Coming soon: Your brand new Help Center & Community! Get a sneak-peek here

MVC Custom App: Session reset on RedirectToAction

Hello,

If we set up our new custom App in "GUI - Web panel" list with the option "Navigator button" to open the app site in a new browser tab, it functions properly.

If we try to configure it as "Web panel on SuperOffice button", we get an error "too many redirections".

During debugging the app we have found out, the Session is resetting automatically on each new RedirectToAction (Session_Start() in Global.asax) and we lose our session varibles.

Has anyone had this problem? What could be a solution here?

 

Thank you very much in advance,
Andrey

RE: MVC Custom App: Session reset on RedirectToAction

Hi Andrey,

Sounds an awefully lot like a cookies problem. There's been quite a bit of web development chatter this year concerning samesite cookies after google updated Chrome in v80 to be more secure. For iFramed applications, you have to explicitly set your cookie samesite policy. 

If you are using MVC 5 (which is seems with mention of a global.asax), I beleive you will be OK with setting your sessionState element as:

<sessionState cookieSameSite="None" timeout="60" />

 Hope this helps!

Af: Tony Yates 11. aug 2020

RE: MVC Custom App: Session reset on RedirectToAction

I tested it now with SuperOffice.DevNet.Online.OpenIDCodeFlow.MVC app from Github (last version from 05/26). Same behavior here. Starting the app in a webpanel ends in the error caused by losing the session on redirect.

Starting the app in a new browser, everything works fine.

Session[“state”] seems to be ok  at  HomeController->Index:

Starting the OAuth 2 flow resetting the Session automatically before callback:

After that the Session is empty, Session[“state”] is null:

And it comes to the exception “OAuth State mismatch”.

I set up the App Domain of IIS to don't stop to avoid a session reset, and it helps if the app starts in separately tab.

I would be grateful for any help!

 

Af: Andrey Stupak 11. aug 2020

RE: MVC Custom App: Session reset on RedirectToAction

Hello Tony,
thank you very much for your quick responce.

I tested it in both our app

and Github example


Unfortunately it didn't helped, the session is still resetted on callback.

 

Update:

Tested it with Firefox and Edge, all works fine. It is really a Chrome problem.
Tony, many thanks for your help!

cheers,
Andrey

 

 

Af: Andrey Stupak 11. aug 2020

RE: MVC Custom App: Session reset on RedirectToAction

Hello,

Note that the changes related to SameSite are also coming to Firefox: https://hacks.mozilla.org/2020/08/changes-to-samesite-cookie-behavior/ same goes for Chromium Edge: https://docs.microsoft.com/en-us/microsoft-edge/web-platform/site-impacting-changes

So eventually you will hit this issue in any modern browser.

Note: Your cookies that you mark as sameSite = None should also be marked as Secure (and your connection should be over https), othewise Chrome will still reject them. You can see warnings/errors about this in the browser console.

Af: David Hollegien 11. aug 2020

RE: MVC Custom App: Session reset on RedirectToAction

Thank you David,

this parameters in Web.config helped to solve the problem with the session:

Af: Andrey Stupak 11. aug 2020