After installing Windows update the session in HttpHandler does not work properly

Question

After installing Windows update 2020—KB4534273 and 2020-KB4535101 session in HttpHandler does not work properly.

For SAML2 authentication, when processing a response on the SP side, I verify the response versus the sent request. However, when processing an update after installing an update, I do not have an available session. IDP is https, SP http.

My handler implementing interface IRequiresSessionState public class Saml2Handler : IHttpHandler, IRequiresSessionState

The solution had worked before...

Answer 1

See the known issues in this Microsoft article: https://learn.microsoft.com/en-us/aspnet/samesite/system-web-samesite#known-issues

We had a similar issue after patching our servers, and it was related to the change to SameSite cookie handling and sessionState in the .NET Framework.

Our scenario was this - user arrives unauthenticated, we set a value in session, redirect them to an external site to authenticate, after which the user is sent back to our site via HTTP POST. It was the fact they were coming back on a POST that caused the issue.

We found a couple workarounds:

1. Revert to pre-patch cookie behavior (https://learn.microsoft.com/en-us/aspnet/samesite/system-web-samesite#reverting-net-472-behavior)
2. Keep the new cookie setting for sessionState and manually set a cookie (this has the advantage of keeping the new recommended default security settings on the session cookie)

    context.Response.AddHeader("set-cookie", $"cookiename=cookievalue; path=/; SameSite=None; Secure");

We went with option #2