Facebook Iframe App with multiple pages in Safari Session Variables not persisting

Question

I have a facebook Iframe application with multiple PHP pages in it.

I have some links that point relatively to the files inside my "iframe folder".

Having some issues with session variables inside the iframe. I set some session variables but they do not persist from one page to another.

This does work on other browsers.

I've been reading that Safari does not support Cross-Domain cookies and this might be the problem , but im not sure how to fix this.

Any help?

Answer 1

I believe this solution has become obsolete with the latest (6.0 and later) versions of Safari.

Safari by default does not allow cookies to be set from third parties. This affects Facebook iframe applications because the user is accessing a page served from apps.facebook.com but the iframe is being served from yourdomain.com, the "third party" in this case.

There are several several solutions mentioned around the web. The best I've found and one recommended by Facebook in its list of miscellaneous issues is to fake a POST request to yourdomain.com using JQuery. This solution detailed by Anant Garg works in general for different host/iframe domains and needs to be adapted for Facebook apps. The key parts are:

$("body").append('
 <iframe id="sessionframe" name="sessionframe" onload="submitSessionForm()" src="http://www.yourdomain.com/blank.php" style="display:none;"></iframe>
 <form id="sessionform" enctype="application/x-www-form-urlencoded" 
   action="http://www.yourdomain.com/startsession.php"
   target="sessionframe" method="post"></form>');
var firstTimeSession = 0;
function submitSessionForm() {
  if (firstTimeSession == 0) {
    firstTimeSession = 1;
    $("#sessionform").submit();
  }
}

Another solution by Will Henderson is to instrument each link on your page with session information using a Javascript function. Then modify your server code to capture this session information by reading it from GET parameters.

Answer 2

I wrote the blog post Dominic refers to in his answer.

The problem is that the default behavior of Safari is to only accept cookies from sites that you visit. This excludes "third party" cookies. Safari treats the page inside an IFRAME as a third-party site, and until you interact with that content (by clicking a link, for example), it will refuse those cookies.

Your PHP code needs to set a cookie on the first page that uses the session in order for that session to persist from one page to another, but if the session variables are in the very first page in the IFRAME, you have a chicken-and-egg problem.

My solution is to retain all of the special Facebook parameters through to the second page loaded into the IFRAME. Because you've interacted with it, cookies set on the second page will persist, and this allows your PHP code to keep whatever state it needs to communicate back to Facebook.

This won't likely help your PHP session, though, so I suggest adding another parameter to links on the first page that allows the second page to look the session up, or otherwise recreate it.

Answer 3

I think the best solution is to manually keep track of the session ID i.e. by using session_id($_GET['session]); Just make sure you do this before calling session_start(); and everything works.