By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

ASP.NET Authentication not working for newer ELB environments.

0

Hello, we have been experiencing a problem with an Android application of ours that works as a client for an ELB ASP.NET application. Our application uses ASP.NET authentication (sessions are stored in SQL Server, "ASPStateTempSessions" table) and works as expected when using any regular browser (Chrome, Firefox): one cookie session becomes a single table record.

In our Android app instead, we get an "expired session" error every time. We have noticed that one single login attempt results in around ten table records at SQL Server, our guess is that cookies are somehow being rejected and a new ASP.NET_SessionId cookie is generated each time (the id's at the database shows it's so). The login process is fairly simple: Android sends a couple of HTTP/Ajax requests to the ASP.NET application, which in turns authenticates against a database and returns an ASP.NET session.

Now the thing is that this was working perfectly, and still is for older ELB environments. Each time we clone an old environment we can't get authentication to work. We've notice that, despite the new environment was cloned, Windows versions differ:
old working environment, created 6 months ago, EC2 windows server 2016 version is build 14393.3204
new non-working cloned environment, created 2 months ago, EC2 windows server 2016 version is build 14393.3504
note: the Windows Updates installed for each environment are also different

We believe it could a problem with cookies and Windows patches as seen here
https://stackoverflow.com/questions/59427488/patch-iis-kb4533011-december-2019-aws-elb-sticky-problem

We have tried everything we could think of, we set/unset the 'SameSite' attribute, tweaked Load Balancer's parameters, used HTTP instead of HTTPS, recompiled our Android app, but the login procedure does not work in the new environment, when we switch to the old one, works as a charm.

We will investigate if there's some upgrade to the Cordova tools, but still, what could make the new ELB environment fail, especially considering the old one works fine?

Topics
Networking & Content Delivery
Tags
Elastic Load Balancing
Language
English
SoporteAddentra
asked 4 years ago433 views
1 Answer
0

Hello, we found the answer ourselves, luckily. It seems that ElasticBeansTalk/IIS is setting the "SameSecure=Lax" attribute automatically for all session cookies. So it seems that "ASP.NET_SessionId" has this new attribute and WebView-Cordova cannot handle it. Older EBS/IIS versions do not behave this way.

The solution was to disable the samesite attribute at the "void Session_Start(object sender, EventArgs e)" procedure when Android is being used, as seen here:

https://techcommunity.microsoft.com/t5/iis-support-blog/samesite-in-code-for-your-asp-net-applications/ba-p/1156361

Hope this helps someone else.

SoporteAddentra
answered 4 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content