Webmail Session Timeout after Dec 2019 Windows Update

Raise/discuss any potential issues with MailEnable for consideration in project issue register.
Post Reply
capvar
Posts: 5
Joined: Fri Jun 21, 2019 9:24 pm

Webmail Session Timeout after Dec 2019 Windows Update

Post by capvar » Mon Dec 16, 2019 8:19 pm

We used to load the webmail interface in an iframe, in many tailormade web based CRMs, providing login/pass via URL parameters.
It worked fine until today. After latest 10 Dec 2019 Windows Update (on Server 2012) we get a session timeout message as soon as the iframe loads.
The problem occurs only in the iframe, if we use the same url in a new browser window it works fine.
Tested many browsers, computers and CRMs, on the same server, same result.

We tried some configurations regarding the session timeout thing (like setting the process number to 1) which didn't help.

capvar
Posts: 5
Joined: Fri Jun 21, 2019 9:24 pm

Re: Webmail Session Timeout after Dec 2019 Windows Update

Post by capvar » Tue Dec 17, 2019 6:24 am

Further investigation in the updates reveals:

https://support.microsoft.com/en-us/help/4533010/kb4533010
ASP.NET now emits a SameSite cookie header when HttpCookie.SameSite value is "None" to accommodate upcoming changes to SameSite cookie handling in Chrome. As part of this change, FormsAuth and SessionState cookies are also issued with SameSite = 'Lax' instead of the previous default of 'None', though these values can be overridden in web.config.

For more information, refer to: https://docs.microsoft.com/en-us/aspnet/samesite/system-web-samesite.
I suppose the problem is hidden here, using webmail in the iframe involves cross site cookies handle (to manage the session)

Adding code below in web.config for MEwebmail solves the problem
<rewrite>
<outboundRules>
<rule name="Add SameSite" preCondition="No SameSite">
<match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
<action type="Rewrite" value="{R:0}; SameSite=none" />
<conditions>
</conditions>
</rule>
<preConditions>
<preCondition name="No SameSite">
<add input="{RESPONSE_Set_Cookie}" pattern="." />
<add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=none" negate="true" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>

Varshasoni
Posts: 2
Joined: Fri Jan 17, 2020 8:00 am

Re: Webmail Session Timeout after Dec 2019 Windows Update

Post by Varshasoni » Fri Jan 17, 2020 8:03 am

Can someone please tell which kb us causing this session timeout issue in iframe because i am having the same problem after December install

Varshasoni
Posts: 2
Joined: Fri Jan 17, 2020 8:00 am

Re: Webmail Session Timeout after Dec 2019 Windows Update

Post by Varshasoni » Fri Jan 17, 2020 8:10 am

Can you please tell which KB is causing this issue ?

Post Reply