Browser won't set ASP.NET_SessionId cookie on payment gateway's post request to our site

忘了有多久 2020-12-15 22:14

We're experiencing a weird problem with the payment process of our web application which results in loss of session data.

In this process, after our check-out page

3 answers
  •  独厮守ぢ
    2020-12-15 22:36

    We figured it out.

    Somehow the "ASP.NET_SessionId" cookie's "SameSite" attribute defaults to "Lax", and this causes the session cookie not to be added to the request that is made by the payment gateway's JavaScript code.

    We added the following rule to the web.config file in order to override this value and set it to "None".

    UPDATE 1: Just adding the above configuration solved the problem for modern browsers, but we realized that we were still having issues with older versions of Microsoft Edge and Internet Explorer.

    So we needed to add the cookieSameSite="None" attribute to the sessionState node in the web.config file.

    Be careful with this configuration change though, as older .NET Framework versions do not support it and will cause your site to display an error page.

    By the way, we're still having issues with browsers on iOS 12. But I think it's related to this confirmed bug

    UPDATE 2: See zemien's answer for a possible fix for the iOS issue.

    UPDATE 3: By combining our findings with the suggestions in zemien's answer, we've come up with the following rewrite rules. We've been using this configuration in production. But beware: it marks all the cookies with the "SameSite:None" attribute for compatible browsers and excludes the SameSite attribute, if it exists, for incompatible browsers. It may seem complicated, but I tried to explain via comment lines.

    This is the FINAL configuration we use in production:

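The behaviour UPDATE 3 describes (SameSite=None for compatible browsers, no SameSite attribute at all for incompatible ones), modelled as an added Python example; it is not the poster's web.config rules. The User-Agent patterns, function names and sample values are constructed assumptions, and the site is assumed to be served over HTTPS, since current browsers only accept SameSite=None together with Secure.

```python
import re

# Constructed, simplified User-Agent patterns (assumption): iOS 12 browsers,
# as mentioned in the answer, plus Safari on macOS 10.14, which shares the bug.
INCOMPATIBLE_UA = [
    re.compile(r"\((?:iPhone|iPad|iPod)[^)]*OS 12[_ ]"),
    re.compile(r"\(Macintosh;[^)]*Mac OS X 10_14[_\d]*\)(?!.*Chrome/)"
               r".*Version/[\d.]+ Safari/"),
]
SAMESITE_ATTR = re.compile(r";\s*SameSite\s*=\s*[^;]*", re.IGNORECASE)
SECURE_ATTR = re.compile(r";\s*Secure\s*(?=;|$)", re.IGNORECASE)

# Constructed sample inputs.
IOS12_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) "
            "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 "
            "Mobile/15E148 Safari/604.1")
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36")
SESSION_COOKIE = "ASP.NET_SessionId=abc123; path=/; HttpOnly; SameSite=Lax"


def allows_samesite_none(user_agent: str) -> bool:
    """True unless the User-Agent matches a known-incompatible client."""
    return not any(p.search(user_agent or "") for p in INCOMPATIBLE_UA)


def rewrite_set_cookie(header_value: str, user_agent: str) -> str:
    """Return the Set-Cookie value adjusted for the requesting browser."""
    # Drop whatever SameSite value the framework emitted (e.g. the Lax default).
    stripped = SAMESITE_ATTR.sub("", header_value).rstrip("; ")
    if not allows_samesite_none(user_agent):
        # Incompatible clients mishandle SameSite=None: send no attribute.
        return stripped
    if not SECURE_ATTR.search(stripped):
        # SameSite=None is rejected by current browsers without Secure.
        stripped += "; Secure"
    return stripped + "; SameSite=None"


if __name__ == "__main__":
    for name, ua in (("Chrome 87", CHROME_UA), ("iOS 12 Safari", IOS12_UA)):
        print(f"{name}: Set-Cookie: {rewrite_set_cookie(SESSION_COOKIE, ua)}")
```

Because this relaxes the cross-site restriction, scoping the rewrite to the cookies the gateway callback actually needs keeps the rest of the site's cookies on their stricter default.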