blocked 3rd party session cookies in iframes

If you use iFrames on your websites, you may have encountered the infamous ‘blocked 3rd party cookies’ issue that occurs in Safari – particularly on iOS 7.  Safari has defaults that are arguably more secure than most other browsers, but this winds up breaking some websites hosted in iFrames.  The sessions that the website relies on do not work (users cannot log in, etc.), because the browser does not ‘trust’ the session cookie when the website inside the iframe is hosted on a different domain (or subdomain) than the parent website.  In some cases simply changing the protocol (http vs https) can cause the same issue. is one example of people trying to address this problem.  Most of the solutions I found on the web for this were fairly complicated and required you to change the architecture of your site a fair bit.

However, in a lot of cases, the solution can be pretty easy.  It simply sends the ‘parent’ frame or browser window to the second domain temporarily to set a session cookie for the second domain, then redirects the user to the page on the first domain that hosts the iFrame.  Once the browser has accepted the cookie from the second domain, that domain is no longer considered ‘3rd party’ by the browser.

This can be done very easily and transparently to the user, with the use of a single file on the second domain which sets that session cookie and redirects the user back.  Here’s a php example.  This php file would be hosted on the same domain as the content of the iframe:

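<?php
// startsession.php
session_start(); // creates the session so the browser receives the session cookie
$_SESSION['ensure_session'] = true;
header('Location: '.$_GET['return']); // redirect target is taken as-is from the query string
exit;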

Note that this file uses a ‘get’ parameter to decide where to redirect the user to.  This is just for convenience – this could have been hard-coded, and you may need to handle url encoding of the parameter or deal with other security concerns.  Those concerns are not related directly to this solution.
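A hardened variant of startsession.php, added here as an example and not part of the original post: it only redirects to an allowlisted host, so the file cannot be used as an open redirect. The helper name safe_return_url, the two constants and the fallback URL are assumptions; domain1 is the post's own placeholder host.

```php
<?php
// startsession.php (hardened variant; added example, not the original post's code)

// Assumption: the only hosts allowed to receive the redirect.
const ALLOWED_RETURN_HOSTS = ['domain1'];
// Assumption: fixed fallback used when the parameter is missing or rejected.
const DEFAULT_RETURN = 'http://domain1/pageWithiFrame.html';

/**
 * Return $raw if it is an absolute http(s) URL on an allowed host,
 * otherwise return the fixed default. (Hypothetical helper.)
 */
function safe_return_url($raw): string
{
    // ?return[]=x arrives as an array; anything but a non-empty string is rejected.
    if (!is_string($raw) || $raw === '') {
        return DEFAULT_RETURN;
    }
    // Control characters (CR/LF, NUL), spaces and backslashes have no place in a
    // redirect target; browsers treat "\" like "/", which confuses host checks.
    if (preg_match('/[\x00-\x20\x7F\\\\]/', $raw)) {
        return DEFAULT_RETURN;
    }
    $parts = parse_url($raw);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return DEFAULT_RETURN;   // relative, scheme-less ("//host") or malformed
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return DEFAULT_RETURN;   // only web URLs are valid redirect targets
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return DEFAULT_RETURN;   // userinfo can disguise the real host
    }
    if (!in_array(strtolower($parts['host']), ALLOWED_RETURN_HOSTS, true)) {
        return DEFAULT_RETURN;   // host is not on the allowlist
    }
    return $raw;
}

// Redirect only when served by a web SAPI, so the helper can be exercised from the CLI.
if (PHP_SAPI !== 'cli') {
    session_start();
    $_SESSION['ensure_session'] = true;
    header('Location: ' . safe_return_url($_GET['return'] ?? null));
    exit;
}
```

The link on the first domain should pass the return value URL-encoded (for example with urlencode() when the link is generated in PHP), so that any query string in the return URL survives the round trip.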

On a page hosted on the first domain (the same domain that hosts the page containing the iFrame), create a link that goes through startsession.php on the second domain and returns to the page on the first domain that hosts the iframe, like so:

<a href="https://domain2/startsession.php?return=http://domain1/pageWithiFrame.html">page with iFrame</a>

On the first domain, the page with the iframe:

<p>Page hosted on domain1, with iframe content from domain2.</p>
<iframe src="https://domain2/index.php"></iframe>

At this point, the website hosted on domain2 will be able to set/use session cookies, because the user has explicitly authorized this on the parent frame by clicking on the link.

I’ve tested this approach successfully on iOS 7.  This works whether the parent domain is http or https.

This post was thrown together pretty quickly – let me know if you have any questions or have feedback on this solution.





html trick for wrapping long urls

These days, I spend a lot of my time working on mobile development (

In mobile development, screen space and layout are huge concerns.  One challenge I’ve seen is how to display a long URL on a mobile device.  In most cases you can just create a link and use some text-overflow techniques (text-overflow: ellipsis).  However if you really want to show the entire text of the URL, but have the invariable word-wrapping occur at the most visually appealing spots (after the forward slash character), it can be tricky.  Not all browsers interpret the word-break properties similarly.

I came across a wonderful technique here:

Simply put, it uses a technique of adding a ‘non visible space’ character (&#8203;) after each forward slash in the url.  The browser will happily wrap the text on those invisible spaces.  This can be done in javascript something like so:

// the trailing semicolon matters: without it, a digit following the slash would be read as part of the entity
url = url.split('/').join('/&#8203;');

Just make sure you only add this to the _visible_ portion of the text, not the actual href attribute.

It works like a charm, breaking text after each / character when needed.

*note* this technique does not work out of the box with a wordpress site like this one, as wordpress mangles/processes the urls when rendering the page, attempting to encode the ampersand character in the url.


Ubuntu on the desktop – my experience


Approximately three months ago, I decided to take the dive and run Ubuntu as my primary desktop.  I did it as an experiment, but have really quite liked the experience and I don’t expect to move back to windows, at least for my regular day-to-day use.  I’ll likely keep a virtual instance of windows available for the times when I can’t get a windows program to run correctly on Ubuntu, but so far I haven’t missed windows at all.

Don’t get me wrong – it’s not been a perfect experience.  But I’m an experienced software developer with a reasonable amount of Linux knowledge, so when faced with problems I had the tools to figure things out.  That being said, I think for a lot of folks Ubuntu would be a really great alternative.  So much of our computer usage these days is Web-based, and the modern browsers these days provide a really stable cross-platform environment for virtually all popular websites and needs.  For those times when a windows program is your only alternative (or you just want to check something out), the ‘WINE’ windows compatibility layer does a remarkable job of getting a LOT of windows programs running natively on linux/Ubuntu.

One thing I quite like about the Ubuntu experience is the Unity desktop/launcher – it has some great easy-to-use features, such as multiple desktops, and easy task switching with previews.  When I’m doing web development, it’s not unusual for me to have 10 or more windows open at the same time, so those features really help me organize my workspace.

I still occasionally find myself ‘searching’ for the right way to accomplish some minor task (like restoring a minimized window), but I recently found this great ‘cheat sheet’ for Ubuntu which I highly recommend Ubuntu users to review and experiment with the features highlighted.  Here’s a direct link to the document – I couldn’t find a link to the document on the author’s blog or I’d have sent you to his blog posting directly…


New blog platform

Well, I finally gave in and updated the old blog to WordPress.  I was able to export the old blog posts into WordPress, but it did require a fair bit of editing of things like post dates and statuses (draft, published, etc).  It also did not export comments.  Seeing as I only had a few comments :), I wound up adding those by hand, which didn’t update the date/timestamps. Seeing as I’ve already taken down the old blog, it’s kind of tricky to figure out the old datetimestamps for those comments…

The biggest remaining issue is that not all of the URLs and slugs match the old posts perfectly.  Many of them are fine after tweaking the permalink settings in wordpress to match the old blog format, but wordpress has renamed some of the article names/slugs, and resetting those looks like a manual process…

ubuntu printer install

I got a new Lexmark Pro715 printer yesterday, but had some problems installing it in ubuntu.  I finally got it working and thought I’d drop a note here for future reference.

tl;dr version

install the printer utility from, don’t bother looking for printer drivers.  After install, search for ‘lexmark’ in the dashboard gui, as the command-line install does not indicate how to run the utility. After install you must sudo chown root /usr/lib/cups/backend; sudo chown root /usr/lib/cups/filter

Dreamhost Trac misconfiguration – how to get authentication working for Trac on Dreamhost

Dreamhost is a great hosting company, and provides a lot of very nice ‘one click installs’ of common software packages.  I sometimes use Trac ( for managing hobby development projects, and the Dreamhost one click install worked great, except when it came to setting up authentication (requiring login).

Comet or Long Loop message pattern – put an end to polling!

A while back I posted a possible solution to dealing with long running processes in a web application. While that solution works for very basic processes, the use of threading in an application can be the cause of a lot of grief (there are just too many ways outside of your control for those threads to be aborted prematurely).

I did a little research and came up with a MUCH better solution – simply execute the ajax request for the long running process, and then listen for messages on another ajax request. The key to this working in IIS/.NET, however is to ensure that your long running process is a SESSIONLESS request, otherwise your request will block further ajax requests until it’s completed.

Javascript videos – by Douglas Crockford of YAHOO

If you are a web developer, you almost certainly need to program in Javascript.  If you need to program in Javascript, you need to watch this series of video presentations by Douglas Crockford.

Hopefully most of you (web developers) know who Mr Crockford is, but for those that don’t recognize his name: he works for Yahoo, and is a well known author and presenter on Javascript topics.  He is a member of the ECMAScript standards body and a general Javascript guru – developer of JSLint, the JSON spec and author of JavaScript: The Good Parts.

These lectures were given to (some members of) the Yahoo development team.  The first lecture is a fascinating history of computing and language development which is really informative and sets up the other lectures (on Javascript) really well.  If you don’t have the time for the first lecture you can dive in on the second one and get right into the language implementation details, but I really do recommend you start with the first video.  Each presentation is about 2hrs long, so make sure you’ve set aside enough time – it will be worth it!

I can’t recommend this enough – if you’re serious about your professional development as a web developer, Mr. Crockford’s material is must-read and must-watch.


Long Running Processes – a simple example

The problem

Sometimes, your web application needs to do something that takes a really long time – perhaps process a batch of files, backup or archive data, gather a bunch of data from external sources, or similar.  When dealing with this situation, you’re faced with a few challenges:

  • browser and other timeout settings – web frameworks aren’t designed to take more than a few seconds long to process a request and send back a response to the user.
  • user feedback – the user needs some sort of indication that the system is working as intended and not frozen or encountered an error.
  • user productivity – the user may want to do something else within your app while waiting for your process to finish.

I had to solve this problem myself a little while ago and thought I’d share my solution, which has a few concepts I did not find while searching for articles on the topic:

  • Status update in the form of a log or history of process rather than just a single %age complete number used in a progress bar
  • Providing parameters into the long running process, and
  • Getting access to the HTTPContext during the long running process.

Learning another language

I’ve been meaning to learn another programming language as a way of ‘sharpening my tools’, so to speak.  For years I’ve had my eye on LISP, but wasn’t sure it would be worth my time, given the predominance of the MS .net stack, Java, javascript, and some of the new scripting languages – ruby, python, etc.  But I stumbled across a recommendation to watch a series of videos on LISP from MIT professors Hal Abelson and Gerald Jay Sussman.  They are freely posted here:  Well I tried the first lecture, and while I chuckled at the dress and hairstyles of the early 80′s, I was quickly hooked on the content.  I quickly realized that this wasn’t just a course on LISP, but rather a great course on the really great concepts of computer programming.  I’m on the 3rd lecture so far, and having a blast.  This might be old-hat for some CS grads, but I’d still really recommend checking these out if you want to geek out on some advanced ideas.