ASP.NET Authentication not working for newer ELB environments.


Hello, we have been experiencing a problem with an Android application of ours that works as a client for an ELB ASP.NET application. Our application uses ASP.NET authentication (sessions are stored in SQL Server, "ASPStateTempSessions" table) and works as expected when using any regular browser (Chrome, Firefox): one cookie session becomes a single table record.

In our Android app, instead, we get an "expired session" error every time. We have noticed that a single login attempt results in around ten table records in SQL Server; our guess is that cookies are somehow being rejected and a new ASP.NET_SessionId cookie is generated each time (the ids in the database show that this is so). The login process is fairly simple: Android sends a couple of HTTP/Ajax requests to the ASP.NET application, which in turn authenticates against a database and returns an ASP.NET session.

Now the thing is that this was working perfectly, and still is for older ELB environments. Each time we clone an old environment we can't get authentication to work. We've noticed that, although the new environment was cloned, the Windows versions differ:
- old working environment, created 6 months ago: EC2 Windows Server 2016, build 14393.3204
- new non-working cloned environment, created 2 months ago: EC2 Windows Server 2016, build 14393.3504
- note: the Windows Updates installed in each environment are also different

We believe it could be a problem with cookies and Windows patches, as seen here

We have tried everything we could think of: we set/unset the 'SameSite' attribute, tweaked the Load Balancer's parameters, used HTTP instead of HTTPS, recompiled our Android app, but the login procedure does not work in the new environment; when we switch to the old one, it works like a charm.

We will investigate whether there is an upgrade to the Cordova tools, but still, what could make the new ELB environment fail, especially considering that the old one works fine?

Asked 4 years ago, 486 views

Hello, we found the answer ourselves, luckily. It seems that Elastic Beanstalk/IIS is setting the "SameSite=Lax" attribute automatically for all session cookies. So it seems that "ASP.NET_SessionId" has this new attribute and WebView-Cordova cannot handle it. Older EBS/IIS versions do not behave this way.

The solution was to disable the SameSite attribute in the "void Session_Start(object sender, EventArgs e)" handler when Android is being used, as seen here:

Hope this helps someone else.

Answered 4 years ago
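The approach described in the answer above, written out as an added example (this is not the poster's code, whose link is missing from the page). It assumes a .NET Framework 4.7.2+ application where the November 2019 SameSite servicing update is installed, so `SameSiteMode.None` writes `SameSite=None` and the documented value `(SameSiteMode)(-1)` suppresses the attribute; the `IsAndroidWebView` check, the `MyWebApp` namespace and the User-Agent substrings it matches are assumptions to adapt to whatever the Cordova client actually sends.

```csharp
// Global.asax.cs (added example; assumed namespace and client detection)
using System;
using System.Linq;
using System.Web;

namespace MyWebApp
{
    public class Global : HttpApplication
    {
        private const string SessionCookieName = "ASP.NET_SessionId";

        // Assumption: the Cordova client is identified by its User-Agent.
        // Android WebView UAs normally contain "Android" and "wv)"; a custom
        // request header set by the app would be a more reliable signal.
        private static bool IsAndroidWebView(HttpRequest request)
        {
            var ua = request.UserAgent ?? string.Empty;
            return ua.IndexOf("Android", StringComparison.OrdinalIgnoreCase) >= 0
                && ua.IndexOf("wv)", StringComparison.OrdinalIgnoreCase) >= 0;
        }

        protected void Session_Start(object sender, EventArgs e)
        {
            // By the time Session_Start fires, the session-state module has
            // already added the freshly issued ASP.NET_SessionId cookie to the
            // response, so it can be modified here before headers are sent.
            // Guard with AllKeys: the Response.Cookies indexer creates a cookie
            // when the name is absent, which is not what we want.
            if (!Response.Cookies.AllKeys.Contains(SessionCookieName))
                return;

            if (!IsAndroidWebView(Request))
                return; // browsers keep the platform default (SameSite=Lax)

            var cookie = Response.Cookies[SessionCookieName];

            // Assumption: runtime with the Nov 2019 update, where -1 means
            // "do not emit a SameSite attribute at all". On that runtime
            // SameSiteMode.None would instead emit SameSite=None, which most
            // browsers only accept together with the Secure flag.
            cookie.SameSite = (SameSiteMode)(-1);
            cookie.HttpOnly = true;
        }
    }
}
```

Dropping SameSite for the WebView removes the CSRF protection that Lax gives the session cookie for those clients, so keep the check as narrow as possible and make sure the Ajax endpoints the app calls still carry an anti-forgery token. If the client is later updated to a WebView that handles the attribute, the same handler can set `SameSiteMode.None` with `cookie.Secure = true` over HTTPS instead of suppressing the attribute; without the Secure flag a `SameSite=None` cookie is rejected by current Chromium builds.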
