Why is my Session ID changing on 3D Secure payments?

16 December 2020

If you have a website where you are implementing 3D Secure payments, you may find that you have an issue where on receipt of the payment setup confirmation the users Session ID has changed with no apparent cause.

Lets have a quick run through of the payment process in this scenario (this is roughly how SagePay and WorldPay both work):

User completes payment details on your site (some wizardry normally happens at this point with an iFrame for the card number to maintain PCI compliance) and the form is submitted to your server
You server call's an API from the payment gateway to setup a 3D Secure payment. It passes the users Session ID along with all the payment details.
Payment gateway responds with a URL for you to redirect the user too by posting a form to it. You do this, likely in an iFrame so that the page still looks like your website (otherwise it's a very ugly page).
User may or may not get prompted by some sort of authentication by the bank. This could be something like receiving a text message with a code to enter.
When authenticated the user is sent back to your website (in the iFrame) with a post request.
Your server picks out the form details from the request and then calls an API to complete the transaction. In this API call you send the Session ID so that the payment gateway can validate it is the same as the one at the start of the process.
Confirmation shown to the user.

Introducing the Same Site Cookie Policy

In 2020 a change made to how cookies function in browsers to defend against cross site scripting. Troy Hunt has a brilliant explanation of the issue with how cookies used to work and how this has changed here. I'm going to try a much shorter explanation;

When a request is made from a browser, as part of the request all the cookie values for that domain are sent with the request. This will include one for the Session ID. The theory here is that because the cookies are only being sent to the domain which set them in the first place, then information is only being shared back with the place that set it to begin with, which is therefor safe.

However the workings of the internet and what domain a button click might call isn't overly obvious to most people. So what if clicking a link on one site causes the user to be redirected to another site? Answer: all the cookies are still sent. The same thing happens if a form is posted from one site to another site. The problem here is that if you are authenticated on the other website, then its possible for a cross site scripting attack to be using your session via your browser without you even realising you were on the site again. This is why it's always a good idea to log out of websites!

The introduction of the same site policy changes how cookies work with three options:

None: which is what the browsers used to do. i.e. send all the cookies with cross-origin request
Lax: some limits on sending cookies with cross-origin request
Strict: tight limits on sending cookies with cross-origin request

None is sending everything and a strict policy will basically stop cookies from being sent when they have a cross-origin request.

A Lax policy is slightly more interesting though, because it depends if the request is a GET or a POST. If it is a GET then the cookies will still be sent, which means that if you follow a link from another site or a search engine your cookies will still be sent to the site. However a POST (like what the 3D Secure page is doing) will no longer send the cookies.

If the policy isn't set, then Lax is used as the default.

So why is my Session ID changing?

The problem is that post request back to your site, unless the Session ID had a cookie policy of None then the Session ID cookie won't be sent. The server will then see that there is no Session ID and treat the users as if they are new on the site and as a result start a new session. From this point on the user has lost the old session and you can't complete the payment. Worse still they've probably just been logged out and anything else using session data has also been lost.

In .Net 4.7.2 and up, Microsoft has implemented the ability to set the cookie policy of the session ID. You can do this in your web.config file like this:

1<configuration>
2 <system.web>
3  <anonymousIdentification cookieRequireSSL="false" /> <!-- No config attribute for SameSite -->
4  <authentication>
5   <forms cookieSameSite="None" requireSSL="false" />
6  </authentication>
7  <sessionState cookieSameSite="None" /> <!-- No config attribute for Secure -->
8  <roleManager cookieRequireSSL="false" /> <!-- No config attribute for SameSite -->
9 <system.web>
10<configuration>

You can find more about this here. In everything older the policy wont be set and will default to Lax.

However just because you can set the cookie policy to None, it doesn't mean you should. After all, that just re-opens the vulnerability the browser was trying to protect against.

The solution I went with was to have a page that the users is redirected back to from the payment gateway that does nothing other than re-submit the values from the payment gateway to the site again. This way I can be sure of what form data is being posted to the site, and when I re-post it, it is a same site post and not a cross-origin which means the Session ID cookie will be sent.

To stop my initial page setting a new session cookie (which it will try to do because it won't recieve one), I use the IIS URL Rewrite module to strip out the set cookie response headers from the page.

You can do this with an outbound rule as follows:

1<rewrite>
2      <rules>
3      </rules>
4      <outboundRules>
5        <rule name="Remove SetCookie Header" preCondition="Match Payment Page">
6          <match serverVariable="RESPONSE_Set-Cookie" pattern=".*" />
7          <action type="Rewrite" value="" />
8        </rule>
9        <preConditions>
10          <preCondition name="Match Payment Page" logicalGrouping="MatchAny">
11            <add input="{REQUEST_URI}" pattern="PAGE NAME GOES HERE" />
12          </preCondition>
13        </preConditions>
14      </outboundRules>
15    </rewrite>

With this solution the cookies are still secure as the policy is set to Lax and I can take payments using 3D Secure which will soon become a requirement.

Two ways to import an XML file with .Net Core or .Net Framework

21 November 2019

It's always the simple stuff you forget how you do. For years I've mainly been working with JSON files, so when faced with that task of reading an XML file my brain went "I can do that" followed by "actually how did I used to do that?".

So here's two different methods. They work on .Net Core and theoretically .Net Framework (my project is .Net Core and haven't checked that they do actually work on framework).

My examples are using an XML in the following format:

1<?xml version="1.0" encoding="utf-8"?>
2<jobs>
3    <job>
4        <company>Construction Co</company>
5        <sector>Construction</sector>
6        <salary>£50,000 - £60,000</salary>
7        <active>true</active>
8        <title>Recruitment Consultant - Construction Management</title>
9    </job>
10    <job>
11        <company>Medical Co</company>
12        <sector>Healthcare</sector>
13        <salary>£60,000 - £70,000</salary>
14        <active>false</active>
15        <title>Junior Doctor</title>
16    </job>
17</jobs>

Method 1: Reading an XML file as a dynamic object

The first method is to load the XML file into a dynamic object. This is cheating slightly by first using Json Convert to convert the XML document into a JSON string and then deserializing that into a dynamic object.

1using Newtonsoft.Json;
2using System;
3using System.Collections.Generic;
4using System.Dynamic;
5using System.IO;
6using System.Text;
7using System.Xml;
8using System.Xml.Linq;
9
10namespace XMLExportExample
11{
12    class Program
13    {
14        static void Main(string[] args)
15        {
16            string jobsxml = "<?xml version=\"1.0\" encoding=\"utf-8\"?><jobs>    <job><company>Construction Co</company><sector>Construction</sector><salary>£50,000 - £60,000</salary><active>true</active><title>Recruitment Consultant - Construction Management</title></job><job><company>Medical Co</company><sector>Healthcare</sector><salary>£60,000 - £70,000</salary><active>false</active><title>Junior Doctor</title></job></jobs>";
17
18            byte[] byteArray = Encoding.UTF8.GetBytes(jobsxml);
19            MemoryStream stream = new MemoryStream(byteArray);
20            XDocument xdoc = XDocument.Load(stream);
21
22            string jsonText = JsonConvert.SerializeXNode(xdoc);
23            dynamic dyn = JsonConvert.DeserializeObject<ExpandoObject>(jsonText);
24
25            foreach (dynamic job in dyn.jobs.job)
26            {
27                string company;
28                if (IsPropertyExist(job, "company"))
29                    company = job.company;
30
31                string sector;
32                if (IsPropertyExist(job, "sector"))
33                    company = job.sector;
34
35                string salary;
36                if (IsPropertyExist(job, "salary"))
37                    company = job.salary;
38
39                string active;
40                if (IsPropertyExist(job, "active"))
41                    company = job.active;
42
43                string title;
44                if (IsPropertyExist(job, "title"))
45                    company = job.title;
46
47                // A property that doesn't exist
48                string foop;
49                if (IsPropertyExist(job, "foop"))
50                    foop = job.foop;
51            }
52
53            Console.ReadLine();
54        }
55
56        public static bool IsPropertyExist(dynamic settings, string name)
57        {
58            if (settings is ExpandoObject)
59                return ((IDictionary<string, object>)settings).ContainsKey(name);
60
61            return settings.GetType().GetProperty(name) != null;
62        }
63    }
64}
65

A foreach loop then goes through each of the jobs, and a helper function IsPropertyExist checks for the existence of a value before trying to read it.

Method 2: Deserializing with XmlSerializer

My second approach is to turn the XML file into classes and then deserialize the XML file into it.

This approch requires more code, but most of it can be auto generated by visual studio for us, and we end up with strongly typed objects.

Creating the XML classes from XML

To create the classes for the XML structure:

1. Create a new class file and remove the class that gets created. i.e. Your just left with this

1using System;
2using System.Collections.Generic;
3using System.Text;
4
5namespace XMLExportExample
6{
7
8}

2. Copy the content of the XML file to your clipboard
3. Select the position in the file you want to the classes to go and then go to Edit > Paste Special > Paste XML as Classes

If your using my XML you will now have a class file that looks like this:

1using System;
2using System.Collections.Generic;
3using System.Text;
4
5namespace XMLExportExample
6{
7
8    // NOTE: Generated code may require at least .NET Framework 4.5 or .NET Core/Standard 2.0.
9    /// <remarks/>
10    [System.SerializableAttribute()]
11    [System.ComponentModel.DesignerCategoryAttribute("code")]
12    [System.Xml.Serialization.XmlTypeAttribute(AnonymousType = true)]
13    [System.Xml.Serialization.XmlRootAttribute(Namespace = "", IsNullable = false)]
14    public partial class jobs
15    {
16
17        private jobsJob[] jobField;
18
19        /// <remarks/>
20        [System.Xml.Serialization.XmlElementAttribute("job")]
21        public jobsJob[] job
22        {
23            get
24            {
25                return this.jobField;
26            }
27            set
28            {
29                this.jobField = value;
30            }
31        }
32    }
33
34    /// <remarks/>
35    [System.SerializableAttribute()]
36    [System.ComponentModel.DesignerCategoryAttribute("code")]
37    [System.Xml.Serialization.XmlTypeAttribute(AnonymousType = true)]
38    public partial class jobsJob
39    {
40
41        private string companyField;
42
43        private string sectorField;
44
45        private string salaryField;
46
47        private bool activeField;
48
49        private string titleField;
50
51        /// <remarks/>
52        public string company
53        {
54            get
55            {
56                return this.companyField;
57            }
58            set
59            {
60                this.companyField = value;
61            }
62        }
63
64        /// <remarks/>
65        public string sector
66        {
67            get
68            {
69                return this.sectorField;
70            }
71            set
72            {
73                this.sectorField = value;
74            }
75        }
76
77        /// <remarks/>
78        public string salary
79        {
80            get
81            {
82                return this.salaryField;
83            }
84            set
85            {
86                this.salaryField = value;
87            }
88        }
89
90        /// <remarks/>
91        public bool active
92        {
93            get
94            {
95                return this.activeField;
96            }
97            set
98            {
99                this.activeField = value;
100            }
101        }
102
103        /// <remarks/>
104        public string title
105        {
106            get
107            {
108                return this.titleField;
109            }
110            set
111            {
112                this.titleField = value;
113            }
114        }
115    }
116
117}

Notice that the active field was even picked up as being a bool.

Doing the Deserialization

To do the deserialization, first create an instance of XmlSerializer for the type of the object we want to deserialize too. In my case this is jobs.

1            var s = new System.Xml.Serialization.XmlSerializer(typeof(jobs));

Then call Deserialize passing in a XML Reader. I'm creating and XML reader on the stream I used in the dynamic example.

1            jobs o = (jobs)s.Deserialize(XmlReader.Create(stream));

The complete file now looks like this:

1using System;
2using System.IO;
3using System.Text;
4using System.Xml;
5
6namespace XMLExportExample
7{
8    class Program
9    {
10        static void Main(string[] args)
11        {
12            string jobsxml = "<?xml version=\"1.0\" encoding=\"utf-8\"?><jobs>    <job><company>Construction Co</company><sector>Construction</sector><salary>£50,000 - £60,000</salary><active>true</active><title>Recruitment Consultant - Construction Management</title></job><job><company>Medical Co</company><sector>Healthcare</sector><salary>£60,000 - £70,000</salary><active>false</active><title>Junior Doctor</title></job></jobs>";
13
14            byte[] byteArray = Encoding.UTF8.GetBytes(jobsxml);
15            MemoryStream stream = new MemoryStream(byteArray);
16
17            var s = new System.Xml.Serialization.XmlSerializer(typeof(jobs));
18            jobs o = (jobs)s.Deserialize(XmlReader.Create(stream));
19
20            Console.ReadLine();
21        }
22    }
23}

And thats it. Any missing nodes in your XML will just be blank rather than causing an error.

ASP.NET Core Platforms for a Blog

8 February 2019

Like a lot of Sitecore developers my blog (at time of writing) is hosted on Wordpress. The reason for it not being in Sitecore is simple. Sitecore is an enterprise level platform, which isn't really needed for a personal blog.

For a .net dev to have there blog on a php platform however just seems plain wrong, but again there's a logical reason. Wordpress is actually really good as a blogging platform, and it doesn't cost me anything.

Despite this I would much rather take control of my site and use it to play with all the cool features in Azure. It would also be nice to have the ability to do something about the Google PageSpeed result which is currently sitting at 24%. So in aid of this I've started looking into .net core based platforms and thought I'd share what I've found.

Miniblog.core

https://github.com/madskristensen/Miniblog.Core

As the name suggests Miniblog.core is both very small and based on .net core. Developed by Mads Kristensen its an extremely lightweight bare bones implementation, which if your after something you can help build upon is ideal. The code is straightforward to understand and very simple to adapt. Additionally if your after a 100% page speed score, then this achieves just that.

If on the other hand your after a deluxe admin experience full of functionality then this probably isn't for you.

Piranha CMS

http://piranhacms.org/

Piranha CMS is built as a lightweight CMS platform rather than specifically as a blog, however it also contains a blog module which for me put's it at a big advantage over the other CMS platforms I've listed below.

On the back end you get a choice of SQL Server, SQLite or MySQL. The documentation isn't exactly complete, but on the day I tried it out, I found the team building it very responsive on GitHub. They even updated the documentation with one of my suggestions the very next day.

Another aspect I particularly liked about Piranha CMS was it's block editor, which from the brief look I've had so far reminds me of the block editor Umbraco has. Whereas other platforms in this list were restricted to a large rich text field.

Orchard Core

https://github.com/OrchardCMS/OrchardCore

Orchard Core is the dot net core version of the Orchard CMS. It's currently in beta, but I'm not sure that put's it at much of a disadvantage over the others on this list.

My initial impressions of Orchard Core however weren't as high as Piranha CMS. The admin interface wasn't quite as nice and as far as I could tell, it didn't have anything like Piranha's block editor. The solution itself also seemed far more complex and I wasn't certain what I got for this. I expect Orchard Core is likely better in some ways that I have yet to discover, but for my needs as a blog this is probably not the case. It also didn't have a blog module out of the box.

Squidex

https://squidex.io/

I have't had much of a chance to play with Squidex yet, but it does offer an interesting difference to the others mentioned so far.

For a start Squidex is an entirely headless cms, and is built around the concept of CQRS and Event Sourcing. Unlike the others it also uses MongoDB rather than a SQL based database.

Where MongoDB is concerned, I often get the impression people are using it because as developers we tend to have a preference to using something new rather than something adequate. However when it comes to Azure pricing, there is potentially a saving to be made by using Mongo rather than Azure SQL.