We have a complicated issue in one of our web applications, and our developer has tried all tactics to fix it, but I suppose it needs someone with more expertise in fixing similar issues.
We have an Asp.Net Core (.Net 5) web application deployed on IIS and mapped to a subdomain ([login to view URL]). The application features are accessed through login. Initially only an http binding was used in IIS, but the web application was still auto-redirecting to https (SSL).
Everything was working fine till this point.
A new functionality was needed, where we needed to include a secured (accessed through login) report of that application in another website's embedded (IFrame) section. We added an auto-login functionality to the application so that we can pass an auto-login URL into the IFrame and it auto-redirects to the specified report (page).
IFrame embedding needs special configuration like CORS, X-Frame-Options, cookie SameSite, etc. By trial and error, we configured these settings and were able to make it work. This was working smoothly on our dev server. But when we deploy to the live server, no user can log in due to same-site policy conflicts or auto-redirect.
We need someone who has been in a similar situation before and has good working knowledge of the concepts "same-site policy" and "CORS".
For security reasons we cannot provide the website or links, but this is something for the freelancer accepting the project.
To be clear:
We have a link we want to embed into another webpage through an iframe which shows part of a webapp (some statistical graphs). It works on [login to view URL], but not on prod. We do SSL certificate registration with Let's Encrypt on the dev server, while on the prod server this is done by the client's IT people.
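The settings the description above touches on (a login cookie that survives inside a cross-site iframe, and an allow-list of sites permitted to frame the report), as an added ASP.NET Core (.NET 5) illustration rather than the poster's own code; the embedding origin https://portal.example, the use of cookie authentication and the hypothetical Startup class are assumptions:

```csharp
// Startup.cs (ASP.NET Core / .NET 5). Added illustration, not the poster's code.
// Assumes cookie-based login and that https://portal.example (placeholder)
// is the site that embeds the report page in an <iframe>.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    private const string EmbeddingOrigin = "https://portal.example"; // placeholder

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(options =>
            {
                // A cookie that must be sent from inside a cross-site iframe
                // needs SameSite=None. Browsers only accept SameSite=None when
                // Secure is also set, and a Secure cookie is only set/sent over
                // https, so the production host must really terminate TLS.
                options.Cookie.SameSite = SameSiteMode.None;
                options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
                options.Cookie.HttpOnly = true;
            });

        services.AddControllersWithViews();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseHttpsRedirection();

        app.Use(async (context, next) =>
        {
            // Allow framing only by the embedding site. X-Frame-Options cannot
            // express a per-origin allow-list in current browsers, so use the
            // CSP frame-ancestors directive instead and do not emit
            // X-Frame-Options alongside it.
            context.Response.Headers["Content-Security-Policy"] =
                $"frame-ancestors 'self' {EmbeddingOrigin}";
            await next();
        });

        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}
```

Because SameSite=None is only honoured together with Secure, a login that works on a dev host with a valid Let's Encrypt certificate will fail on a production host that does not actually serve the login over https; CORS headers matter only if the framed page makes cross-origin fetch/XHR calls, not for the iframe itself.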