ASP Net Session changes while validation



Gowtham
Hi Team,

We have already authenticated the user with InitiateSSO() using the username and password. Suppose the ASP.NET session ID is now "something", and we are trying to validate the user once again. At this point, our expectation is that the session ID should not change even after entering the username and password, as the user is already logged in and this is just for validation purposes. But a new session ID, say "somethingnew", is created in Session_Start().

Is there any way to prevent the ASP.NET session ID from changing, as the user has already logged in and is just trying to validate once again?
ComponentSpace Development
This may be related to the Chrome SameSite=None changes. By default, the ASP.NET session cookie won't be included when the SAML response is sent to the service provider.

Please take a look at the following forum post.

https://www.componentspace.com/Forums/10511/SAML-Cookie-SameSite-Mode-None

If everything is working except the ASP.NET session ID changes as part of SSO, I suspect this is the issue.

The section "What to do if using SAML Library releases from v2.5.0 but earlier than v3.0.0" describes how to configure web.config so the ASP.NET_SessionId cookie has the correct settings. This is true regardless of what version of the SAML library you're using. Just be aware of the incompatibility issues with some older browsers.

Regards
ComponentSpace Development
Gowtham
ComponentSpace - 3/24/2020
This may be related to the Chrome SameSite=None changes. By default, the ASP.NET session cookie won't be included when the SAML response is sent to the service provider.

Please take a look at the following forum post.

https://www.componentspace.com/Forums/10511/SAML-Cookie-SameSite-Mode-None

If everything is working except the ASP.NET session ID changes as part of SSO, I suspect this is the issue.

The section "What to do if using SAML Library releases from v2.5.0 but earlier than v3.0.0" describes how to configure web.config so the ASP.NET_SessionId cookie has the correct settings. This is true regardless of what version of the SAML library you're using. Just be aware of the incompatibility issues with some older browsers.

Hi, thanks for the immediate response.

You have given a solution for Chrome browser, but this issue is tested and occurs in Chrome, Firefox and IE11.
Please let me know how to proceed.

Regards,
Gowtham C
ComponentSpace Development
Using the developer tools for Firefox or IE, capture the network traffic.

Take a look at the ASP.NET_SessionId cookie to see when it's set and when it's included in the HTTP request by the browser.

If this cookie is not included with the HTTP Post of the SAML response to your assertion consumer service endpoint, this is most likely the issue and you should try the settings suggested.

If this cookie is included with the HTTP Post, it must be a different issue.

Regards
ComponentSpace Development
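
The check described in the reply above can be run over a HAR capture. This is an added example, not ComponentSpace code: it reports whether ASP.NET_SessionId accompanied the HTTP POST that carries the SAMLResponse, and which SameSite and Secure attributes the cookie was issued with. The sp.example URLs and the sample capture are constructed, and the script assumes the HAR lists form fields under postData.params.

```python
COOKIE = "ASP.NET_SessionId"

def header_values(msg, name):
    return [h["value"] for h in msg.get("headers", []) if h["name"].lower() == name]

def sent_cookie(request, cookie=COOKIE):
    """Value of `cookie` in the Cookie request header, or None if the browser withheld it."""
    pairs = [p.strip().partition("=")
             for line in header_values(request, "cookie") for p in line.split(";")]
    return next((v for k, _, v in pairs if k == cookie), None)

def issued_cookie(response, cookie=COOKIE):
    """(value, attributes) from the matching Set-Cookie header, or None."""
    for line in header_values(response, "set-cookie"):
        first, *rest = [part.strip() for part in line.split(";")]
        key, _, value = first.partition("=")
        if key == cookie:
            return value, {a.partition("=")[0].lower(): a.partition("=")[2] for a in rest}
    return None

def audit(har, cookie=COOKIE):
    """One finding per SAMLResponse form POST and per Set-Cookie of `cookie`, in capture order."""
    findings = []
    for e in har["log"]["entries"]:
        req, resp = e["request"], e["response"]
        params = req.get("postData", {}).get("params", [])
        if req["method"] == "POST" and any(p["name"] == "SAMLResponse" for p in params):
            findings.append(("saml-post", req["url"], sent_cookie(req, cookie)))
        issued = issued_cookie(resp, cookie)
        if issued:
            value, attrs = issued
            findings.append(("set-cookie", req["url"], value, attrs.get("samesite"), "secure" in attrs))
    return findings

def har_entry(method, url, req_headers=(), resp_headers=(), params=()):
    """Build a minimal HAR entry (constructed sample data, not a real capture)."""
    pairs = lambda hs: [{"name": n, "value": v} for n, v in hs]
    return {"request": {"method": method, "url": url, "headers": pairs(req_headers),
                        "postData": {"params": pairs(params)}},
            "response": {"headers": pairs(resp_headers)}}

# Constructed capture: cookie issued without SameSite=None, so it is missing from the SAML POST.
SAMPLE_HAR = {"log": {"entries": [
    har_entry("GET", "https://sp.example/login", resp_headers=[
        ("Set-Cookie", "ASP.NET_SessionId=aaa111; path=/; HttpOnly; SameSite=Lax")]),
    har_entry("POST", "https://sp.example/SAML/AssertionConsumerService",
              params=[("SAMLResponse", "constructed-placeholder")], resp_headers=[
        ("Set-Cookie", "ASP.NET_SessionId=bbb222; path=/; HttpOnly; SameSite=Lax")]),
]}}
```

A "saml-post" finding whose last field is None, followed by a "set-cookie" finding with a new value, is the pattern reported in this thread: the session cookie was withheld on the cross-site POST and a new session was started.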
Gowtham
ComponentSpace - 3/25/2020
Using the developer tools for Firefox or IE, capture the network traffic.

Take a look at the ASP.NET_SessionId cookie to see when it's set and when it's included in the HTTP request by the browser.

If this cookie is not included with the HTTP Post of the SAML response to your assertion consumer service endpoint, this is most likely the issue and you should try the settings suggested.

If this cookie is included with the HTTP Post, it must be a different issue.

Hi team,

I took a look at the Fiddler logs captured and noticed that there is no ASP.NET session ID cookie included in the SAML response to the assertion consumer URL. So, may I know what I should do to make it work? Can I use this https://www.componentspace.com/Forums/10511/SAML-Cookie-SameSite-Mode-None so that it will also handle IE and Firefox?

Regards,
Gowtham C
ComponentSpace Development
That's my suggestion.

Regards
ComponentSpace Development
Gowtham
ComponentSpace - 3/25/2020
That's my suggestion.

Hi,

Thanks for the solution. This works as expected. I could see the same cookie now in the response. But one thing is, I could not see anything like this after the changes were done.
set-cookie: ASP.NET_SessionId=2s2wesefh0cohv0ugctun4hl; path=/; secure; HttpOnly; SameSite=None
But I could see the same cookie in the response. Is this fine?
Also, the issue still occurs with IE11, as the SameSite attribute is not supported. Can you please let me know how to make this work in IE11?

ComponentSpace Development
Did you see a set-cookie header for the ASP.NET_SessionId cookie? If so, what did you see?

This should work with IE11. Please use the IE11 browser developer tools and capture the network traffic to a HAR file. Send the HAR file as an email attachment to [email protected], mentioning your forum post, and we'll take a look. 

Regards
ComponentSpace Development
Gowtham
ComponentSpace - 3/25/2020
Did you see a set-cookie header for the ASP.NET_SessionId cookie? If so, what did you see?

This should work with IE11. Please use the IE11 browser developer tools and capture the network traffic to a HAR file. Send the HAR file as an email attachment to [email protected], mentioning your forum post, and we'll take a look. 

Hi,

I could not see a set-cookie header, but I could see AspNetSessionId added in the response cookie.
And this fix works with IE11 too. Thanks for the assistance.

Regards,
Gowtham C
ComponentSpace Development
You're welcome. Thanks for the update.

Regards
ComponentSpace Development