Not sure if I'm going crazy, but I am having issues with session state inside an iFrame. It's a simple setup of one domain inside another. I don't need to share anything across the domains, all I want to do is embed a website inside another website and I want that embedded site to be able to log in / edit / update / etc. using cookies / session state.
To remove all the complexities of server farms / shared SQL session state etc., I created a simple HTML page served up by IIS that simply has an iFrame tag inside of it that calls my site. All loads and is great, but the moment I try and log in, I get stuck in an endless loop of login screens as the session is re-created with each request and I get logged out etc...
What am I missing? Was there some uber browser security upgrade that came into effect recently?
Any guidance would be awesome.
PS. I've got the P3P headers in place.
Just for those experiencing the same pain as me, it turns out that a cumulative update from Microsoft changed the default cookie behavior from SameSite=None -> SameSite=Lax.
https://support.microsoft.com/en-us/help/4533013/kb4533013-cumulative-update-for-net-framework
To fix this, and I believe this is just a temporary workaround (message in Chrome console -> A cookie associated with a cross-site resource at was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at and ), is to add this to your web.config:
<sessionState cookieSameSite="None" ..other attributes here.. />