Webmail Session Timeout after Dec 2019 Windows Update

Raise/discuss any potential issues with MailEnable for consideration in project issue register.
Post Reply
capvar
Posts: 13
Joined: Fri Jun 21, 2019 9:24 pm

Webmail Session Timeout after Dec 2019 Windows Update

Post by capvar »

We used to load the webmail interface in an iframe, in many tailormade web based CRMs, providing login/pass via URL parameters.
It worked fine until today. After latest 10 Dec 2019 Windows Update (on Server 2012) we get a session timeout message as soon as the iframe loads.
The problem occurs only in the iframe, if we use the same url in a new browser window it works fine.
Tested many browsers, computers and CRMs, on the same server, same result.

We tried some configurations regarding the session timeout thing (like setting the process number to 1) which didn't help.

capvar
Posts: 13
Joined: Fri Jun 21, 2019 9:24 pm

Re: Webmail Session Timeout after Dec 2019 Windows Update

Post by capvar »

Further investigation in the updates reveals:

https://support.microsoft.com/en-us/help/4533010/kb4533010
ASP.NET now emits a SameSite cookie header when HttpCookie.SameSite value is "None" to accommodate upcoming changes to SameSite cookie handling in Chrome. As part of this change, FormsAuth and SessionState cookies are also issued with SameSite = 'Lax' instead of the previous default of 'None', though these values can be overridden in web.config.

For more information, refer to: https://docs.microsoft.com/en-us/aspnet/samesite/system-web-samesite.
I suppose the problem is hidden here, using webmail in the iframe involves cross site cookies handle (to manage the session)

Adding code below in web.config for MEwebmail solves the problem
<rewrite>
<outboundRules>
<rule name="Add SameSite" preCondition="No SameSite">
<match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
<action type="Rewrite" value="{R:0}; SameSite=none" />
<conditions>
</conditions>
</rule>
<preConditions>
<preCondition name="No SameSite">
<add input="{RESPONSE_Set_Cookie}" pattern="." />
<add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=none" negate="true" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>

Varshasoni
Posts: 2
Joined: Fri Jan 17, 2020 8:00 am

Re: Webmail Session Timeout after Dec 2019 Windows Update

Post by Varshasoni »

Can someone please tell which kb us causing this session timeout issue in iframe because i am having the same problem after December install

Varshasoni
Posts: 2
Joined: Fri Jan 17, 2020 8:00 am

Re: Webmail Session Timeout after Dec 2019 Windows Update

Post by Varshasoni »

Can you please tell which KB is causing this issue ?

capvar
Posts: 13
Joined: Fri Jun 21, 2019 9:24 pm

Re: Webmail Session Timeout after Dec 2019 Windows Update

Post by capvar »

You can find it at the url kb4533010

It is not simple to just uninstall this update because its security for all the Framework. Fix it the right way

Nexce19
Posts: 1
Joined: Sun May 17, 2020 2:20 pm
Location: https://epilators.co/best-epilator-2020/

Re: Webmail Session Timeout after Dec 2019 Windows Update

Post by Nexce19 »

Faced same issue, Just uninstall windows update and everything will be okay

capvar
Posts: 13
Joined: Fri Jun 21, 2019 9:24 pm

Re: Webmail Session Timeout after Dec 2019 Windows Update

Post by capvar »

Security updates are made for a reason... security.
It is a bad practice to compromise whole server security for some cookies issues.

Post Reply