My .NET MVC3 website is being loaded through an iframe on the parent website. They GET a controller's action on my website with certain parameters in the query string. My action validates these parameters, stores them in session and does RedirectToAction() to a different controller's action. In the second action, the first line of code gets these parameters from session. We did not have any problems in DEV, moreover we did not have any problems in QA.

In Production, after the redirect, the session variable gets cleared. This only happens in IE 8 and 7. The Production server does have a load balancer, but at the moment the second server is turned off and the problem is still there. Here is the code, I stripped out validation and some other stuff.

//Here is where they come in
[HttpGet]
public ActionResult Index(string locationGUID, string OtherParam)
{
   //?locationGUID=ABCDEFGHIJKLMNOP,XXXXXXXXX&ContractInstance=2111,#####
   //some validation here

   var passedData = new PassedData
       {
         Guids = locationGUID.Split(',').ToList(),
         OtherParam = OtherParam 
       };


   PassedData = passedData;

   //more validation and init DB logging here

   return RedirectToAction("Index", "OtherController");
}

//PassedData is a property of Base Controller, from which all other controllers inherit
public PassedData PassedData
{
   get { return (PassedData)Session["PassedData"]; }
   set { Session["PassedData"] = value; }
}

//Here is Index of "OtherController", when we get here in Prod in IE, first line throws null reference exception, because PassedData is now NULL....
[HttpGet]
public ActionResult Index()
{
   ViewBag.CustInfoList = PassedData.Guids.Select(guid => GetCustomerInfo(guid).Data).ToList();
//the rest of the code is not relevant to this question, since PassedData is already NULL :(
}

Thank you very much in advance!

UPDATE: I implemented session state mode "StateServer". Nothing changed.

UPDATE: I'm looking at Fiddler. IE: The parent site sets session cookie. My site doesn't. FF: Both sites set session cookie.

This is due to IE not trusting cookies created by IFrames

See Cookie blocked/not saved in IFRAME in Internet Explorer for a detailed explanation and a fix.

HTH

Another possible cause/solution is that IE doesn't save cookies if the domain name has an underscore (because strictly speaking domain names can't have underscores, so you'll probably only encounter this in development), e.g. http://my_dev_server/DoesntWork. Chrome or Firefox should work in this scenario, and if you change the domain name you're using to not have an underscore problem solved.

Ref:

• http://blog.smartbear.com/software-quality/internet-explorer-eats-cookies-with-underscores-in-the-hostname/
• http://social.msdn.microsoft.com/Forums/ie/en-US/8e876e9e-b223-4f84-a5d1-1eda2c2bbdf4/ie7-cookie-issue-when-domain-name-has-underscore-character-in-it?forum=iewebdevelopment

Load up fiddler. Watch for the Set-Cookie respond and note the cookie domain. Ensure it matches your site. Then on the next request (from redirect to action) ensure the cookie is sent over, and again, it matches the domain in the request.