there anything I need to do in ISS to allow Session variables to be used in an iFrame? Does anyone know of anything else that may cause this to happen?
Thanks,
Neil

IE gives lower level of trust to 3rd party content loaded in an iframe. This blocks session cookies.
You can solve this by setting a P3P header in IIS:
Name = p3p
Value = CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
See also:
Cookie blocked/not saved in IFRAME in Internet Explorer
Compact P3P settings with IIS7

In my case, the project was .net framework 4.6.1. I've upgraded to 4.7.2 version and added the key below to the web.config
<system.web>
<sessionState cookieSameSite="None"/>
</system.web>
This way, third-party iframe sessions start working.
Before you do this change, it's better to read this
https://learn.microsoft.com/en-us/aspnet/samesite/system-web-samesite

Actually never mind, I just cleared out the files in C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files and restarted IIS and it was all working

As of 2021, Chrome (and maybe others) requires that the cookie is secured.
This can be achieved this way:
<system.web>
<httpCookies httpOnlyCookies="true" requireSSL="true" sameSite="None" />
</system.web>

To enable sessions in iFrames:
Internet Options -> Privacy -> Advanced -> check "Always allow session cookies"

Related

ASP.NET ReportViewer error "ASP.NET session has expired or could not be found"

My organization has an ASP.NET application which is a wrapper for our SSRS reports. This app essentially just gives users a series of dropdown menus to navigate to their reports rather than making users navigate to reports via the default SSRS report manager pages.
In this application we have had users experiencing errors, specifically an error: "ASP.NET session has expired or could not be found". This was happening to users after attempting to change a report parameter and re-running the report, after only a few minutes of viewing reports.
I have attempted to use KeepSessionAlive="true" within my ReportViewer control in combination with extending the Session Timeout value in our web.config. Neither of those things did the trick to resolve this error.
As per the MSDN article on Session-State modes available at https://msdn.microsoft.com/en-us/library/ms178586.aspx, we ended up switching this from the default InProc mode to StateServer mode and haven't been able to reproduce the error since. Using StateServer mode had an extra hoop to jump through though, in that we had to enable the ASP.NET State Service on our server, set it to Automatic Startup type and then update our web.config sessionState value from:
<sessionState timeout="120"/>
to:
<sessionState mode="StateServer" stateConnectionString="tcpip=localhost:42424" timeout="120"/>

Mixed Mode Cookieless/Cookie Sessions in ASP.NET

Cookies in ASP.NET are causing me some problems.
For the most part, I want to use cookieless sessions. This is mainly to get around a problem where safari won't let me set the cookies from an iFrame. So that part all works fine. Cookieless sessions do the job.
However, I have a page which is called from a POST. It uses a post to pass in a hidden field from a form which then does some stuff....you don't really need to know what.
So it turns out that when cookieless sessions are on, the POST is disabled and only GETS can happen in ASP.NET web forms. This is breaking my functionality.
What I want to do is add a web.config to the folder that contains my POSTing pages to go back to normal cookie sessions so I can get my POSTs working again, but this doesn't work.
<?xml version="1.0"?>
<configuration>
<system.web>
<sessionState cookieless="false" />
</system.web>
</configuration>
Does anyone know a way of making a folder work with normal cookie sessions while the rest of the site works with cookieless sessions?
I've found a solution to this:
What I do is create an HTTP Handler (a .ashx file). This takes specific post values from Request.Form and tags them on as Querystring parameters. This then does a redirect to my original page which now looks for Querystring params instead of Form ones. Phew!
The HTTP handler is what my app posts to now - it was a Facebook Signed request.
So the good news is, that I can use HTTP Handlers now - you learn something every day.

ASP.NET_SessionId is missing

I am losing the ASP.NET_SessionId when switching between pages on my site. The issue happens in Chrome/Firefox/Safari. It does not happen in IE. It is rather strange...here is my scenario.
My site can be accessed by entering www.example.org or example.org in browser (this is an important piece of info as you will see).
I enter example.org. From my home page, I log into to my site (note: I am not using ASP.NET forms authentication). I am sent to my default user page (e.g., userpage.aspx). From this page, I click on an <a> that sends me to a different page on my site. The <a> link is full-qualified (e.g., http://www.example.org/page2.aspx). When I get sent to the new page, my session is lost!
So, I ran Fiddler to try and discover the problem. What I found was interesting. The Request Header tag Referer was getting lost between pages.
Here are the steps:
Go to example.org.
Login to example.org.
I get redirected to userpage.aspx. The Referer is http://example.org. The ASP.NET_SessionId is set.
I click on the <a> (e.g., http://www.example.org/page2.aspx). After the page is rendered, the ASP.NET_SessionId is lost.
The ASP.NET_SessionId is lost consistently in Chrome/Firefox/Safari. This does not happen in IE.
If I repeat the above steps substituting www.example.org for example.org, the ASP.NET_SessionId is not lost. It works correctly each time.
Any thoughts on this behavior?
Add this to your web.config under the <system.web> element
<httpCookies domain=".mysite.com" />
See if there is any change in behavior. It sounds as though sub-domains are failing, although I thought the cookie was based at the root domain to begin with. This should force it that way.
In my case the following was the issue:
In my local Visual Studio environment, my development "web.config" file accidentally contained the following:
<configuration>
<system.web>
<httpCookies requireSSL="true" />
</system.web>
</configuration>
Since the development IIS Express runs at http://localhost:7561, which is not HTTPS, this check caused no cookies to be set/accepted at all, including the session ID cookie.
The solution was to simply comment out the <httpCookies requireSSL="true" /> line.
Another, similar issue I could imagine is that the Content-Security-Policy HTML meta tag, that also controls how cookies are handled, could also be configured to not allow the session ID cookie to be set.
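The two cookie problems on this page (the session cookie missing inside a third-party iframe unless it is SameSite=None and Secure, and the ASP.NET_SessionId lost between example.org and www.example.org, or never set on http://localhost with requireSSL="true") are all browser-side cookie rules. The following is an added example, not code from any post above, that models those rules over parsed Set-Cookie headers so the symptom can be reproduced offline before touching web.config. Hostnames and cookie values are constructed for the example.

```python
"""
Added example, not code from any post in this thread: an offline model of the
browser-side cookie rules behind the symptoms discussed above. Hostnames and
cookie values are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Cookie:
    name: str
    value: str
    set_by: str                # host that sent the Set-Cookie header
    domain: Optional[str]      # None means a host-only cookie
    secure: bool
    samesite: str              # "Lax" (browser default), "Strict" or "None"


def parse_set_cookie(header: str, set_by: str) -> Cookie:
    """Parse one Set-Cookie header value as sent by the host `set_by`."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain, secure, samesite = None, False, "Lax"
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            domain = val.lstrip(".").lower()   # a leading dot is ignored (RFC 6265)
        elif key == "secure":
            secure = True
        elif key == "samesite" and val:
            samesite = val.capitalize()        # "none" -> "None"
    return Cookie(name.strip(), value, set_by.lower(), domain, secure, samesite)


def would_be_stored(c: Cookie, set_over_https: bool) -> bool:
    """Whether a modern browser accepts the cookie at all.

    A Secure cookie delivered over plain http is rejected (the requireSSL on
    http://localhost case), and SameSite=None is only honoured together with
    Secure, so an http-only site cannot set a cookie usable in a cross-site iframe.
    """
    if c.secure and not set_over_https:
        return False
    if c.samesite == "None" and not c.secure:
        return False
    return True


def domain_matches(c: Cookie, request_host: str) -> bool:
    """Host-only cookies match only the host that set them; Domain= cookies also
    match subdomains, which is what lets example.org and www.example.org share one."""
    request_host = request_host.lower()
    if c.domain is None:
        return request_host == c.set_by
    return request_host == c.domain or request_host.endswith("." + c.domain)


def would_be_sent(c: Cookie, request_host: str, over_https: bool, cross_site: bool) -> bool:
    """Whether a stored cookie is attached to a request in the given context."""
    if not domain_matches(c, request_host):
        return False
    if c.secure and not over_https:
        return False
    if cross_site and c.samesite != "None":   # Lax/Strict are withheld from third-party frames
        return False
    return True


def diagnose(header: str, set_by: str, set_over_https: bool,
             request_host: str, over_https: bool, cross_site: bool) -> str:
    """Human-readable verdict for one scenario, combining the checks above."""
    c = parse_set_cookie(header, set_by)
    if not would_be_stored(c, set_over_https):
        return f"{c.name}: browser rejected the cookie at Set-Cookie time"
    if not would_be_sent(c, request_host, over_https, cross_site):
        return f"{c.name}: stored but not sent to {request_host} (cross_site={cross_site})"
    return f"{c.name}: sent to {request_host}"


if __name__ == "__main__":
    sid = "ASP.NET_SessionId=constructedvalue"   # constructed, not a real session id
    # Framed by a third-party site: only SameSite=None; Secure survives.
    print(diagnose(sid + "; path=/; HttpOnly", "app.example", True,
                   "app.example", True, cross_site=True))
    print(diagnose(sid + "; path=/; HttpOnly; SameSite=None; Secure", "app.example", True,
                   "app.example", True, cross_site=True))
    # requireSSL="true" on http://localhost marks the cookie Secure, so http rejects it.
    print(diagnose(sid + "; path=/; HttpOnly; Secure", "localhost", False,
                   "localhost", False, cross_site=False))
    # Host-only cookie set by example.org is not sent to www.example.org; Domain= fixes it.
    print(diagnose(sid + "; path=/; HttpOnly", "example.org", False,
                   "www.example.org", False, cross_site=False))
    print(diagnose(sid + "; path=/; HttpOnly; Domain=.example.org", "example.org", False,
                   "www.example.org", False, cross_site=False))
```

The model deliberately treats a missing SameSite attribute as Lax, which is what current browsers do; an older server that never emits the attribute therefore behaves exactly like the iframe symptom in the first question.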

Static files causing new sessions to be created

Why does a request for a .gif image cause the session_start event to fire in my asp.net application?
In my local IIS I tried setting up a module mapping for *.gif pointing to StaticFileModule thinking that would prevent IIS from routing the request through asp.net, but for some reason my session start event is still firing when just requesting this single image.
Can anyone advise what needs to be set in IIS to prevent this from happening?
Thanks
I think you may also have to disable Session State for those folders:
https://serverfault.com/questions/77852/is-it-possible-to-set-a-folder-as-cookieless-in-iis7
Do you have a modules section within your web.config which has runAllManagedModulesForAllRequests set to true? This causes all requests (including .gif, .jpg, etc) to go through asp.net, not just managed ones.
Anything like this:
<modules runAllManagedModulesForAllRequests="true">
...
</modules>
Or alternatively, have you defined any custom <httpHandlers> within your web.config?
It sounds like your CRM might be causing the asp.net runtime to handle the request (is it a separate .NET app? and if so, what about its web.config?)

ASP.NET forms authentication encoded in URL

I am having trouble with, I guess, Forms Authentication.
The site runs perfectly; I can log in and log out, but after a while (this is not a specific time frame) suddenly URLs start to look like this:
http://www.mydomain.com/(A(EvoNg_065oCKJ1l_AcU4ND7Uzkm05wugwbYu4jiKb-_24aJmbmE_r5djE-mw9b_3tvEBOLIH1f64rrtq6RZOSFto_o0MaN-3edRpjH2Bfn8uBnrUFhv2xmk4_9oLXHVEt-Dg5BfdPA3VprkCIixmbhr2KPs1))/Default.aspx
What does this encoding (A) mean? Is it the authorization ticket or the anonymous user ticket, or what is it?
The funny thing is that it stays there and also includes the encoding in all links on the page, until I recycle the application pool for the site, when it is gone... and it just starts over again after a while.
Can anyone point me in the right direction? The site is ASP.NET 4, using forms auth and deployed on IIS7.
Please help...
Best regards
Henrik
This could be related to a cookieless session which you might have configured. Look for the following in your web.config:
<sessionState cookieless="true" />
Also check that cookieless Forms Authentication is not enabled.
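URLs like the one in the question carry the ticket itself in the path, so once cookieless mode kicks in the identifier is copied into server logs, proxy logs and Referer headers. The following is an added example, not code from the question or answer, that detects ASP.NET cookieless tickets in IIS-style log lines and redacts them for safe sharing. It relies on ASP.NET's documented path format, where tickets are wrapped as /(S(...))/ for session state, /(F(...))/ for forms authentication and /(A(...))/ for anonymous identification, possibly combined inside one pair of parentheses. The log lines and ticket values are constructed.

```python
"""
Added example, not from the question or answer above: a detector for ASP.NET
cookieless tickets embedded in URL paths, run over constructed IIS-style log
lines. Ticket values and log lines are constructed for the example.
"""
import re
from typing import Dict, List

# One parenthesised run of tickets, e.g. /(A(ticket))/ or /(S(id)F(ticket))/.
_TICKET_RUN = re.compile(r"/\(((?:[AFS]\([^()]*\))+)\)/")
# One ticket inside such a run.
_SINGLE = re.compile(r"([AFS])\(([^()]*)\)")

TICKET_KINDS = {
    "S": "session state",
    "F": "forms authentication",
    "A": "anonymous identification",
}

# Constructed W3C-style log lines; the ticket values are placeholders, not real tickets.
SAMPLE_LOG = [
    "#Fields: date time cs-method cs-uri-stem sc-status",
    "2024-01-01 10:00:00 GET /Default.aspx 200",
    "2024-01-01 10:00:05 GET /(A(CONSTRUCTED_ANON_TICKET))/Default.aspx 200",
    "2024-01-01 10:00:09 GET /(S(CONSTRUCTED_SESSION)F(CONSTRUCTED_FORMS))/Account.aspx 200",
]


def find_tickets(url: str) -> Dict[str, str]:
    """Return {kind: ticket value} for every cookieless ticket in a URL."""
    found: Dict[str, str] = {}
    for run in _TICKET_RUN.findall(url):
        for kind, value in _SINGLE.findall(run):
            found[TICKET_KINDS[kind]] = value
    return found


def redact_tickets(url: str) -> str:
    """Replace ticket values so the URL can be logged or shared safely."""
    def _redact_run(m: "re.Match[str]") -> str:
        inner = _SINGLE.sub(lambda s: f"{s.group(1)}([REDACTED])", m.group(1))
        return f"/({inner})/"
    return _TICKET_RUN.sub(_redact_run, url)


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Scan lines of the form 'date time method uri-stem status' and report hits."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue  # skip header lines and malformed records
        uri = fields[3]
        tickets = find_tickets(uri)
        if tickets:
            hits.append({
                "line": line,
                "kinds": sorted(tickets),
                "redacted_uri": redact_tickets(uri),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(", ".join(hit["kinds"]), "->", hit["redacted_uri"])
```

A hit for "anonymous identification" on a site that is supposed to use cookies only is the signal the answer above points at: check `sessionState cookieless`, `forms cookieless` and `anonymousIdentification cookieless` settings, and treat any logged, unredacted ticket as already exposed.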
