
Problem setting PHP SESSION variables within cross-domain iframe

Coles Notes version:

index.php?map_id=foo is loaded into iframe on www.not-my-domain.com. index sets SESSION['map_id'] = foo. Flash file tries to get SESSION['map_id'] thru Authenticate.php, but Authenticate.php has no values set for any SESSION variables.

-- Only first-load, cross domain issue.

Verbose:

I have an index file where I set: SESSION['map_id'] = foo

The index file then loads a flash file. When initialized, the flash accesses an 'Authenticate.php' file which echoes out the SESSION['map_id'] and is loaded into flash via LoadVars. Flash then displays the appropriate data. This step cannot be done another way.

This all works just fine on our main site. The issue comes when we try to port out to other sites by providing iframe embed codes:

<iframe src="http://www.mydomain.com/?map_id=foo&code=bar" ... ></iframe>

On a fresh load of the embed code from another site (www.anotherdomain.com), it seems that the SESSION variables have been destroyed, as flash simply says they are empty. ($map_id outputs a blank.)

The index file will still properly echo $map_id as 'foo', it just seems the 'Authenticate.php' file cannot access the SESSION variables.

I have ensured session_start() is present in all appropriate files.

sean.hudson asked Apr 30 '09 02:04




1 Answer

PHP session ids are passed through cookies by default, but you can't transfer cookies across domains. Try passing the session id through the url instead.

Here is the appropriate page in the php documentation.

There are a few ways you can get php to pass the session id in the url if it's not being done automatically.

  1. You can manually pass the session id in the url (must come before other get variables):

    <iframe src="http://www.mydomain.com/?<?php echo htmlspecialchars(SID); ?>&map_id=foo&code=bar"></iframe>

  2. You can disable cookies, forcing every request to have the session id automatically added to the url:

    ini_set("session.use_cookies","0");

  3. You can edit the url_rewriter.tags setting, which tells PHP which html tags to rewrite with the session id. Here, iframe=src has been added to the default set:

    ini_set("url_rewriter.tags", "a=href,area=href,frame=src,iframe=src,input=src,form=fakeentry");

vamin answered Oct 27 '22 22:10
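
The flow from the question (the index page stores map_id, Flash then fetches it from Authenticate.php) with the session id carried in the URL as the answer suggests, written as an added example that is not code from the question or the answer. The file name demo.php, map.swf, the authUrl flashvar and the map_id pattern are assumptions, and session.use_only_cookies and session.use_strict_mode are PHP settings the answer does not mention.

```php
<?php
// demo.php: added example, not code from the question or the answer.
// Both roles live in one file so the listing runs on its own, e.g. with
// `php -S localhost:8000` and a request for /demo.php?map_id=foo.

function start_url_session(): void
{
    // ini_set() calls only take effect before session_start().
    ini_set('session.use_cookies', '0');      // option 2 from the answer: no session cookie
    ini_set('session.use_only_cookies', '0'); // accept a session id that arrives in the URL
    ini_set('session.use_strict_mode', '1');  // replace ids this server never issued (fixation)
    session_start();
}

start_url_session();

if (isset($_GET['map_id'])) {
    // Role of index.php: validate the parameter, store it, hand the id to Flash.
    $mapId = $_GET['map_id'];
    if (!is_string($mapId) || !preg_match('/^[A-Za-z0-9_-]{1,32}$/', $mapId)) {
        http_response_code(400);
        exit('invalid map_id');
    }
    $_SESSION['map_id'] = $mapId;

    // The session id is the first query parameter, as the answer describes.
    $authUrl = 'demo.php?' . session_name() . '=' . rawurlencode(session_id());

    header('Referrer-Policy: no-referrer'); // keep the id out of Referer headers
    // map.swf and the authUrl flashvar are hypothetical names.
    printf(
        '<embed src="map.swf" flashvars="authUrl=%s">',
        htmlspecialchars(rawurlencode($authUrl), ENT_QUOTES)
    );
    exit;
}

// Role of Authenticate.php: LoadVars expects url-encoded name=value pairs.
header('Content-Type: text/plain');
header('Cache-Control: no-store');
echo 'map_id=' . rawurlencode($_SESSION['map_id'] ?? '');
```

Because the id travels in the URL it is recorded in access logs and browser history; strict mode and the Referrer-Policy header narrow that exposure but do not remove it.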