WebGIS Discussions

Need a push in the right direction when configuring WebMap, Portal or SDI services? Looking for hints and tips, or just looking for Ideas and information? The WebGIS discussion board is where you start those discussions, connect and share information.
Super Contributor
Posts: 457
Registered: ‎10-12-2015

Portal embedded in iframe with samesite change failure

Customer has a Geospatial Portal that is embedded in a contractor's site within an iframe. Two separate organisations, so it is a cross-site setup.

After the customer applied Windows Server update KB4534271 (for Windows 2016; KB4534273 for Windows 2019), the contractor observed that the embedded portal session refreshed constantly and would not display. A similar setup within the customer's intranet continued to work fine.

See https://redmondmag.com/Articles/2020/01/28/SameSite-Cookie-Changes-Break-Apps.aspx?Page=2 for info on the windows server updates involved.

 

The issue is related to the SameSite changes that are enabled in Chrome 80 (released 4 Feb) and being activated from 14 Feb. (Similar changes are coming to other browsers such as Firefox and Edge in future.)

https://www.chromium.org/updates/same-site
https://web.dev/samesite-cookies-explained/

However, you don't need to have Chrome 80 deployed to observe the issue: the contractor is on Chrome 79, and once KB4534271/KB4534273 has been deployed the issue is observed, i.e. just applying the Microsoft KB is changing something.

I'm speculating that when Chrome 80 does activate the new SameSite settings on 14 Feb, the issue will likely also be observed regardless of whether KB4534271 has been deployed or not.

 

I have not been able to replicate it to date, but here are possible workarounds depending on the version of Geospatial Portal / IIS / .NET:

i. Explicitly set the sameSite config in web.config

Edit C:\Program Files\Common Files\Hexagon\Services\Instances\{YourGeospatialPortalSite}\Web.config
Locate <system.web> and add the entry
<httpCookies sameSite="None" requireSSL="true"/>
[screenshot: samesite-iis-1.png]
Restart IIS
Delete the contents of C:\Program Files\Common Files\Hexagon\Services\Instances\{YourGeospatialPortalSite}\App_Data\Cache\*
Delete C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\{YourGeospatialPortalSite}
Test
Note: the site will then only work over https and will fail to load over http; sameSite="None" must be used over https (Secure).

Could also try some variations if that does not work.

<httpCookies sameSite="Unspecified"/>

<httpCookies sameSite="Lax"/>

 

ii. Add an IIS URL Rewrite rule.

Customer worked out this one as their environment does not seem to support i. above at this time (Portal 2018 / Server 2016 / older .NET).

So far it is working; the customer would prefer i. though.

[screenshot: samesite-rewrite-rule.png]

Again, you might need to experiment with different settings, SameSite=Lax vs SameSite=None; Secure and similar.

 

iii. Change IIS Session State to avoid cookies

(Untested by the customer, so it is not clear whether it would resolve the issue.)

The problem cookie seemed to be the session state expiry/refresh. Given session state is controlled via IIS session state, one option is to switch from holding the session state in a cookie to the URI.

That may lead to easier session spoofing though, as the session id is exposed as part of the URL; if trying this one, check for any security implications, particularly if using authentication.

[screenshot: IIS-SessionState-URI.png]

We would be interested to hear any alternatives / improvements to above. 

i.e. keeping to configuration only rather than using rewrite rules.

Would also be interested to hear if there are any impacts to Portal once chrome enables the updated samesite rules on 14 Feb.
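Option i as a script. This is an added example for this thread, not code from Hexagon or from the posts above: it inserts the httpCookies element under system.web in a Web.config (a constructed sample file is embedded) and first checks the file's targetFramework, because the thread notes the sameSite attribute is unavailable before .NET Framework 4.7.2. The function names and the SAMPLE_WEB_CONFIG contents are my own assumptions.

```python
"""Option i applied programmatically: add <httpCookies sameSite="None"
requireSSL="true"/> under <system.web> in a Geospatial Portal Web.config,
after checking that the config targets a framework that honours it.

Added example for this thread; not code from Hexagon or from the posts.
SAMPLE_WEB_CONFIG is a constructed stand-in for the real
C:/Program Files/Common Files/Hexagon/Services/Instances/<site>/Web.config
(forward slashes here only to keep the docstring simple).
"""
import shutil
import xml.etree.ElementTree as ET

SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <compilation targetFramework="4.7.2" />
    <httpRuntime targetFramework="4.7.2" />
    <sessionState mode="InProc" timeout="20" />
  </system.web>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true" />
  </system.webServer>
</configuration>
"""

VALID_SAMESITE = ("None", "Lax", "Strict", "Unspecified")
MIN_FRAMEWORK = (4, 7, 2)   # httpCookies sameSite is unavailable before .NET 4.7.2


def _version(text):
    return tuple(int(p) for p in text.split(".") if p.isdigit())


def samesite_config_supported(config_xml):
    """True/False according to the lowest targetFramework declared on
    <compilation> or <httpRuntime>; None when neither declares one."""
    root = ET.fromstring(config_xml)
    found = [el.get("targetFramework") for el in root.iter()
             if el.tag in ("compilation", "httpRuntime") and el.get("targetFramework")]
    if not found:
        return None
    return min(_version(v) for v in found) >= MIN_FRAMEWORK


def set_samesite(config_xml, same_site="None", require_ssl=True):
    """Return config_xml with the httpCookies element inserted or updated.
    Running it twice yields one element, not two."""
    if same_site not in VALID_SAMESITE:
        raise ValueError("unknown sameSite value %r" % same_site)
    if same_site == "None" and not require_ssl:
        # Chrome 80 drops SameSite=None cookies that are not also Secure;
        # requireSSL="true" is what makes ASP.NET flag them Secure.
        raise ValueError("sameSite=None needs requireSSL=true")
    root = ET.fromstring(config_xml)
    if root.tag != "configuration":
        raise ValueError("not a web.config, root element is %r" % root.tag)
    system_web = root.find("system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    cookies = system_web.find("httpCookies")
    if cookies is None:
        cookies = ET.SubElement(system_web, "httpCookies")
    cookies.set("sameSite", same_site)
    cookies.set("requireSSL", "true" if require_ssl else "false")
    ET.indent(root, space="  ")     # Python 3.9+; keeps the file readable
    return ('<?xml version="1.0" encoding="utf-8"?>\n'
            + ET.tostring(root, encoding="unicode") + "\n")


def apply_to_file(path, same_site="None"):
    """Rewrite Web.config in place, keeping a .bak copy. Returns False and
    leaves the file untouched when targetFramework is below 4.7.2, where
    the attribute would be ignored and option ii or iii is needed instead."""
    with open(path, encoding="utf-8-sig") as fh:      # tolerate a UTF-8 BOM
        original = fh.read()
    if samesite_config_supported(original) is False:
        return False
    shutil.copyfile(path, path + ".bak")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(set_samesite(original, same_site))
    return True


if __name__ == "__main__":
    print(set_samesite(SAMPLE_WEB_CONFIG))
```

After apply_to_file returns True, restart IIS and clear the App_Data\Cache and Temporary ASP.NET Files folders as in the steps above. ElementTree drops XML comments when it re-serialises the file, so diff the result against the .bak copy before trusting it.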

Technical Evangelist
Posts: 563
Registered: ‎09-11-2015

Re: Portal embedded in iframe with samesite change failure

Hi Shaun,

 

I think there is nothing much to do on the server side as SameSite is the browser's security policy. You can either disable it in the browser or "cheat" it by a rewrite rule on the server which includes the portal into the iframe, exactly as you suggested. You can hardly do anything with it on the portal server.

 

Pavel

Super Contributor
Posts: 457
Registered: ‎10-12-2015

Re: Portal embedded in iframe with samesite change failure

Hi Pavel,

 

I don't see the rewrite rule as "cheating". 

Rather it is a mechanism to choose which SameSite attribute to use. And as far as I am aware the Cookie SameSite attributes are set by the application.

e.g. if the portal is going to be used by 'first party' only, it can be set to Lax or Strict and optionally Secure. If it is being used in a 'third-party context' (e.g. embedded in an iframe), set None and Secure.

https://docs.microsoft.com/en-us/microsoftteams/platform/resources/samesite-cookie-update

i.e. the portal application determines how the portal can or cannot be used in a 3rd-party context such as an embedded iframe.

My take on it is the updated implementation by Chrome and the Microsoft KB essentially enforce 'first party' unless the application has specifically configured otherwise - which I assume portal is not doing.

I suspect a simple portal config needs to be added so portal administrator can determine portal cookie SameSite attribute, something like AllowThirdParty=true or false or perhaps even details of the SameSite attributes to use.

If portal is not already doing something with SameSite attribute I'll log a product idea.

 

Shaun

Super Contributor
Posts: 457
Registered: ‎10-12-2015

Re: Portal embedded in iframe with samesite change failure

For those using Windows Server 2012R2, the corresponding KB is KB4533011 https://support.microsoft.com/en-au/help/4533011/kb4533011 

"ASP.NET now emits a SameSite cookie header when HttpCookie.SameSite value is "None" to accommodate upcoming changes to SameSite cookie handling in Chrome. As part of this change, FormsAuth and SessionState cookies are also issued with SameSite = 'Lax' instead of the previous default of 'None', though these values can be overridden in web.config. Applications that use these cookies across sites – or with iframes – may see a loss of functionality that will require configuration updates to remedy."

And portal uses ASP.NET SessionState (and typically FormsAuth, I believe).

So applying the update to web.config mentioned in option i. above should resolve it for most, though I understand it is unavailable prior to .NET Framework 4.7.2 - https://docs.microsoft.com/en-us/aspnet/samesite/system-web-samesite.

So I'm picking that if you are on .NET prior to 4.7.2 you will need to use option ii or iii.

 

Super Contributor
Posts: 457
Registered: ‎10-12-2015

Re: Portal embedded in iframe with samesite change failure

A bit more detail for option ii. Add an IIS URL Rewrite rule.

 

Open C:\Program Files\Common Files\Hexagon\Services\Instances\YourPortalSite\web.config in notepad

Locate the <system.webServer> section and paste in the following

 

    <rewrite>
      <outboundRules>
        <clear />
        <!-- Append SameSite=None; Secure to every Set-Cookie the portal emits.
             Cookies that already carry SameSite=Lax (ASP.NET 4.7.2+ after the KB)
             end up with two SameSite attributes and browsers keep the last one;
             cookies with no SameSite attribute (older .NET) simply gain one. -->
        <rule name="Add SameSite" preCondition="Has Set-Cookie">
          <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
          <action type="Rewrite" value="{R:0}; SameSite=None; Secure" />
          <!-- Variant without Secure; Chrome 80 rejects SameSite=None cookies that are not Secure:
          <action type="Rewrite" value="{R:0}; SameSite=None" /> -->
        </rule>
        <preConditions>
          <!-- Fire whenever the response sets a cookie. A second test of
               pattern="; SameSite=" without negate="true" would restrict the rule
               to cookies that already have a SameSite attribute, so it is left out. -->
          <preCondition name="Has Set-Cookie">
            <add input="{RESPONSE_Set_Cookie}" pattern="." />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>

 

e.g. [screenshot: rewriterule-web_config.png]

 

Note: with the above setup the Geospatial Portal site will not run under http any longer; it will require https.

If you try to run the site using http, the site will continuously reload with the 'session resuming' flickering, the same behaviour observed with the embedded iframe.
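To see why the rewrite rule fixes the iframe and why the same site then fails over http, here is an added example that is not from the thread and not Hexagon's code. It models the Chrome 80 rules as web.dev describes them (no SameSite attribute means Lax; SameSite=None is only accepted together with Secure; a Secure cookie is not accepted over plain http) and applies the rule's action, appending "; SameSite=None; Secure" to the whole Set-Cookie value, to constructed headers shaped like the ASP.NET SessionState and FormsAuth cookies the thread discusses. Browsers keep the last of two SameSite attributes, which is how a cookie already marked Lax ends up as None. Chrome's temporary two-minute 'Lax+POST' allowance is not modelled, and the cookie values are made up.

```python
"""Model of the Chrome 80 SameSite rules applied to the portal's Set-Cookie
headers, before and after the IIS outbound rewrite rule.

Added example for this thread; not code from Hexagon or from the posts.
SAMPLE_SET_COOKIES are constructed to resemble ASP.NET SessionState and
FormsAuth cookies. Rules modelled (https://web.dev/samesite-cookies-explained/):
missing SameSite means Lax; SameSite=None needs Secure; Secure cookies are
not accepted over plain http. The 'Lax+POST' allowance is not modelled.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Verdict:
    name: str
    effective_samesite: str   # Lax, Strict or None after the defaults apply
    secure: bool
    rejected: bool            # browser refuses to store the cookie at all
    sent_from_iframe: bool    # attached to requests a cross-site iframe makes


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attrs). Attribute names are
    case-insensitive and a repeated attribute keeps its LAST value, which is
    how browsers read 'SameSite=Lax; ...; SameSite=None'."""
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        if piece:
            key, _, val = piece.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def evaluate(header, over_https=True):
    """Decide how Chrome 80 treats one Set-Cookie header."""
    name, _, attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    declared = attrs.get("samesite", "").lower()
    # Missing or unrecognised SameSite now defaults to Lax: sent on top-level
    # navigations to the portal, NOT on requests from a cross-site iframe.
    effective = declared.capitalize() if declared in ("lax", "strict", "none") else "Lax"
    rejected = (secure and not over_https) or (effective == "None" and not secure)
    return Verdict(name, effective, secure, rejected,
                   sent_from_iframe=(not rejected and effective == "None"))


REWRITE_SUFFIX = "; SameSite=None; Secure"


def apply_rewrite_rule(header, suffix=REWRITE_SUFFIX):
    """Mirror of the outbound rule's action: {R:0} (the whole Set-Cookie
    value) with the suffix appended, whatever the cookie already carried."""
    return header + suffix


SAMPLE_SET_COOKIES = [
    # older ASP.NET: no SameSite attribute at all (constructed)
    "ASP.NET_SessionId=7h3tfw1zq1kb4ocmqyzbmwa2; path=/; HttpOnly",
    # ASP.NET 4.7.2+ after KB4534271: SessionState now says Lax (constructed)
    "ASP.NET_SessionId=7h3tfw1zq1kb4ocmqyzbmwa2; path=/; HttpOnly; SameSite=Lax",
    # FormsAuth ticket, same treatment (constructed)
    ".ASPXAUTH=1F2A9C4D; expires=Fri, 14-Feb-2020 10:00:00 GMT; path=/; HttpOnly; SameSite=Lax",
]


def report(headers, over_https=True):
    """(name, before, after) rows; each side is
    (effective SameSite, rejected, sent_from_iframe)."""
    rows = []
    for header in headers:
        before = evaluate(header, over_https)
        after = evaluate(apply_rewrite_rule(header), over_https)
        rows.append((before.name,
                     (before.effective_samesite, before.rejected, before.sent_from_iframe),
                     (after.effective_samesite, after.rejected, after.sent_from_iframe)))
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_SET_COOKIES):
        print("https:", row)   # after the rule: None, accepted, reaches the iframe
    for row in report(SAMPLE_SET_COOKIES, over_https=False):
        print("http: ", row)   # after the rule: rejected, hence the reload loop
```

The http rows are the reload loop described above: once Secure is appended, a browser visiting over http never stores the session cookie, so every request starts a new session and the page keeps resuming.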

Regular Visitor
Posts: 1
Registered: ‎01-14-2020

Re: Portal embedded in iframe with samesite change failure

Hi Shaun,

 

I had the same problem for a couple of months and this solution worked perfectly

 

At one customer I had to install the IIS URL Rewrite extension to make it work (https://www.iis.net/downloads/microsoft/url-rewrite).

Thanks a lot