
Facebook iFrame canvas app PHP sessions issue

I've been working on a problem for the last day and a half now and have still yet to find a solution.

When visiting my game on Facebook (which is in Facebook's iFrame), PHP sessions don't work. This is for IE and Safari. Chrome works fine.

I've already read all the posts on stack about this problem, which seems to be down to third party cookie security and needing interaction with the iFrame first. There was a workaround by making javascript post some form data to the iFrame first, but this seems to have been 'fixed' in the latest versions of the browsers very recently as this no longer works.

I even tried implementing a start page that would require them to click a link first (in the iFrame) to load another page which would then create the session. But even THAT doesn't work.

I'm also having trouble even loading new pages in the iFrame using javascript, which seems to always cause infinite loop refreshes.

And no, P3P headers do NOT solve it.

Does anyone have a solution to this problem? I can't be the only one with it, considering how many Facebook apps exist!

Dom Chapman asked Apr 11 '12 11:04


2 Answers

I came across this problem using a client that had "Accept third party cookies" disabled. My solution was to force PHP to embed the session ID into the URI by putting this line at the start of each page:

ini_set('session.use_trans_sid', true);

As the URLs are in an iframe within Facebook, the SID is not seen in the top window.

Kenton W answered Nov 01 '22 11:11
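
An added example, not part of Kenton W's answer: a page bootstrap that carries the session ID in the URL as the answer describes, together with the settings a URL-borne ID needs around it. `with_sid()` and the User-Agent binding are hypothetical illustrations, and HTTPS is assumed.

```php
<?php
// Added example. Include at the top of every page, before any output.

// Carry the session ID in the URL instead of a cookie.
ini_set('session.use_cookies', '0');       // do not send a cookie the browser would drop
ini_set('session.use_only_cookies', '0');  // let PHP read the ID from the query string
ini_set('session.use_trans_sid', '1');     // rewrite relative links and forms to carry the ID

// Refuse session IDs that PHP did not issue itself, so an ID planted in a
// link does not become a valid session.
ini_set('session.use_strict_mode', '1');

// The ID now sits in every URL: keep it out of Referer headers sent to
// other hosts and out of shared caches.
header('Referrer-Policy: no-referrer');
session_cache_limiter('nocache');

session_start();

// Tie the session to the client that created it. The User-Agent hash is an
// illustrative binding only; it is not a strong one.
$fingerprint = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
if (!isset($_SESSION['fp'])) {
    $_SESSION['fp'] = $fingerprint;
} elseif (!hash_equals($_SESSION['fp'], $fingerprint)) {
    session_unset();
    session_destroy();
    http_response_code(403);
    exit;
}

// URL rewriting does not touch Location headers or URLs built in JavaScript,
// so redirects need the ID appended by hand. with_sid() is a hypothetical
// helper and assumes the URL has no #fragment.
function with_sid(string $url): string
{
    $sep = (strpos($url, '?') === false) ? '?' : '&';
    return $url . $sep . rawurlencode(session_name()) . '=' . rawurlencode(session_id());
}

// After a successful login, retire the pre-login ID before redirecting:
// session_regenerate_id(true);
// header('Location: ' . with_sid('/game.php'));
```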


For IE, you will need the P3P Headers set. Something like:

<?php header('P3P: CP="CAO PSA OUR"'); ?>

Safari blocks 3rd-party cookies by default. Currently, the only work-around that is working for me is to "pop-up" a new window to set the cookies. I have something like this:

<script type="text/javascript">
    function safariFix(){
        if (navigator.userAgent.indexOf('Safari') != -1 && navigator.userAgent.indexOf('Chrome') == -1){
            window.open('https://yourdomainname.com/safari.php', 'Safari Fix','width=100,height=100');
        }
    }
</script>

And safari.php will have this:

<?php 
setcookie("safari_test", "1");
?>
<!DOCTYPE html>
<html lang="en">
    <head>
        <title>Safari Fix</title>
        <script src="//ajax.googleapis.com/ajax/libs/jquery/1.6.2/jquery.min.js"></script>
        <script type="text/javascript">
        // Close the pop-up as soon as the page has loaded and the cookie is set.
        $(document).ready(function(){
            window.close();
        });
        </script>
    </head>
    <body>
        Since Safari does not accept third-party cookies by default, we are forced to open this window.
        This window will automatically close once we have set the cookies.
    </body>
</html>

PROBLEM: This won't work if users have "block pop-ups" enabled in Safari. If anyone has a better solution for this, inform me ;)

wenbert answered Nov 01 '22 11:11