3,600 questions
Instead of cookies you should use bearer tokens, typically jwt tokens. This is easier with a SPA like app, but you could use session storage to do a MPA.
How to embed asp.net mvc app into CORS website - we used IFRAME before
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 1%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
camos.ms
21
Reputation points
Hi together,
We are working on an asp.net mvc (.net framework version 4.8) application that serves a HTML frontend for our companies' backend process. The application start uses the POST-REDIRECT-GET pattern. Later on, XMLHttpRequest exchanging Json data in both directions.
Today the app either occupies the browsers whole window or is embedded into an IFRAME. When running in IFRAME, the domains are in no relation so CORS comes into play.
Starting with Safari 13, the IFRAME solution stopped working on apple devices. Reason for that is that Safari 13 (ff) blocks CORS cookies in IFRAME and the SessionID is not transmitted back: the IFRAME sends the initial startup request, the asp.net answers the starting page and a "Set-Cookie: SessionID=xyz" HTTP header. But later, safari will not reply this SessionID with succeeding HTTP requests and so the mvc app is not working.
On the other hand, some of our customers complained before, that the IFRAME technology is outdated and we need to change to modern technology. Therefore, we want to change to maybe WebComponent and ShadowDOM.
However, in this scenario, I got exactly the same problem. The outer page runs in domain 'a.org' and executes a <custom-frontend> HTML instruction. This attaches a shadow DOM and connects to the asp.net running in domain 'b.com' server via XMLHttpRequest. To my knowledge, the only way to communicate with the asp.net is XMLHttpRequest (or the fetch API - which, to my knowledge, has no conceptional benefit).
I found no way to enforce the browser to extract the SessionID cookie from the initial request and use it in later XMLHttpRequest requests.
In addition, this problem is significant for other cookies too. Our application is used to run in HA load balanced environments: OSI level 7 load balancer are adding cookies too. I think they will not operate either.
Do you have any solution or hint, which direction I should investigate into?
Any help is highly appreciated.
Thank you in advance.
Developer technologies | ASP.NET | Other
{count} votes
-
AgaveJoe 30,126 Reputation points2021-07-26T12:09:20.343+00:00 The standard solution is Web API to handle business logic and data access and MVC to handle the UI. Your customers have the option to use your hosted MVC application or write their own UI while using your Web API services.
I found no way to enforce the browser to extract the SessionID cookie from the initial request and use it in later XMLHttpRequest requests.
Session cookie have never been available to JavaScript. What exactly are you trying to do? Is there any way you can share a code sample that illustrates the issue(s)?
In addition, this problem is significant for other cookies too. Our application is used to run in HA load balanced environments: OSI level 7 load balancer are adding cookies too. I think they will not operate either.
Browsers send cookies in the HTTP request header to the same domain that created the cookie. Cookies work with load balancers because the cookie is part of the HTTP message. ASP.NET in-proc Session data, on the other hand, is stored in a web server's memory and does not work well with load balancers. The standard solution is to configure the load balancers for sticky session so the requests goes to the web server that contains the session data. Another option is storing Session in a central location like a SQL server or distributed cache.
It seems to me that all you have to do is create a standard distributed web application.
Sign in to comment
Accepted answer
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 61%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
Bruce (SqlWork.com) 77,766 Reputation points Volunteer Moderator2021-07-26T14:57:48.973+00:00 -
camos.ms 21 Reputation points
2021-07-26T16:15:02.097+00:00 @Bruce (SqlWork.com) Thank you for you answer.
I think it's time to switch to .net core and handle the session the bearer token way - as you suggested. Can you please tell me: what is good and safe practice to do so? The bearer token is transfered inside HTTP header, right? What's the suggested way to deal with the token in JavaScript? Using the Fetch API, reading the bearer header, keeping in JS variable and sending back to the server with each Fetch? Is this the right way? Thank you again.
-
Bruce (SqlWork.com) 77,766 Reputation points Volunteer Moderator
2021-07-26T17:21:14.327+00:00 The key decision is how the client will login to get the token. You can supply a webapi that is passed a user and password, and returns token, or you can use an oauth library.
Sign in to comment -
1 additional answer
Sort by: Most helpful
-
Bruce (SqlWork.com) 77,766 Reputation points Volunteer Moderator
2021-07-27T15:51:35.02+00:00 it depends on needs. There are oauth/jwt client libraries for javascript. It is common to store the refresh token in local storage. you can use fetch, jquery or axios to pass the bearer token, its just a header.
how do users authenticate now? is it a login page? are you going to switch to a SPA type app? These answer will determine how the client script get the token, and how it needs to be stored locally.