在 ASP.NET MVC 中重定向到第 3 方 URL 后如何维护会话？

Question

Before the actual redirection to 3rd party url we are basically storing the user's session id, userid etc in Session so while we return back to our return url for posting data of payment gateway then we will need to update the status by retrieving the user's session, here at this point our session gets cleared/null. This is happening in Chrome for version above 84. Because I am able to maintain users session after redirection also in Firefox browser. I also want to do the same irrespective of chrome versions. How do I maintain session of each user after redirection?

Notes:

1. I have tried dictionary by declaring it globally and filling values in it before redirect. But that also get error that key not found after post bck to return url.
2. I have tried session by storing user's info against the txnid that I send to 3rd party url and it sends us back to return url and that gets null.
3. Cannot store session for each user in database as it will created prob and have load to db.

Any other options to try. Please help. I am using ASP.NET MVC.

Answer 1

You need to set a SameSite cookie policy .

Chrome enforces the new SameSite cookie rules more stringently than Firefox, but Firefox will soon behave the same as Chrome .

The exact SameSite option you should use depends on the type of redirection:

• If the redirection is a HTTP 3xx redirection using GET or POST and all requests are over HTTPS then you can use SameSite=None .
• If the "redirection" is initiated by a client-side <meta> element or JavaScript using window.location = 'newUrl' then you can use SameSite=None .
• If the redirection is a HTTP 3xx redirection using GET and not all requests are over HTTPS then you can use SameSite=Lax .
• If the redirection is a HTTP 3xx redirection using POST and not all requests are over HTTPS then there is no quick-fix: you will need to use HTTPS for all requests.

The SameSite option was added to ASP.NET WebForms and ASP.NET MVC in .NET Framework 4.7.2, though you should be using .NET Framework 4.8. If you cannot update your project to .NET Framework 4.7.2 or later then you can use a trick with IIS' <rewrite> rules to modify response Set-Cookie requests .

---

You can configure defaults for SameSite in your web.config file , but you'll need to update a couple of different locations:

• Specify <system.web><httpCookies sameSite="Strict|Lax|None|Unspecified" /> for when you use HttpCookie directly.
• Specify <system.web><sessionState cookieSameSite="Strict|Lax|None" /> for ASP.NET's own Session cookie ( this is the OP's problem ).
  • Note that you cannot specify Unspecified for <sessionState> - but you should never use Unspecified so that shouldn't be an issue ( Unspecified is only needed if you need to support iOS 12 because Apple Safari did not recognize SameSite=None at the time, but no-one should be using iOS 12 today).