IIS : application fails when http redirect to https.

Hi guys,

 

I don't know why but my C# ASP.NET ( .NET Framework 4.8 ) base application does a redirect to https. It calls another https C# ASP.NET ( .NET Core 3.1 ) application inside a IFRAME. It fails because the csrf token cookies cant be read when an ajax requests is sent from an http page. On code side no relevant issues found, but out it ops says that on our side is all ok. In the card I reported what I found in a wide-ranging search in the literature. 

The research I did revealed the following:

1. SameSite should be as much as set to Lax. The ideal would be to make the site work by setting the authentication cookie to Strict even if there are cases that are difficult to manage.
2. The ideal would be to run everything on https, but this does not mean solving the current problem we have.
3. We do not recommend the use of iframes or otherwise doing everything possible so that the site can not be included in an iframe.

Waiting for your replay.

Thank's in advance.

Simone