3

We are facing issue related to samesite=none cookie being ignored by chrome in incognito mode.

Details: We are trying to open an asp.net webform application inside an iframe from our another application, both the applications are on subdomains of our main domain.

In this setup, when we try to open application having iframe (app which embeds our asp.net application in iframe) in chrome's incognito window, then we see asp.net session cookie getting blocked with this error:

see error at right side below warning icon

You can see here cookie is being responded with samesite as none as is marked as secured cookie, still chrome blocks them. I have read many on this like these, but still I understand there is NO solution to this?.

  1. chrome blocking the cookies even with samesite=None
  2. ASP.NET MVC Session gets reset after using RedirectToAction within iframe

Is this correct or Is there any solution to this?

If not what would you advise us to do to handle it gracefully? Shall we find out from code if cookie got set or not and if not then show a meaningful message to user informing some/most of features will be missing/non-functional and convey to switch to Non-Incognito mode if they want full features, or it seems bad enough from usability angle?

Thanks...

LearningNeverEnds
  • 374
  • 1
  • 3
  • 22
  • Have you [enabled third party cookies](https://support.cloudhq.net/how-to-enable-3rd-party-cookies-in-google-chrome-browser/)? – John Wu Mar 22 '21 at 17:56
  • @JohnWu - Thank you. While we know enabling them will allow us to be able to set samesite=none cookies in chrome incognito, but as we can't ask all our customers to do same, hence was looking for any direction/solution/workaround which we can do from our application side, without needing any change in browser setting from customer's end. Any idea on such if possible in anyways? – LearningNeverEnds Mar 23 '21 at 03:28
  • 1
    as a follow up on my question, this is what we finally did. Concluded there is no way to do what we wanted to with login happening from with in iframe window, so changed approach and switched from opening login in iframe to opening in new browser tab and then relying on "postMessage" to communicate back to parent to inform login was done and give back needed info for parent to set cookie for. – LearningNeverEnds Oct 01 '21 at 10:58

0 Answers0