Krash Posted April 12, 2018 Share Posted April 12, 2018 Working with a script that consists of multiple files running in an iframe. If all files are local, and parent and iframe are in same domain, works fine. If iframe is loaded from different parent domain, works in IE11, but in FF58 all session variables are lost. Not trying to pass variables between parent and iframe, everything happens in iframe. Object is to install app on client sires, but keep core code on my server for security purposes and to facilitate upgrades. Quote Link to comment https://forums.phpfreaks.com/topic/307105-losing-session-variables-in-iframe/ Share on other sites More sharing options...
requinix Posted April 12, 2018 Share Posted April 12, 2018 How are you getting multiple files in one iframe? How are you sharing session data across multiple domains? Quote Link to comment https://forums.phpfreaks.com/topic/307105-losing-session-variables-in-iframe/#findComment-1557779 Share on other sites More sharing options...
Krash Posted April 12, 2018 Author Share Posted April 12, 2018 I've put together a simple test case that replicates the problem, but am unable to paste code into this post editor. Basically, domain 1 loads test1.php into iframe from domain 2. test1.php sets session variable and also posts second variable to test2.php. In IE11, both variables are displayed by test2, but in FF only post variable arrives, session variable is lost. Quote Link to comment https://forums.phpfreaks.com/topic/307105-losing-session-variables-in-iframe/#findComment-1557780 Share on other sites More sharing options...
Krash Posted April 12, 2018 Author Share Posted April 12, 2018 <sigh> Well, now I know what's causing it. FF is losing session variables because third party cookies are blocked. They're also blocked in IE, but it doesn't affect session variables. So the question becomes, is there any way around this? Quote Link to comment https://forums.phpfreaks.com/topic/307105-losing-session-variables-in-iframe/#findComment-1557782 Share on other sites More sharing options...
requinix Posted April 12, 2018 Share Posted April 12, 2018 What's preventing you from posting it? What it sounds like you're describing shouldn't be possible (you can't set cookies across domains) so I'm sure I'm misunderstanding something. If you're trying to send data across sites then posting it, which works, would be the way to do it. Why do you need to use a session? Quote Link to comment https://forums.phpfreaks.com/topic/307105-losing-session-variables-in-iframe/#findComment-1557784 Share on other sites More sharing options...
Krash Posted April 12, 2018 Author Share Posted April 12, 2018 Would be difficult to convert everything from session to post. The immediate problem is an imagepng script that generates a random 8 digit string, having no luck extracting the string or posting it. Is there any way to paste text into this editor? The paste button doesn't work. Quote Link to comment https://forums.phpfreaks.com/topic/307105-losing-session-variables-in-iframe/#findComment-1557785 Share on other sites More sharing options...
requinix Posted April 12, 2018 Share Posted April 12, 2018 (edited) Just paste. You know. Normally. Ctrl+V. Right-click menu. Make sure you're using the Code button for it, or [code] tags. The session isn't a great place to store random generated data. It's easy for one value to get overwritten with another before it has a chance to be used. Edited April 13, 2018 by requinix *c Quote Link to comment https://forums.phpfreaks.com/topic/307105-losing-session-variables-in-iframe/#findComment-1557787 Share on other sites More sharing options...
Krash Posted April 12, 2018 Author Share Posted April 12, 2018 Duh, I can't paste anything normally, that's why I asked. Quote doesn't work either (but smileys do ). Bearing in mind that it works fine in IE11, and that I've been using variations of this script for years within same domain, no session problems. No variables are being passed between iframe and parent, three files are used inside iframe, all at same domain. First file creates imagepng that's displayed by second file, and generates session variable that's passed to third file. Second file is keypad that generates half dozen or so variables that are passed to third file. For reasons unknown, FF is blocking the session data as third party cookies, which they're not. Test script I wrote is dirt simple, and replicates the problem exactly. I'd post it if I could copy/paste. (If I had some ham, I'd make ham & eggs, if I had some eggs.) Quote Link to comment https://forums.phpfreaks.com/topic/307105-losing-session-variables-in-iframe/#findComment-1557802 Share on other sites More sharing options...
requinix Posted April 13, 2018 Share Posted April 13, 2018 Bearing in mind that it works fine in IE11,You mean the browser that's historically done all sorts of weird and wrong things when it comes to implementing internet standards? The one that's always been behind on adopting best standards that all the other browsers use? For reasons unknown, FF is blocking the session data as third party cookies, which they're not.It doesn't necessarily matter what the cookie represents: if it's a third-party cookie then it gets blocked. Because Firefox was told to do so, mind you. I'd post it if I could copy/paste.I don't know how this site could be preventing you from using basic clipboard operations. I don't remember anyone else saying they've had problems. I still don't get how you have multiple "files" in one iframe. An iframe can only show one URL at a time. Maybe that example is the only way I'll be able to make sense of this. Quote Link to comment https://forums.phpfreaks.com/topic/307105-losing-session-variables-in-iframe/#findComment-1557807 Share on other sites More sharing options...
Krash Posted April 13, 2018 Author Share Posted April 13, 2018 Go to www.thekrashsite.com, click 'Register', scroll down to 'Verification', the keypad is what I'm working on. This is the standalone version, all files are in same domain. Been using it for years, works fine in most browsers (afaik it's never not worked for anyone who's registered on my forums or a few other forums I've installed it on). Keypad is running in iframe so it can refresh itself without reloading entire page. What I'm trying to do is install the keypad on client forums without giving them the core code. The registration template in client domain (call it domain2) loads the keypad from thekrashsite. Everything you see is contained in files that run in the iframe. When correct code is entered, keypad posts verification data back to domain2, registration source code completes or rejects registration. Until the final step, everything happens within the iframe, same session. IIRC, iframe and parent frame run different sessions (same as different tabs), but no data is being passed between frames, so that shouldn't be a problem. FF is seeing a third party, which I don't believe happened in earlier versions. Quote Link to comment https://forums.phpfreaks.com/topic/307105-losing-session-variables-in-iframe/#findComment-1557833 Share on other sites More sharing options...
Krash Posted April 13, 2018 Author Share Posted April 13, 2018 (edited) Ok, I can copy/paste with FF. Here's the test code - testif.php <?php session_start(); echo ' <iframe src="http://www.thekrashsite.com/smf20/test1.php" style="width: 400px; height: 200px; border: 3px red solid; border-radius: 10px; background: #ffffff; overflow: hidden;"></iframe>'; ?> test1.php <?php session_start(); $postCode = 'post'; $sessCode = 'session'; $_SESSION['sessCode'] = $sessCode; echo ' test1.php - source values<br /><br /> $_SESSION[\'sessCode\'] = '. $_SESSION['sessCode'] .' <br /> $_POST[\'postCode\'] = '. $postCode .' <br /><br /> <form action="http://www.thekrashsite.com/smf20/test2.php" method="post"> <input type="hidden" name="postCode" value="'. $postCode .'"> <input type="submit" value="Submit"> </form>'; ?> test2.php <?php session_start(); echo ' test2.php - target values<br /><br /> $_SESSION[\'sessCode\'] = '. $_SESSION['sessCode'] .' <br /> $_POST[\'postCode\'] = '. $_POST['postCode'] .' <br /><br />'; ?> You should be able to run testif.php from your server, it will load test1.php from the krashsite, displays initial values, click 'Submit', that goes to test2.php on thekrashsite. In IE, session and post values are displayed, in FF only post value arrives, session value is lost. Edited April 13, 2018 by Krash Quote Link to comment https://forums.phpfreaks.com/topic/307105-losing-session-variables-in-iframe/#findComment-1557834 Share on other sites More sharing options...
requinix Posted April 13, 2018 Share Posted April 13, 2018 Okay, then it's clearly Firefox blocking third-party cookies. There are two types of solutions to this and which one you uses depends on the circumstances. What's the nature of the page containing this iframe? What's the nature of the pages you're having in the iframe? Quote Link to comment https://forums.phpfreaks.com/topic/307105-losing-session-variables-in-iframe/#findComment-1557835 Share on other sites More sharing options...
gizmola Posted April 13, 2018 Share Posted April 13, 2018 Working with a script that consists of multiple files running in an iframe. If all files are local, and parent and iframe are in same domain, works fine. If iframe is loaded from different parent domain, works in IE11, but in FF58 all session variables are lost. Not trying to pass variables between parent and iframe, everything happens in iframe. Object is to install app on client sires, but keep core code on my server for security purposes and to facilitate upgrades. Just completely wrongheaded wonky approach. The robust solution is to provide an API, usually RESTful these days. Quote Link to comment https://forums.phpfreaks.com/topic/307105-losing-session-variables-in-iframe/#findComment-1557836 Share on other sites More sharing options...
Krash Posted April 14, 2018 Author Share Posted April 14, 2018 What's the nature of the page containing this iframe? What's the nature of the pages you're having in the iframe? If you look at the link, the parent frame is the registration template, the iframe contains the keypad verification code. Could I eliminate the iframe and place the keypad in the reg template? Had looked at that early on, it caused problems and works much better in iframe. Just completely wrongheaded wonky approach. The robust solution is to provide an API, usually RESTful these days. I'm sure you're right, but I have working code that I've been using for years, and am disinclined to rebuild the thing from scratch. It should work fine if I can get around the session glitch. Quote Link to comment https://forums.phpfreaks.com/topic/307105-losing-session-variables-in-iframe/#findComment-1557838 Share on other sites More sharing options...
requinix Posted April 14, 2018 Share Posted April 14, 2018 (edited) It's not a "glitch". It's security. You've basically just implemented CAPTCHA. If you don't want to have to rewrite stuff then switch to using reCAPTCHA. edit: Besides that, the API is the way to go. Host site pings the API for information, API returns what it needs to do for the CAPTCHA, user fills out form (including iframe), site checks with API to see if they filled out the right information and/or to get that information back. Edited April 14, 2018 by requinix Quote Link to comment https://forums.phpfreaks.com/topic/307105-losing-session-variables-in-iframe/#findComment-1557840 Share on other sites More sharing options...
Krash Posted April 14, 2018 Author Share Posted April 14, 2018 (edited) I've worked around most of it, just one question remains. How to I get $string out of this without using $_SESSION - <?php session_start(); ob_start(); function imgsecuregen($size = 6){ $width = 11*$size; $height = 17; $string = ""; for($i = 1; $i <= $size; $i++){ $string .= rand (0,9).""; } $im = ImageCreate($width, $height); $bg = imagecolorallocate($im, 102, 102, 102); $black = imagecolorallocate($im, 0, 255, 0); $grey = imagecolorallocate($im, 102, 102, 102); imagerectangle($im,0, 0, $width-1, $height-1, $grey); imagestring($im, 5, $size, 0, $string, $black); imagepng($im); header('Content-type: image/png'); imagepng($im); $_SESSION['ImgString'] = $string; imagedestroy($im); } imgsecuregen(; ?> Edited April 14, 2018 by Krash Quote Link to comment https://forums.phpfreaks.com/topic/307105-losing-session-variables-in-iframe/#findComment-1557842 Share on other sites More sharing options...
requinix Posted April 14, 2018 Share Posted April 14, 2018 Using psychic powers. Because cookies are the only other thing you can use with your current setup and they won't work. Quote Link to comment https://forums.phpfreaks.com/topic/307105-losing-session-variables-in-iframe/#findComment-1557843 Share on other sites More sharing options...
Krash Posted April 15, 2018 Author Share Posted April 15, 2018 Eh, I can live without this one. I have an alternate method that's simpler and looks the same. All the other session variables are converted to post, work fine. Thanks. Quote Link to comment https://forums.phpfreaks.com/topic/307105-losing-session-variables-in-iframe/#findComment-1557858 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.