

SameSite cookie attribute impacts embedded Logi applications

Joe Viscome
United States

 Logi Team
10 Jan 2020 04:11 PM
   
This thread has been resolved and is closed.
All Versions   .NET app   1,771 views   


With recent Windows updates, Microsoft has begun rolling out a change to the default SameSite cookie behavior under IIS. With this change, when the SameSite attribute has not been set, the attribute will be passed as ‘Lax’, instead of the previous default of ‘None’.

The SameSite cookie attribute clarifies access rights for your application and its underlying cookies. More information regarding this attribute and cookies in general can be found in the following article: https://web.dev/samesite-cookies-explained/

This attribute can cause an issue if a Logi Info, Logi SSM, or Logi Ad Hoc application is embedded in other web applications using an iframe, including the EmbeddedAPI, and the Logi application URL is from a different domain than the parent application. Depending on how the SameSite cookie attribute is set under the Logi web application, and how the web browser enforces policies for the SameSite cookie attribute, cookies may not persist in the browser for the Logi web application. Most notably, this can prevent the Session cookie, ASP.NET_SessionId in a .NET application, from being retained in the browser, causing a loss of session state, including authentication in the embedded application. If the Logi application is using SecureKey, then any request to the server may result in the following error: “Unable to authenticate the user. Missing rdSecureKey parameter.” If you are not using SecureKey authentication, your error message(s) may be different.

For current browser and server behavior regarding the SameSite cookie attribute, setting the Logi application cookies with SameSite="None" should revert to previous behavior. This change can be made in the web.config of the Logi Info application.

To set the SameSite attribute for the Session cookie, add the attribute cookieSameSite="None" on the sessionState element inside <system.web></system.web>. If you are not currently using a sessionState element, we would recommend using a commented-out version in the web.config file like the one below. The other attributes in the sessionState element should be configured for your deployment scenario.

<sessionState mode="InProc" cookieless="false" cookieSameSite="None" />

For all other cookies, add the attribute sameSite="None" on the httpCookies element. The Logi web.config may already have this element; if it does not, it can be added immediately after the sessionState element, inside <system.web></system.web>.

<httpCookies sameSite="None" httpOnlyCookies="true" />

If you experience these symptoms in your embedded application and changes to the web.config do not resolve the issue, please reach out to Logi Support via the Support Portal so we may assist in further diagnosing the issue.
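One way to confirm what the server actually emits after the web.config change, as an added example that is not part of the original post or Logi's own code: it classifies Set-Cookie headers by whether the cookie would be sent back from a cross-site iframe. It assumes a browser that enforces the policy described in the linked web.dev article (a missing attribute is treated as Lax, and SameSite=None is only accepted together with Secure); every sample header and every cookie name other than ASP.NET_SessionId is constructed.

```python
# Added example, not Logi code. Sample headers are constructed for illustration.

def parse_set_cookie(header):
    """Return (name, attrs); attrs maps lowercased attribute names to values."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs

def cross_site_verdict(header):
    """Classify one Set-Cookie header for use inside a cross-site iframe."""
    name, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    if samesite == "none":
        if "secure" in attrs:
            return name, "ok"
        # Assumed browser policy: SameSite=None must be paired with Secure.
        return name, "rejected: SameSite=None without Secure"
    if samesite in ("lax", "strict"):
        return name, "withheld: SameSite=" + samesite.capitalize()
    return name, "withheld: no SameSite attribute, treated as Lax"

def audit(headers):
    """Return {cookie name: reason} for cookies unusable in a cross-site iframe."""
    findings = {}
    for header in headers:
        name, verdict = cross_site_verdict(header)
        if verdict != "ok":
            findings[name] = verdict
    return findings

# Constructed Set-Cookie values; only ASP.NET_SessionId is a name from the post.
SAMPLE_HEADERS = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly; SameSite=Lax",
    "example_pref=1; path=/; SameSite=None",
    "example_ok=1; path=/; secure; HttpOnly; SameSite=None",
    "example_legacy=1; path=/",
]

if __name__ == "__main__":
    for cookie, reason in audit(SAMPLE_HEADERS).items():
        print(f"{cookie}: {reason}")
```

A session cookie that still shows up in the findings after the change points at either the web.config edit not taking effect or the application not being served over HTTPS.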
