iFrame - Hide url and session is not working

I have two domains on different servers. One page from the first server has an iframe pointing to a URL on the other server. I can't manage to get sessions working.

iFrame page code (main.php):

<!DOCTYPE html>
<html>
<head>
    <base target="_parent">
</head>
<body>
    <!-- the original tag was missing the closing '>' of the opening tag -->
    <iframe src="http://192.168.1.10/index.php"></iframe>
</body>
</html>

My iframe page index.php has a simple login system that starts a session. So, there is a button which loads the following code (process.php):

<?php
session_start();
// mark the session as logged in and record the time of the last activity
$_SESSION['valid'] = true;
$_SESSION['timeout'] = time();
header('Location: catalogue.php');
exit; // stop here, otherwise the script keeps running after the redirect
?>

On my catalogue.php and on every page, I have the following session code (check.php):

<?php
session_start();

// The Referer header is client-controlled and is often stripped, so this only
// catches direct navigation; it is not a security boundary.
if (!isset($_SERVER['HTTP_REFERER']) || $_SERVER['HTTP_REFERER'] == "") {
    unset($_SESSION['valid']);
    unset($_SESSION['timeout']);
    header('Location: index.php');
    exit; // without exit the rest of the page is still executed and sent
}

if (isset($_SESSION['valid'])) {
    $timeout = $_SESSION['timeout'];
    $time    = time();
    $t       = $time - $timeout;
    if ($t > 900) { // 15*60 = 900 seconds of inactivity logs the user out
        unset($_SESSION['valid']);
        unset($_SESSION['timeout']);
        header('Location: index.php');
        exit;
    } else {
        $_SESSION['timeout'] = time(); // refresh the inactivity timer
    }
} else {
    // no valid login in this session
    header('Location: index.php');
    exit;
}
?>

So I have the following:

           Button press                                On load it check session                 
             to log in                                 using check.php
index.php ==============> process.php ===============> catalogue.php

I am using the iframe in order to hide the real URL of my web app and to have a more user-friendly domain name.

My problems:

  • every time I press the button in index.php to log in, it redirects me to index.php and not to catalogue.php.
  • can I hide/mask the URL in the iframe from bots/spiders?
  • any suggestion/idea for a better setup is welcome.

** Update ** After some tests, I think the session is not starting (check.php). It is going to the else at the bottom. I have a public server and a local server.

The main.php doesn't have any session code. Only the pages in the iframe have it. The index.php doesn't have it. If the user presses to log in, it loads process.php (which starts the session) and redirects to catalogue.php. Catalogue.php and all pages of my app have code (check.php) for checking the session.

YvetteLee asked Nov 06 '22 04:11

1 Answer

I think your session is being blocked by SameSite by default cookies.

Treat cookies that don't specify a SameSite attribute as if they were SameSite=Lax. Sites must specify SameSite=None in order to enable third-party usage. – Mac, Windows, Linux, Chrome OS, Android

Try this to check my theory.

  1. Go to chrome://flags/ through your address bar
  2. Find SameSite by default cookies
  3. Disable the SameSite by default cookies flag
LIGHT answered Nov 14 '22 21:11
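The answer above identifies the cause: the framed site (http://192.168.1.10) is a different site from the top-level page, so a session cookie without a SameSite attribute is treated as Lax and is not sent (or stored) in the iframe, and check.php then sees an empty session. Disabling a Chrome flag only fixes one browser on one machine; the server-side fix is to issue the session cookie with SameSite=None, which browsers only accept together with Secure, i.e. over HTTPS. The following is an added example written for this page, not code from the question or the answer. It assumes PHP 7.3 or later (array form of session_set_cookie_params), the file name session_boot.php and the function name start_framed_session are my own choices, and it is meant to replace the bare session_start() at the top of process.php and check.php.

```php
<?php
// session_boot.php: added example for this page, not code from the question
// or the answer. Include it in place of session_start() in process.php and
// check.php. Requires PHP 7.3+ for the array form of session_set_cookie_params().
// The function name is an assumption of this example, not something the page uses.

function start_framed_session(): void
{
    // A cookie with SameSite=None is only accepted when it is also Secure, and
    // browsers discard Secure cookies sent by a plain-http response. So the
    // framed application must be served over HTTPS; otherwise every request
    // arrives without the cookie and check.php never sees $_SESSION['valid'].
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    if (!$https) {
        http_response_code(500);
        exit('Serve this application over HTTPS: the session cookie needs '
           . 'SameSite=None; Secure to survive inside a cross-site iframe.');
    }

    session_set_cookie_params([
        'lifetime' => 0,       // session cookie, removed when the browser closes
        'path'     => '/',
        'domain'   => '',      // current host only
        'secure'   => true,    // mandatory companion of SameSite=None
        'httponly' => true,    // keep the session id away from JavaScript
        'samesite' => 'None',  // send the cookie on cross-site (framed) requests
    ]);

    // Never accept a session id from the URL, only from the cookie.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    session_start();
}

start_framed_session();
```

In process.php, call session_regenerate_id(true) right after the include and before setting $_SESSION['valid'], so that a session id handed out before login is not kept after it. To confirm the fix, look at the Set-Cookie header of the framed page in the browser's network panel: it must read PHPSESSID=...; path=/; secure; HttpOnly; SameSite=None. If the header is missing "secure" or "SameSite=None", the cookie is still being blocked, whatever the chrome://flags setting is. Note that the iframe does not conceal the framed URL from bots: it is visible in the source of main.php, and crawlers fetch the framed document like any other link.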