Losing session variables in iframe


Krash

Working with a script that consists of multiple files running in an iframe.  If all files are local, and parent and iframe are in same domain, works fine.  If iframe is loaded from different parent domain, works in IE11, but in FF58 all session variables are lost.  Not trying to pass variables between parent and iframe, everything happens in iframe.  Object is to install app on client sites, but keep core code on my server for security purposes and to facilitate upgrades.

 

Link to comment
Share on other sites

I've put together a simple test case that replicates the problem, but am unable to paste code into this post editor.  Basically, domain 1 loads test1.php into iframe from domain 2.  test1.php sets session variable and also posts second variable to test2.php.  In IE11, both variables are displayed by test2, but in FF only post variable arrives, session variable is lost.

Link to comment
Share on other sites

<sigh> Well, now I know what's causing it.  FF is losing session variables because third party cookies are blocked.  They're also blocked in IE, but it doesn't affect session variables.  So the question becomes, is there any way around this?

Link to comment
Share on other sites

What's preventing you from posting it?

 

What it sounds like you're describing shouldn't be possible (you can't set cookies across domains) so I'm sure I'm misunderstanding something.

If you're trying to send data across sites then posting it, which works, would be the way to do it. Why do you need to use a session?

Link to comment
Share on other sites

Would be difficult to convert everything from session to post.  The immediate problem is an imagepng script that generates a random 8 digit string, having no luck extracting the string or posting it.

 

Is there any way to paste text into this editor?  The paste button doesn't work.

Link to comment
Share on other sites

Just paste. You know. Normally. Ctrl+V. Right-click menu. Make sure you're using the Code button for it, or [code] tags.

 

The session isn't a great place to store random generated data. It's easy for one value to get overwritten with another before it has a chance to be used.

Link to comment
Share on other sites

Duh, I can't paste anything normally, that's why I asked.   Quote doesn't work either (but smileys do :tease-03:). 

 

Bearing in mind that it works fine in IE11, and that I've been using variations of this script for years within same domain, no session problems.  No variables are being passed between iframe and parent, three files are used inside iframe, all at same domain.  First file creates imagepng that's displayed by second file, and generates session variable that's passed to third file.  Second file is keypad that generates half dozen or so variables that are passed to third file.  For reasons unknown, FF is blocking the session data as third party cookies, which they're not.  Test script I wrote is dirt simple, and replicates the problem exactly.  I'd post it if I could copy/paste.  (If I had some ham, I'd make ham & eggs, if I had some eggs.)

Link to comment
Share on other sites

Bearing in mind that it works fine in IE11,

You mean the browser that's historically done all sorts of weird and wrong things when it comes to implementing internet standards? The one that's always been behind on adopting best standards that all the other browsers use?

 

For reasons unknown, FF is blocking the session data as third party cookies, which they're not.

It doesn't necessarily matter what the cookie represents: if it's a third-party cookie then it gets blocked. Because Firefox was told to do so, mind you.

 

I'd post it if I could copy/paste.

I don't know how this site could be preventing you from using basic clipboard operations. I don't remember anyone else saying they've had problems.

 

 

I still don't get how you have multiple "files" in one iframe. An iframe can only show one URL at a time. Maybe that example is the only way I'll be able to make sense of this.

Link to comment
Share on other sites

Go to www.thekrashsite.com, click 'Register', scroll down to 'Verification', the keypad is what I'm working on.  This is the standalone version, all files are in same domain.  Been using it for years, works fine in most browsers (afaik it's never not worked for anyone who's registered on my forums or a few other forums I've installed it on).  Keypad is running in iframe so it can refresh itself without reloading entire page.  What I'm trying to do is install the keypad on client forums without giving them the core code.  The registration template in client domain (call it domain2) loads the keypad from thekrashsite.  Everything you see is contained in files that run in the iframe.  When correct code is entered, keypad posts verification data back to domain2, registration source code completes or rejects registration.  Until the final step, everything happens within the iframe, same session.  IIRC, iframe and parent frame run different sessions (same as different tabs), but no data is being passed between frames, so that shouldn't be a problem.  FF is seeing a third party, which I don't believe happened in earlier versions. 

Link to comment
Share on other sites

Ok, I can copy/paste with FF.  Here's the test code -

 

testif.php

<?php

session_start();

echo '
<iframe src="http://www.thekrashsite.com/smf20/test1.php" style="width: 400px; height: 200px; border: 3px red solid; border-radius: 10px; background: #ffffff; overflow: hidden;"></iframe>';

?>

test1.php

<?php

session_start();

$postCode = 'post';
$sessCode = 'session';
$_SESSION['sessCode'] = $sessCode;

echo '
test1.php - source values<br /><br />
$_SESSION[\'sessCode\'] = '. $_SESSION['sessCode'] .'
<br />
$_POST[\'postCode\'] = '. $postCode .'
<br /><br />
<form action="http://www.thekrashsite.com/smf20/test2.php" method="post">
<input type="hidden" name="postCode" value="'. $postCode .'">
<input type="submit" value="Submit">
</form>';

?>

test2.php

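<?php

session_start();

// Escape the posted value before echoing it back; it is user-supplied input.
$postCode = isset($_POST['postCode']) ? htmlspecialchars($_POST['postCode'], ENT_QUOTES, 'UTF-8') : '';

echo '
test2.php - target values<br /><br />
$_SESSION[\'sessCode\'] = '. $_SESSION['sessCode'] .'
<br />
$_POST[\'postCode\'] = '. $postCode .'
<br /><br />';

?>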

You should be able to run testif.php from your server, it will load test1.php from the krashsite, displays initial values, click 'Submit', that goes to test2.php on thekrashsite.  In IE, session and post values are displayed, in FF only post value arrives, session value is lost.

Link to comment
Share on other sites

Okay, then it's clearly Firefox blocking third-party cookies. There are two types of solutions to this and which one you use depends on the circumstances.

 

What's the nature of the page containing this iframe? What's the nature of the pages you're having in the iframe?

Link to comment
Share on other sites

Working with a script that consists of multiple files running in an iframe.  If all files are local, and parent and iframe are in same domain, works fine.  If iframe is loaded from different parent domain, works in IE11, but in FF58 all session variables are lost.  Not trying to pass variables between parent and iframe, everything happens in iframe.  Object is to install app on client sites, but keep core code on my server for security purposes and to facilitate upgrades.

Just completely wrongheaded wonky approach. The robust solution is to provide an API, usually RESTful these days.

Link to comment
Share on other sites

What's the nature of the page containing this iframe? What's the nature of the pages you're having in the iframe?

 

If you look at the link, the parent frame is the registration template, the iframe contains the keypad verification code.  Could I eliminate the iframe and place the keypad in the reg template?  Had looked at that early on, it caused problems and works much better in iframe.

 

Just completely wrongheaded wonky approach. The robust solution is to provide an API, usually RESTful these days.

 

I'm sure you're right, but I have working code that I've been using for years, and am disinclined to rebuild the thing from scratch.  It should work fine if I can get around the session glitch.

Link to comment
Share on other sites

It's not a "glitch". It's security.

 

You've basically just implemented CAPTCHA. If you don't want to have to rewrite stuff then switch to using reCAPTCHA.

 

edit: Besides that, the API is the way to go. Host site pings the API for information, API returns what it needs to do for the CAPTCHA, user fills out form (including iframe), site checks with API to see if they filled out the right information and/or to get that information back.

Link to comment
Share on other sites

I've worked around most of it, just one question remains.  How do I get $string out of this without using $_SESSION -

<?php
session_start();
ob_start();

// Draw a random numeric code into a small PNG and store the code in the session.
function imgsecuregen($size = 6){
    $width = 11 * $size;
    $height = 17;

    $string = "";
    for ($i = 1; $i <= $size; $i++) {
        $string .= rand(0, 9);   // note: rand() is not a cryptographically secure generator
    }

    $im = imagecreate($width, $height);
    $bg = imagecolorallocate($im, 102, 102, 102);
    $black = imagecolorallocate($im, 0, 255, 0);
    $grey = imagecolorallocate($im, 102, 102, 102);
    imagerectangle($im, 0, 0, $width - 1, $height - 1, $grey);
    imagestring($im, 5, $size, 0, $string, $black);

    // Send the header before any image bytes, and output the image only once.
    header('Content-type: image/png');
    imagepng($im);

    $_SESSION['ImgString'] = $string;

    imagedestroy($im);
}

imgsecuregen(8);   // 8 digits, as described earlier in the thread

?>
Link to comment
Share on other sites
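
One way to get the code string from the image script to the verifying script without `$_SESSION`, in the spirit of the API flow suggested above. This is an added example, not code from the thread or from any poster; `CAPTCHA_SECRET`, `CAPTCHA_TTL` and the three function names are hypothetical. Instead of storing the digits, the server derives them from a signed token that travels in the image URL and in a hidden form field, so nothing depends on a cookie the browser may block.

```php
<?php
// Added example: a stateless CAPTCHA token, so nothing depends on a session cookie.
// CAPTCHA_SECRET, CAPTCHA_TTL and the three function names are hypothetical.
const CAPTCHA_SECRET = 'REPLACE-WITH-LONG-RANDOM-SERVER-SIDE-SECRET'; // placeholder
const CAPTCHA_TTL = 300; // seconds a token stays valid (assumed value)

// Token format: "<expiry>.<nonce>.<mac>". It carries no digits of the code.
function captcha_new_token(?int $now = null): string
{
    $body = (($now ?? time()) + CAPTCHA_TTL) . '.' . bin2hex(random_bytes(16));
    return $body . '.' . hash_hmac('sha256', 'token|' . $body, CAPTCHA_SECRET);
}

// Recompute the digits for a token; null if the token is malformed, forged or expired.
function captcha_code(string $token, int $digits = 8, ?int $now = null): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 3 || !ctype_digit($parts[0])) {
        return null;
    }
    $body = $parts[0] . '.' . $parts[1];
    $mac = hash_hmac('sha256', 'token|' . $body, CAPTCHA_SECRET);
    if (!hash_equals($mac, $parts[2]) || (int) $parts[0] < ($now ?? time())) {
        return null;
    }
    // Keyed derivation: only the holder of CAPTCHA_SECRET can map token to digits.
    $raw = hash_hmac('sha256', 'code|' . $body, CAPTCHA_SECRET, true);
    $code = '';
    for ($i = 0; $i < $digits; $i++) {
        $code .= ord($raw[$i]) % 10; // slight modulo bias toward digits 0-5
    }
    return $code;
}

// Constant-time check of the submitted answer against the token's digits.
function captcha_verify(string $token, string $answer, ?int $now = null): bool
{
    $code = captcha_code($token, 8, $now);
    return $code !== null && hash_equals($code, $answer);
}

// Flow: the form page embeds the token in the image URL and a hidden field,
// the image script draws captcha_code($token), the target script verifies.
$token = captcha_new_token();
$shown = captcha_code($token);                           // what the PNG would display
var_dump(captcha_verify($token, $shown));                // correct answer
var_dump(captcha_verify($token, 'not-the-code'));        // wrong answer
var_dump(captcha_verify($token . '0', $shown));          // tampered MAC
var_dump(captcha_verify(captcha_new_token(0), $shown));  // token issued at epoch 0, expired
```

A token and its answer can be replayed until the token expires; making it single-use requires recording used nonces on the server.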

Archived

This topic is now archived and is closed to further replies.
