IE or Edge print dialog box sends request to server without session (because of SameSite=Lax on session cookie)

江枫思渺然 submitted on 2020-02-25 07:17:29

Question


I have an ASP.NET site where users can log in, and members can get a report or print a page with Ctrl+P.

Recently, when my members open my site in IE and try to print, they are logged out!

Why? Because the IE print dialog sends some requests to the server without the session cookie, so StateServer releases a new session for this client and then the user is logged out.

Why does the print dialog send requests? I don't know, but I guess the IE print dialog tries to render the page and get it ready for printing.

Why doesn't the print dialog send the current session cookie? Because a new update of .NET sets SameSite=Lax for the session cookie, so requests from the print dialog can't send the current session cookie. https://support.microsoft.com/en-us/help/4524419/kb4524419

How can I prevent the IE print dialog from sending requests? Or how can I force the IE print dialog to send the same session cookie?

Any idea?

Edited: I created a sample project to show this problem. You can download my project and host it on IIS, then open Default.Aspx and try to print that page in IE (or Edge). You'll see my problem. https://easyupload.io/w6vvpy


Answer 1:


I confirm the issue. For now, as a workaround, the problem disappears once the SameSite attribute gets removed. This is not an optimal solution, but it seems to work for now.

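    // Requires: using System.Linq; using System.Web; using System.Web.Security;
    var cookies = this.Response.Cookies;
    // Issue the forms-authentication cookie as usual.
    FormsAuthentication.SetAuthCookie( "JohnDoe", rememberMe );
    // Snapshot every cookie queued on the response...
    var allCookies = cookies.AllKeys.Select( key => cookies[key] ).ToList();
    // ...and set SameSite to -1 (unspecified) so no SameSite attribute is emitted.
    allCookies.ForEach( cookie => cookie.SameSite = (SameSiteMode)(-1) );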

In ASP.NET Core 3.0 and later the SameSite defaults were changed to avoid conflicting with inconsistent client defaults. The following APIs have changed the default from SameSiteMode.Lax to -1 to avoid emitting a SameSite attribute for these cookies

https://docs.microsoft.com/en-us/aspnet/core/security/samesite

What we did was create an HttpModule which looks for cookies in the response and modifies them accordingly.




Answer 2:


I have reproduced the problem. It seems that when we print the page, it calls the DownloadHandler to load the image. At this time, since the session is null, the image will not display.

To solve this issue, I suggest you try to transfer the login status to DownloadHandler using the query string, instead of using the session state.

Please try to modify your code as below:

Default.aspx

    <img src="" runat="server" id="image" />

Default.aspx.cs

    protected void Page_Load(object sender, EventArgs e)
    {
        // Check whether the user is logged in or not.
        if (Session["LoginOK"] != null)
        {
            this.Title = "SessionID: " + Session.SessionID;
            // Set the image control's source according to the session value.
            image.Src = "./DownloadHandler.ashx?LoginOK=" + Session["LoginOK"].ToString();
        }
        else
        {
            // Redirect to the login page;
            // after that, set the session value.
            Session["LoginOK"] = true;
            image.Src = "./DownloadHandler.ashx?LoginOK=true";
        }
    }

DownloadHandler:

        bool.TryParse(context.Request.QueryString["LoginOK"]?.ToString(), out bool hasAccess);

        if (!hasAccess)
        {
            context.Response.Redirect("./Error.aspx");
            return;
        }

Using the above code, when you click the print option, it also sends a request to DownloadHandler, but we can load the image according to the query string. After printing the web page, we can still use Session["LoginOK"] in the main page (Default) (if the session has not expired).
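
Because the print request arrives without the session cookie, the handler above decides access from a query-string value that the client supplies. As an added example (not part of the original answer), the sketch below carries a short-lived token protected by MachineKey in place of the LoginOK=true flag; the class name DownloadToken, the purpose string and the "t" parameter are hypothetical, and it assumes every server handling the request shares the same machineKey.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;

// Added example; DownloadToken, Purpose and the "t" parameter are hypothetical names.
public static class DownloadToken
{
    // The purpose string keeps these tokens separate from other MachineKey uses.
    private const string Purpose = "DownloadHandler.v1";

    // Page_Load, once the session is known to be logged in:
    //   image.Src = "./DownloadHandler.ashx?t="
    //       + DownloadToken.Issue(User.Identity.Name, TimeSpan.FromMinutes(2));
    public static string Issue(string userName, TimeSpan lifetime)
    {
        long expires = DateTime.UtcNow.Add(lifetime).Ticks;
        byte[] payload = Encoding.UTF8.GetBytes(expires + "|" + userName);
        // Protect() applies the application's machineKey, so the client cannot
        // forge or alter the value; UrlTokenEncode makes it URL-safe.
        return HttpServerUtility.UrlTokenEncode(MachineKey.Protect(payload, Purpose));
    }

    // DownloadHandler, in place of parsing LoginOK:
    //   if (!DownloadToken.TryValidate(context.Request.QueryString["t"], out string user))
    //   { context.Response.Redirect("./Error.aspx"); return; }
    public static bool TryValidate(string token, out string userName)
    {
        userName = null;
        if (string.IsNullOrEmpty(token)) return false;
        try
        {
            byte[] raw = HttpServerUtility.UrlTokenDecode(token);
            if (raw == null) return false;                       // malformed token text
            byte[] payload = MachineKey.Unprotect(raw, Purpose); // throws if tampered
            string[] parts = Encoding.UTF8.GetString(payload).Split(new[] { '|' }, 2);
            if (parts.Length != 2 || !long.TryParse(parts[0], out long expires)) return false;
            if (DateTime.UtcNow.Ticks > expires) return false;   // expired
            userName = parts[1];
            return true;
        }
        catch (CryptographicException) { return false; }         // forged or foreign token
        catch (FormatException) { return false; }                // invalid Base64
    }
}
```

The token still travels in the URL, so the lifetime should be no longer than the print request needs.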




Answer 3:


Found the fix:

You have to set cookieSameSite="None" in the sessionState tag to avoid this issue. I've tried this and it is working well in all browsers.

    <sessionState cookieSameSite="None" cookieless="false" timeout="360">
    </sessionState>


Source: https://stackoverflow.com/questions/59151616/ie-or-edge-print-dialog-box-send-request-to-server-without-session-because-same
