Heads up re: 2019-12 Security and Quality Rollup for .Net Framework

jguengerich
Commodore (COMO)
Posts: 435
Joined: Tue May 07, 2013 1:59 pm


Post by jguengerich » Wed Dec 11, 2019 4:47 pm

I applied the above listed Microsoft Update to my test server (Server 2008 R2, .Net 4.7.1, AC Gold R12 SR2). I use the CyberSource gateway, modified to use their Secure Acceptance (pages hosted on their servers) for credit card entry. When the customer finishes entering their info (or cancels), you can set which web page on your site you want them to come back to. After applying this patch, the session id and authentication cookies (ACGOLD.SESSIONID and ACGOLD.ASPXAUTH) were not getting requested on the return to my web site. After researching the problem, it is related to the new(ish) "Same Site" cookie processing that is used to help prevent cross-site scripting attacks. The solution was to modify a few lines in the <system.web> section of my web.config as follows:


    <httpCookies requireSSL="true"/>
    <authentication mode="Forms">
      <!-- added cookieSameSite="None" so return from SecureAcceptance will work after Dec. 2019 .Net update -->
      <forms timeout="15" slidingExpiration="true" name="ACGOLD.ASPXAUTH" requireSSL="true" cookieSameSite="None"/>
    </authentication>
    <!-- added cookieSameSite="None" so return from SecureAcceptance will work after Dec. 2019 .Net update -->
    <sessionState mode="InProc" timeout="15" cookieName="ACGOLD.SESSIONID" cookieSameSite="None"/>
It seemed to work after only changing the ASPXAUTH cookie setting, but I changed the other one as well to keep things consistent. The requireSSL settings weren't related to this problem, but I included them above because I don't think they were in the original AC-supplied web.config.

This will probably only affect you if you are also sending users to externally hosted pages while they are logged in to their account.
Jay
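As an added example, not part of Jay's post and not AbleCommerce or Microsoft code, the following Python script models the browser-side behaviour behind the symptom above: it reads the forms-authentication and session-state cookie settings out of a web.config fragment and applies the SameSite rules (Lax cookies ride only on top-level safe-method navigations such as GET; None cookies ride on any cross-site request but only if they are also Secure) to predict which cookies arrive with the customer's return from the hosted payment page. The two web.config fragments are constructed for the example; the assumptions are that the framework treats a missing cookieSameSite as Lax (`default_same_site`) and that the hosted page returns the customer with a top-level cross-site POST.

```python
"""Added example: predict which ASP.NET cookies a browser attaches on the
return from a cross-site hosted payment page, given web.config SameSite
settings. Not AbleCommerce or Microsoft code; both web.config fragments
below are constructed for the example."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed "before" fragment: no cookieSameSite attribute, so the
# framework default applies (assumed to be Lax after the update).
WEB_CONFIG_BEFORE = """
<system.web>
  <httpCookies requireSSL="true"/>
  <authentication mode="Forms">
    <forms timeout="15" slidingExpiration="true" name="ACGOLD.ASPXAUTH" requireSSL="true"/>
  </authentication>
  <sessionState mode="InProc" timeout="15" cookieName="ACGOLD.SESSIONID"/>
</system.web>
"""

# Constructed "after" fragment mirroring the change described in the post.
WEB_CONFIG_AFTER = """
<system.web>
  <httpCookies requireSSL="true"/>
  <authentication mode="Forms">
    <forms timeout="15" slidingExpiration="true" name="ACGOLD.ASPXAUTH" requireSSL="true" cookieSameSite="None"/>
  </authentication>
  <sessionState mode="InProc" timeout="15" cookieName="ACGOLD.SESSIONID" cookieSameSite="None"/>
</system.web>
"""


@dataclass(frozen=True)
class Cookie:
    name: str
    same_site: str  # "Strict", "Lax" or "None"
    secure: bool


def cookies_from_web_config(xml_text, default_same_site="Lax"):
    """Read the forms-auth and session cookies with their SameSite/Secure flags.

    default_same_site is an assumption standing in for the framework default
    used when cookieSameSite is absent from the element."""
    root = ET.fromstring(xml_text.strip())
    http_cookies = root.find("httpCookies")
    global_secure = (http_cookies is not None
                     and http_cookies.get("requireSSL", "false").lower() == "true")
    cookies = []
    forms = root.find("authentication/forms")
    if forms is not None:
        secure = global_secure or forms.get("requireSSL", "false").lower() == "true"
        cookies.append(Cookie(forms.get("name", ".ASPXAUTH"),
                              forms.get("cookieSameSite", default_same_site), secure))
    session = root.find("sessionState")
    if session is not None:
        cookies.append(Cookie(session.get("cookieName", "ASP.NET_SessionId"),
                              session.get("cookieSameSite", default_same_site), global_secure))
    return cookies


def browser_sends(cookie, cross_site, top_level_navigation, method):
    """SameSite rules a modern browser applies when attaching a cookie."""
    if cookie.same_site == "None" and not cookie.secure:
        return False  # SameSite=None without Secure is rejected outright
    if not cross_site:
        return True   # same-site requests always carry the cookie
    if cookie.same_site == "Strict":
        return False
    if cookie.same_site == "Lax":
        # Lax: only top-level navigations using a safe method (GET/HEAD)
        return top_level_navigation and method.upper() in ("GET", "HEAD")
    return True       # None + Secure: sent on any cross-site request


def cookies_sent_on_return(xml_text, method="POST", default_same_site="Lax"):
    """Names of the cookies that reach the site when the hosted payment page
    sends the customer back with a top-level cross-site request (assumed
    here to be a POST, as a hosted checkout typically posts its result)."""
    return sorted(c.name for c in cookies_from_web_config(xml_text, default_same_site)
                  if browser_sends(c, cross_site=True, top_level_navigation=True,
                                   method=method))


if __name__ == "__main__":
    for label, cfg in (("before", WEB_CONFIG_BEFORE), ("after", WEB_CONFIG_AFTER)):
        print(f"{label}: POST return carries {cookies_sent_on_return(cfg) or 'no cookies'}")
```

Running it shows the "before" configuration dropping both ACGOLD cookies on the POST return (they would still be sent on a plain GET return), and the "after" configuration carrying both, which only works because requireSSL marks them Secure; SameSite=None on a non-Secure cookie is discarded by the browser, so a site that is not fully HTTPS would not be fixed by the attribute alone.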
