I am creating a conversational chatbot using Django. To maintain the flow of the chat in the chatbot, I am using Django sessions. But when I use the link of the chatbot in an iframe, it doesn't store any of the session and the flow breaks down. I want a function that will help to maintain the sessions even in the iframe.
Code for the iframe
<html>
<head></head>
<body>
<embed style=" width: 384px; height: 525px; margin-right: 0px !important; bottom: 0px; float: right; position: absolute; bottom: 30px; width: 100%;" frameborder="0" scrolling="no" id="iframe" src="http://*********.com/********/*******.html">
</body>
</html>
Code for maintaining sessions
    @staticmethod
    def extract_data(request, input_data):
        from chat import validations

        # Ask for each missing field in turn; the session records which
        # answers have already been collected.
        if 'city' not in request.session:
            response_data = {'extra': {}, 'data': {}}
            response_data['extra']['statement'] = 'Select Car Model which you like to rent?'
            response_data['extra']['type'] = 'carmodel'
            response_data['data'] = Cars.city_check(request, response_data, input_data)
        elif 'veh_name' not in request.session:
            response_data = Cars.veh_name_check(request, input_data)
        elif 'days' not in request.session:
            response_data = validations.days_check(request, input_data)
        elif 'phone' not in request.session:
            response_data = validations.phone_check(request, input_data)
        elif 'email' not in request.session:
            response_data = validations.mail_check(request, input_data)
        elif 'name' not in request.session:
            response_data = validations.name_check(request, input_data, 'Car')
        return response_data
To allow cookies from an iframe, you have to set your cookie using the SameSite=None and Secure options.
Set-Cookie: session=your_session; SameSite=None; Secure
Source: https://medium.com/trabe/cookies-and-iframes-f7cca58b3b9e
To do this with Django, you'll have to update the following settings:
SESSION_COOKIE_SAMESITE
SESSION_COOKIE_SECURE
SESSION_COOKIE_SAMESITE = 'None' # As a string
SESSION_COOKIE_SECURE = True
Unfortunately, the 'None' value for SESSION_COOKIE_SAMESITE is only available since Django 3.1 and there is no plan to backport it in 3.0 and 2.2.
Also note that your website has to be served over HTTPS.
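For Django versions before 3.1, where the setting does not accept 'None', one workaround is to rewrite the session cookie after the session middleware has set it. The following is an added example, not part of the original answer or of Django's own code; the helper and middleware names are hypothetical, and the default cookie name sessionid is assumed.

```python
from http.cookies import SimpleCookie
from types import SimpleNamespace

SESSION_COOKIE_NAME = "sessionid"  # Django's default name; assumed unchanged


def mark_cross_site(cookies, name=SESSION_COOKIE_NAME):
    """Force SameSite=None; Secure on one cookie of a SimpleCookie jar.

    Returns True if the cookie was on the response and was rewritten.
    """
    morsel = cookies.get(name)
    if morsel is None:
        return False  # this response does not set the session cookie
    morsel["samesite"] = "None"  # browsers accept None only together with Secure
    morsel["secure"] = True
    return True


class SameSiteNoneSessionMiddleware:
    """Hypothetical middleware; list it above SessionMiddleware in MIDDLEWARE
    so it sees the response after the session cookie has been set."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        response = self.get_response(request)
        mark_cross_site(response.cookies)  # HttpResponse.cookies is a SimpleCookie
        return response


def demo_header():
    """Run the middleware over a constructed response; return its Set-Cookie value."""
    jar = SimpleCookie()
    jar["sessionid"] = "constructed-session-key"
    jar["sessionid"]["path"] = "/"
    jar["sessionid"]["httponly"] = True
    jar["sessionid"]["samesite"] = "Lax"  # Django 2.1-3.0 default for the session cookie
    middleware = SameSiteNoneSessionMiddleware(lambda request: SimpleNamespace(cookies=jar))
    return middleware(None).cookies["sessionid"].OutputString()


if __name__ == "__main__":
    print(demo_header())
```

With SameSite=None the session cookie is sent on every cross-site request, so keep Django's CSRF protection enabled for the chat endpoints.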
This has little to do with Django. Browsers are currently paranoid about giving frames/embeds access to cookies, even when they are the source of the cookie. In addition, many users block third-party cookies (which usually includes frame cookies), or all cookies. You could embed a session id in the frame source, as this answer suggests, with the session id generated (either completely random or from cookie) by Django template or client-side JavaScript on the page that contains the frame, which might have access to the cookie.
You may also want to look into dropping the embed/frame entirely in favor of a Django include block, which inserts the chat content window into the containing page as a div or similar, therefore giving greater access to cookies or other session variables. In this case I'd separate the JavaScript from the HTML and put the JS script tag in the head.
As a last-ditch shot, you could replace the dependency on cookies with a combination of the client's public IP and user-agent, and maybe the containing page's URI (in the case of a template).
Edit: With regard to security (after a comment by @EthanKeller):
Browsers try to protect frames from main content and vice versa. It all depends on whether either contains any sensitive info. If so, then I suggest separating them by putting the frame in its own window/tab, potentially via popup call. In the case of a chatbot, however, I doubt there is anything all that sensitive. Dealer's choice.