blocked 3rd party session cookies in iframes
02 Nov 2013
If you use iFrames on your websites, you may have encountered the infamous 'blocked 3rd party cookies' issue that occurs in Safari, particularly on iOS 7, although the latest versions of Safari on OS X now behave the same way. Safari's defaults are arguably more secure than those of most other browsers, but they wind up breaking some websites hosted in iFrames. The sessions that the website relies on do not work (users cannot log in, etc.), because the browser does not 'trust' the session cookie when the website inside the iframe is hosted on a different domain (or subdomain) than the parent website. In some cases simply changing the protocol (http vs https) can cause the same issue. Here is one example of people trying to address this problem.
Most of the solutions I found on the web for this were fairly complicated and required you to change the architecture of your site a fair bit.
However, in a lot of cases the solution can be pretty easy. This solution simply sends the 'parent' frame or browser window to the second domain temporarily to set a session cookie for the second domain, then redirects the user back to the page on the first domain that hosts the iFrame. Once the browser has accepted a cookie from the second domain in a first-party context, that domain is no longer considered '3rd party' by the browser.
This can be done very easily and transparently to the user, with a single file on the second domain which sets that session cookie and redirects the user back. Here's a PHP example. This PHP file would be hosted on the same domain as the content of the iframe:
<?php
// startsession.php
// Start (or resume) the session so the browser receives the session cookie
// for this domain while it is the top-level (first-party) page.
session_start();
$_SESSION['ensure_session'] = true;
// Send the user back to the page that hosts the iframe. The 'return' parameter
// is used unvalidated here; see the note below.
die(header('location: '.$_GET['return']));
Note that this file uses a GET parameter to decide where to redirect the user to. This is just for convenience: the target could have been hard-coded, and you may need to handle URL encoding of the parameter or deal with other security concerns (an unvalidated redirect target can be abused as an open redirect). Those concerns are not related directly to this solution.
On a page hosted on the first domain (the same domain as the one hosting the iFrame), create a link to startsession.php on the second domain, with the return parameter pointing back at the page on the first domain that hosts the iframe, like so:
<a href="https://domain2/startsession.php?return=http://domain1/pageWithiFrame.html">page with iFrame</a>
On the first domain, the page with the iframe:
<p>Page hosted on domain1, with iframe content from domain2.</p>
<iframe src="https://domain2/index.php"></iframe>
At this point, the website hosted on domain2 will be able to set/use session cookies, because the user has explicitly authorized this on the parent frame by clicking on the link.
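The startsession.php above passes the return parameter straight into the redirect. Here is a hardened variant, added as an example and not the original post's code, that validates the return URL against an allowlist of hosts before redirecting; the allowlist (domain1), the function name safe_return_url and the 302 status are assumptions.

```php
<?php
// startsession.php, hardened variant (added example, not the original post's code).
// Assumption: the only site allowed to receive the redirect is domain1;
// replace the constructed placeholder below with your own host(s).
const ALLOWED_RETURN_HOSTS = ['domain1'];
const ALLOWED_SCHEMES      = ['http', 'https'];

/**
 * Validate the caller-supplied return URL so this endpoint cannot be used as
 * an open redirect. Returns a rebuilt absolute URL, or null if rejected.
 */
function safe_return_url(string $candidate, array $allowedHosts): ?string
{
    $parts = parse_url($candidate);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;                        // relative or malformed URLs are rejected
    }
    if (!in_array(strtolower($parts['scheme']), ALLOWED_SCHEMES, true)) {
        return null;                        // rejects javascript:, data:, etc.
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;                        // rejects "https://domain1@other-host/" tricks
    }
    if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return null;                        // host is not one of our own sites
    }
    // Rebuild the URL from the validated parts rather than echoing the input.
    $url = $parts['scheme'] . '://' . $parts['host'];
    if (isset($parts['port']))     { $url .= ':' . $parts['port']; }
    $url .= $parts['path'] ?? '/';
    if (isset($parts['query']))    { $url .= '?' . $parts['query']; }
    if (isset($parts['fragment'])) { $url .= '#' . $parts['fragment']; }
    return $url;
}

// Only run the request handler when served by a web server, so the function
// above can be included from a test script without side effects.
if (PHP_SAPI !== 'cli') {
    session_start();                        // sets the session cookie for domain2 as a first party
    $_SESSION['ensure_session'] = true;

    // $_GET is already URL-decoded by PHP, so an encoded return parameter is handled.
    $target = safe_return_url($_GET['return'] ?? '', ALLOWED_RETURN_HOSTS);
    if ($target === null) {
        http_response_code(400);
        exit('Invalid return URL');
    }
    header('Location: ' . $target, true, 302);
    exit;
}
```

With this in place, `?return=http://domain1/pageWithiFrame.html` still works as in the original link, while a return value pointing at any other host is refused with a 400 instead of being redirected to.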
I've tested this approach successfully on iOS 7. This works whether the parent domain is http or https.
This post was thrown together pretty quickly - let me know if you have any questions or have feedback on this solution.