Question
Occasionally on submitting a payment form in an iframe, the postback from the payment gateway results in the user being logged out as the request is missing the ASP.NET_SessionId cookie (we are using state-server). It's not the app pool recycling causing the issue as I have checked those logs. It also only happens in the production environment. I can see the session cookie exists just before the form is submitted so I can't figure out where it is losing it.
Answer 1:
You need to check that you are not affected by KB4524420, which has recently been rolled out:
ASP.NET will now emit a SameSite cookie header when HttpCookie.SameSite value is "None" to accommodate upcoming changes to SameSite cookie handling in Chrome. As part of this change, FormsAuth and SessionState cookies will also be issued with SameSite = 'Lax' instead of the previous default of 'None', though these values can be overridden in web.config.
You have to set cookieSameSite="None" in the sessionState tag to avoid this issue.
<sessionState cookieSameSite="None" cookieless="false" timeout="360">
</sessionState>
However, this will break Safari in certain cases (iOS prior to v13 and Safari on macOS), so you might want to consider adding two cookies: one with SameSite=None and one without specifying any value for SameSite. This is due to a bug in Safari which makes SameSite=None become SameSite=Strict.
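The two-cookie fallback mentioned in the answer, shown at the HTTP header level as an added example; it is not part of the original answer and does not hook into ASP.NET's own session cookie handling. The cookie name `sid`, the `-legacy` suffix and the `DualSameSiteCookie` class are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;

static class DualSameSiteCookie
{
    // Assumption: suffix chosen for this example; any distinct name works.
    const string LegacySuffix = "-legacy";
    // Both cookies carry the same value, so both get the same protections.
    // Chrome also rejects SameSite=None cookies that are not marked Secure.
    const string Common = "; Path=/; Secure; HttpOnly";

    // Set-Cookie header values for one logical cookie.
    public static string[] BuildSetCookie(string name, string value)
    {
        return new[]
        {
            // Sent on cross-site requests (the gateway postback in the iframe)
            // by browsers that implement SameSite=None.
            name + "=" + value + Common + "; SameSite=None",
            // No SameSite attribute: for clients that treat None as Strict.
            name + LegacySuffix + "=" + value + Common
        };
    }

    // Returns the logical value from a request Cookie header, preferring the
    // SameSite=None cookie and falling back to the legacy one; null if absent.
    public static string Read(string cookieHeader, string name)
    {
        var jar = new Dictionary<string, string>(StringComparer.Ordinal);
        foreach (string part in (cookieHeader ?? "").Split(';'))
        {
            int eq = part.IndexOf('=');
            if (eq < 0) continue;
            string key = part.Substring(0, eq).Trim();
            if (key.Length > 0) jar[key] = part.Substring(eq + 1).Trim();
        }
        string v;
        if (jar.TryGetValue(name, out v)) return v;
        return jar.TryGetValue(name + LegacySuffix, out v) ? v : null;
    }

    static void Main()
    {
        foreach (string h in BuildSetCookie("sid", "abc123"))  // constructed value
            Console.WriteLine("Set-Cookie: " + h);
        // Constructed Cookie headers as they might arrive on the cross-site postback:
        Console.WriteLine(Read("sid=abc123", "sid"));                  // primary cookie returned
        Console.WriteLine(Read("other=1; sid-legacy=abc123", "sid"));  // only the fallback returned
        Console.WriteLine(Read("other=1", "sid") ?? "(no session)");   // neither cookie returned
    }
}
```

Both cookies are equivalent to the session credential, so expire and rotate them together.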
Source: https://stackoverflow.com/questions/59757175/iframe-occasionally-loses-session-cookies