ASP.NET: Popup browser windows and session cookies - asp.net

SUMMARY: When browsing an ASP.NET website using Windows Explorer, popup windows do not "borrow" the session cookie from the parent window.
DETAILS:
I'm working on an ASP.NET website (.NET 2.0). I use FormsAuthentication. It is a requirement to use cookies to handle the session.
On a page I have a button. When the user clicks it, a popup window is opened. The popup displays an ASPX page that uses session variables, previously set from the parent browser window. I've been testing the website using IE (6, 7, 8) and Firefox 2.0. On all these browsers, the popup window has access to the same session as the parent browser window and everything works ok.
I now have a bug raised by the client, stating that the popup window displays an error. Looking at the log file, I can see that it is a NullReferenceException at the moment the popup page tries to access the session variables. Talking with the client, he said that he opened the main website in Windows Explorer !!!
I've managed to recreate the issue on a test machine and saw that the popup is using a new session.
The machine must have Win XP and IE6 installed! With IE7 the website works ok.

My suspicion here is that when opened from Windows Explorer (not that I fully understand what you mean by this), the session cookie that is being sent back is not stored anywhere and thus not available for the pop up window to include with its request. I don't see how you can get around this. Is it not possible to tell the client that this means of accessing the application is not supported?

I have seen the same issue with IE 8; the issue does not occur in Firefox, Google Chrome or IE 6. In my case I can see that the Session is actually working but the Authentication terminates, redirecting the user to the login page again for him to login...

Related

Window.open is losing session

My team has a big problem with a website we developed. We have a page where we need to open three or four tabs. We used window.open and everything worked fine in the testing area. But in production, with a load balancer (sticky session configured), when window.open is executed it creates a new session. We saw in the logs that the request is redirected to another server when window.open is executed.
I've seen other links on Stack Overflow like "IE8 losing session cookies in popup windows".
But the problem is that it also happens in Firefox. Any clue about this kind of problem?
BTW, our app is an ASP .Net MVC 4.5 website.
Second part of your question is pointing to a problem on the client side.
But if I read your problem it looks like a problem on the server side.
I think that your session pool over the load balancer has a problem.
Maybe try a simple page that shows your sessionId on a page and run that in your server farm for testing. Make sure that the problem is not in your app but at server level.
Edit after the questioner's reply:
Is your cookie set domain wide?
What happens if you open more tabs manually?
Is it a browser domain cookie handler problem? (Then the manual tabs will not work.)
Or is it a JavaScript handler problem? (Then the manual tabs will work.)

Safari, ASP.NET 4, and LinkButton

I have an ASP.NET Web Application using .NET Framework 4 and it is working fine on all browsers when I test it locally using my Visual Studio Pro 2010, but when we deploy it to our server (IIS7 on Windows Server 2008 R2), the LinkButtons of my Web Application are not working correctly in the Safari browser on all platforms.
What was happening was when the LinkButton has a function that uses Response.Redirect, it somewhat clears the session or doesn't save it. I can check this since when I redirect to another page, I save the values inputted to a session first before redirecting, and validate it to the redirected page and if there's no session, bring it back to the previous page.
I have already implemented this fix to add a .browser file to my webapp but it doesn't fix my problem. I also tried this answer from SO to add a Page_PreInit and a configuration but to no avail.
My IIS configuration has both Session and Cookies enabled, and I honestly do not see why it would only affect the Safari browser if it is a server configuration error.
I've been working on this bug for a whole day and I still can't fix it. Please help, thanks in advance.
Update: I forgot to mention that my website is inside an iframe, after researching further I have found this question that says that Safari doesn't allow Third-Party Cookie by default. Now I can't use the said fix since my application is in ASP.NET not in PHP.

Postback is not working in Safari in Windows 7

Our QA team reported that one of our applications is not working in Safari in Windows 7. After checking the problem we figured out that any postback event is not working. After some tries we found that Page.IsPostback() reports false and thinks it’s a first-time load of the page and postback did not include ViewState.
We tried many solutions including
ASP.Net postback problem with ViewState in Safari on Windows 7
Viewstate invalid when using Safari
ViewState Chunking in ASP.NET 2.0 (maxPageStateFieldLength)
but all didn't bring Safari to work.
There is nothing special about this application. It is normal pages that use one master page that is a very normal master page.
Any suggestions?
Safari has an issue when working with Windows Authentication under IIS if Negotiate provider is enabled so AJAX POST is not working.
How to resolve?
In IIS, go to the Authentication settings of your website. Right click on Windows Authentication, choose Providers and remove Negotiate, leaving NTLM. This makes everything work fine.
[References]
AJAX POST Request Only Works Once in Safari 5
Negotiate Mechanism article in Wikipedia shows that it is not implemented in Safari

Persistent cookie gets deleted when IE is closed. Works fine in Firefox and Chrome

I have an ASP.NET app which uses forms authentication with an option to persist the cookie in the login screen. I am testing on a local computer, which means no web farms are used.
In Chrome and Firefox when I log in and persist cookie, then close the browser and then bring up the same page, I am already logged in. So far so good.
In IE however, when I load the same page after closing IE, I get the login screen instead of automatically being logged in. I checked the authentication cookie and noticed that the cookie is gone when I am in the login screen the second time. I see the cookie after logging in and I see it expires a month in the future. My guess is the cookie gets deleted when IE closes. I don't know why this happens.
I have repeated this test several times. I see the authentication cookie after logging in but it's gone in the login screen.
"Empty temporary Internet Files Folder when browser is closed" is NOT checked in Tools->Advanced
I am using IE9 in IE8 standards mode in Windows 7 64bit.
Any ideas?
I didn't mention the fact the site uses https. In the test server where this issue occurred, I use a self-signed ssl certificate. When I installed my root authority cert, the problem seems to have gone. This issue happened in IE only.
There is a great blog from Erik Law about this. Check it for more details. Scroll down to the section Troubleshooting Login Cookies. If you have a specific question about anything, edit your question and let us know.

Session lost when opening IE window from application hosted in Outlook

An ASP.NET application (actually with Silverlight but it doesn't matter) is hosted in Outlook as folder home page. In this application there's a link to open popup window, which opens a separate IE window, not in Outlook.
The problem is that in this case it seems that ASP.NET session is lost. A call to ASP.NET service has nothing in Session and Session._id is different. I suspect that Outlook has different cookies than IE.
How do I preserve session when opening IE popup from Outlook? Maybe pass session id via URL somehow, or configure this in web.config?
Note that I don't want cookieless sessions.
I ran into this problem in the past and was never able to find a way around it since the browser in outlook is running under a totally different process and it's not even a typical IE environment. I had issues with pass through authentication as well if I recall.
When the same behavior is done in IE directly, it actually opens another window using the same session.
To recreate the process in IE that is occurring in Outlook, just open an IE window and go to your app. Then open a new IE window by clicking the shortcut (not spawning it from the current IE session) and copying and pasting a link into the address bar. This is essentially what Outlook is doing.
I would try passing the value of the user's ASP.NET_SessionId cookie in the url from Outlook, then on the page that's opened in IE check for that value on the url and duplicate the ASP.NET_SessionId cookie in the response before loading the page (perhaps in an IHttpModule before the session has even been loaded for the request).
I'm not 100% sure this would work in case ASP.NET has some built-in session hijacking security in place that would prevent you from manually duplicating the session cookie somehow, but that's where I would start.
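
A more conservative variant of the URL handoff suggested in the answer above, as an added example that is not from the original thread: instead of putting the ASP.NET_SessionId value in the link, the parent page issues a signed, single-use token that expires after 30 seconds and carries only the user name. `HandoffToken`, its members and the 30-second lifetime are assumptions of this example.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

// Added example; HandoffToken and its members are hypothetical names.
public static class HandoffToken
{
    // Constructed per-process key; a web farm needs a shared secret instead.
    private static readonly byte[] Key = NewBytes(32);
    // Nonces already redeemed (purge expired entries in real use).
    private static readonly ConcurrentDictionary<string, long> Used =
        new ConcurrentDictionary<string, long>();
    // Result is standard Base64: pass it through Uri.EscapeDataString for a URL.
    public static string Issue(string userName, DateTime utcNow)
    {
        long expires = utcNow.AddSeconds(30).Ticks; // valid for 30 seconds
        string payload = Convert.ToBase64String(NewBytes(16)) + "|" + expires + "|" + userName;
        return Convert.ToBase64String(Encoding.UTF8.GetBytes(payload)) + "." + Sign(payload);
    }

    public static bool TryRedeem(string token, DateTime utcNow, out string userName)
    {
        userName = null;
        string[] parts = (token ?? "").Split('.');
        if (parts.Length != 2) return false;
        string payload;
        try { payload = Encoding.UTF8.GetString(Convert.FromBase64String(parts[0])); }
        catch (FormatException) { return false; }
        if (!FixedTimeEquals(parts[1], Sign(payload))) return false; // forged or altered
        string[] f = payload.Split(new[] { '|' }, 3);
        long expires;
        if (f.Length != 3 || !long.TryParse(f[1], out expires)) return false;
        if (utcNow.Ticks > expires) return false;                    // too old
        if (!Used.TryAdd(f[0], expires)) return false;               // already used once
        userName = f[2];
        return true;
    }
    private static byte[] NewBytes(int n)
    { var b = new byte[n]; using (var r = RandomNumberGenerator.Create()) r.GetBytes(b); return b; }
    // Base64 HMAC-SHA256 of the payload under the server-side key.
    private static string Sign(string s)
    { using (var h = new HMACSHA256(Key)) return Convert.ToBase64String(h.ComputeHash(Encoding.UTF8.GetBytes(s))); }
    private static bool FixedTimeEquals(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The page opened in IE would call `TryRedeem` and, on success, sign the user in with a fresh cookie (for example via `FormsAuthentication.SetAuthCookie`) rather than copying the parent's session cookie, so a link that leaks through history, logs or a Referer header cannot be replayed.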
