why Request.IsAuthenticated is false in callback gateway?

[mansour-nazifi]

hi
When the user logs in dnn, the value of the Request.IsAuthenticated is true
As soon as the user connects to the banking portal gateway and returns to the site from the gateway again, the value of Request.IsAuthenticated becomes false!
And it causes the user's DNN and anonymity and again display login button.

Changing the page also solves the problem and again the value of Request.IsAuthenticated becomes true

[mitchelsellers]

Can we get a code example of what you are doing?

[mansour-nazifi]

There is no code!
just post user to gateway and user after pay , return to callback address.

[mansour-nazifi]

after user callback to dnn display again login button!
While the user had logged in before going to the gateway

[jeremy-farrance]

Is it possible that you have multiple Alias variations? Maybe both root and www available? This might happen if you are authenticated on the www alias and then the callback address is to the root (no www).

[mansour-nazifi]

my address
http://localhost:7263/en-us/

[soheilkheiri]

We have the same problem.

Authentication is lost after the callback. But once refreshed, it is authenticated.

[mansour-nazifi]

Cookie ".DOTNETNUKE" is not in the list of C # cookies in callback!

[mansour-nazifi]

I found the problem
why DOTNETNUKE cookie is SameSite = Lax ??

i change web.config :

and problem solved!

These changes do not have a security problem?

[mansour-nazifi]

<forms name=".DOTNETNUKE" protection="All" cookieSameSite="None" timeout="60" cookieless="UseCookies" />

[mitchelsellers]

DNN follows the default using the Lax method, there have been some arguments for the default to be Strict.

Using “none” as you have set is something you need to be sure that it isn’t a concern as for many sites it is less secure.

This article has a good overview https://web.dev/samesite-cookies-explained/

[mitchelsellers]

The usage of none should never be needed within DNN for authentication. Can you explain exactly what you have going on environmentally? Is this iframed or otherwise?

[soheilkheiri]

So how do we identify users when there is no authentication?

You are clearing the issue and unfortunately you did not understand the problem correctly. Please re-read this discussion to understand.

[mitchelsellers]

My point is that I need to understand WHAT exactly the user is doing, what is their flow?

View Homepage -> View login Page -> Login -> Return to DNN Logged In -> What else?

[soheilkheiri]

When you buy an authenticated user from the store and it is sent to the bank's website, after returning from the bank's website to the store's website by the callback address, it is not authenticated and therefore the user's purchase is not registered in the system and the user's payment is not confirmed.

[mitchelsellers]

Ok, if I understand this process correctly you have the following flow.

User Clicks Checkout (DNN) -> User is redirected to the bank website -> User pays on bank website -> Bank website tries to return to DNN

DNN's default behavior of Lax should allow for this, however, it sounds like there might be multiple redirects involved in your situation that make it where Lax isn't usable.

I personally, would look at how/why Lax isn't behaving properly, rather than a sledgehammer usage of None as it does open you up to some security scenarios.