.NET Webforms Site Not Working in an IFrame
Date: 6/15/2020 9:57:03 PM
I recently had a client who needed their .NET Webforms site/app placed into an IFrame.
I know, "iframes", right? Ug! But it was a legitimate use case. Essentially the client's app is a home grown CRM and they needed it placed into their phone dialer's web app so that their phone agents could use the dialer and CRM apps together on a single screen. (And, yes, there is an API to be able to shuffle data back and forth, but the client really wanted to take advantage of the iframe to, at least initially, keep development costs low.)
The strange thing was, the client's app would load in the iframe, and the login screen appeared to be working, but on post back the user was returned right back to the login screen (within the iframe). System logs showed that the login attempts were working, and there were no console/JavaScript errors that led to any sort of hints.
We spent an embarrassing amount of time with the phone dialer's support and an even more embarrassing amount of time searching up and down Google: "C# Webforms site will not log in when in an external iframe".
It wasn't until I made a couple of test html pages that I placed on the client's site (and also on another external site that I controlled) that I came to realize that the iframe's login worked internally (same origin), but not externally. So I set out inspecting the HTTP headers again, and then with Fiddler, but there was nothing related to X-Frame-Options SAMEORIGIN or otherwise in the headers. Hmm, so back to more Googling.
AND THERE IT WAS -- In Microsoft KB4524420, in the .NET Framework Quality Rollup (4.6+) for Windows Server, Microsoft states: "ASP.NET will now emit a SameSite cookie header when HttpCookie.SameSite value is 'None' to accommodate upcoming changes to SameSite cookie handling in Chrome. As part of this change, FormsAuth and SessionState cookies will also be issued with SameSite = 'Lax' instead of the previous default of 'None', though these values can be overridden in web.config." In other words, with the session cookie now marked Lax, the browser refused to send it on the cross-site post back from inside the external iframe, so every successful login was immediately lost.
All it ended up being was adding cookieSameSite="None" in the web.config. Per usual, a simple solution after two days of testing and digging.
Here's a more complete snippet:
<sessionState cookieSameSite="None" timeout="360"></sessionState>
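For reference, here is a fuller web.config fragment I would use for the same scenario; it is an added example, not the client's actual config. It assumes .NET Framework 4.7.2 or later (where the sameSite attributes on httpCookies and forms exist) and that the site is served over HTTPS, because Chrome only accepts a SameSite=None cookie that also carries the Secure flag.

```xml
<configuration>
  <system.web>
    <!-- Session cookie: None so it is sent on cross-site post backs from the
         external iframe. requireSSL forces the Secure flag that Chrome requires
         alongside SameSite=None. -->
    <httpCookies requireSSL="true" sameSite="None" />

    <sessionState cookieSameSite="None" timeout="360"></sessionState>

    <!-- KB4524420 also moved the FormsAuth cookie to Lax, so it needs the same
         override or the login cookie will be dropped just like the session one. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx"
             cookieSameSite="None"
             requireSSL="true"
             timeout="360" />
    </authentication>
  </system.web>
</configuration>
```

Note that SameSite=None gives back the cross-site request protection Lax was providing, so keep ViewState MAC validation and anti-forgery tokens on the forms inside the framed app.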
Happy Coding!