
ASP.NET MVC Session gets reset after using RedirectToAction within iframe

I have an ASP.NET MVC application (say, App_A) and another ASP.NET application (say, App_B). App_B has an iframe that loads App_A within it.

The code on App_B looks something like this: iframe.Attributes["src"] = frameURL; where frameURL is a variable containing a link to App_A.

When the iframe loads the URL and the index() method on App_A gets invoked, I'm setting a value in session Session["CartID"] = 373895 and I'm using RedirectToAction("Shipping"). But within the Shipping() action method, the session seems to be null. The code that sets the session variable and calls RedirectToAction() is within the iframe.

A similar issue that I encountered previously on the Safari browser:

This has been working fine for the past 2 years without any issues. Previously, I was only having a CORS issue on the Safari browser. Since the websites on the parent window and the iframe were from different domains, I was not able to retain session values within the iframe after redirection as it was getting reset. To fix this on Safari, I had to load the iframe site (App_A) on the parent window, set a cookie and then redirect back to the parent website and load App_A within the iframe again. This allowed me to retain session values even after redirection. Now that I have a similar issue on Chrome, Firefox and Microsoft Edge, I tried the same fix that worked for Safari (as described above) but I'm still unable to retain session values on Chrome and other browsers.

Some debug information:

I tried debugging this and I added Session_Start() method to the Global.asax file and it gets hit twice, once before and once after calling RedirectToAction("Shipping"). The SessionID is also different before and after calling RedirectToAction("Shipping").

This issue occurs only when I run App_A from my local machine. When I try it in our production site, it works fine without any issues. Also, when I load App_A on the parent window, it retains session values without any issues. That is, on App_B I replaced storefrontiframe.Attributes["src"] = frameURL; with Response.Redirect(frameURL); and when App_A gets loaded on a new window, the session values are being retained without any issues.

I'm not sure why my session values are being cleared all of a sudden after calling RedirectToAction(). Any help would be greatly appreciated.

Vignesh K asked Dec 30 '19 12:12




1 Answer

I had a similar problem and was able to solve it by adding a "cookieSameSite" attribute with "None" as value to the sessionState node in the Web.config. Something like this:

<sessionState cookieSameSite="None" timeout="60" />
Javier Molina answered Oct 16 '22 09:10
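
The answer's setting in a fuller Web.config for App_A, as an added example that is not part of the original posts. It assumes .NET Framework 4.7.2 or later (where cookieSameSite is available) and that App_A is served over HTTPS; https://app-b.example is a placeholder for App_B's origin.

```xml
<!-- Added example: Web.config fragment for App_A (the framed site). -->
<configuration>
  <system.web>
    <!-- Without SameSite=None the session cookie is not sent on requests made
         from a cross-site iframe, so every request starts a new session
         (Session_Start fires again and SessionID changes). -->
    <sessionState cookieSameSite="None" timeout="60" />

    <!-- Browsers that enforce the newer SameSite rules reject a SameSite=None
         cookie unless it is also marked Secure. requireSSL adds the Secure
         flag to ASP.NET cookies, so the site has to run over HTTPS,
         including on a development machine. -->
    <httpCookies requireSSL="true" httpOnlyCookies="true" />
  </system.web>

  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- SameSite=None lets any site send this cookie from a frame, so
             restrict who may frame App_A. Placeholder origin for App_B. -->
        <add name="Content-Security-Policy"
             value="frame-ancestors https://app-b.example" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

Because the cookie now travels on cross-site requests, state-changing actions in App_A should keep using anti-forgery tokens rather than relying on SameSite for CSRF protection.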