Problem setting PHP SESSION variables within cross-domain iframe
https://stackoverflow.com/questions/805136
-
03-07-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
Coles Notes version:
index.php?map_id=foo is loaded into iframe on www.not-my-domain.com. index sets SESSION['map_id'] = foo. Flash file tries to get SESSION['map_id'] thru Authenticate.php, but Authenticate.php has no values set for any SESSION varaibles.
-- Only first-load, cross domain issue.
Verbose:
I have an index while where I set: SESSION['map_id'] = foo
The index file then loads a flash file. When initialized, the flash accesses an 'Authenticate.php' file which echo's out the SESSION['map_id'] and is loaded into flash via LoadVars. Flash then displays the appropriate data.
This step cannot be done another way
This all works just fine on our main site. The issue comes when we try to port out to other sites by providing iframe embed codes:
<iframe src="http://www.mydomain.com/?map_id=foo&code=bar" ... ></iframe>
On a fresh load of the embed code from another site (www.anotherdomain.com), it seems that the SESSION variables have been destroyed, as flash simply says they are empty. ( $map_id outputs a blank )
The index file will still properly echo $map_id as 'foo', it just seems the 'Authenticate.php' file cannot access the SESSION varaibles.
I have ensured session_start() is present in all appropriate files.
Solution
PHP session ids are passed through cookies by default, but you can't transfer cookies across domains. Try passing the session id through the url instead.
Here is the appropriate page in the php documentation.
There are a few ways you can get php to pass the session id in the url if it's not being done automatically.
You can manually pass the session id in the url (must come before other get variables):
<iframe src="http://www.mydomain.com/?&map_id=foo&code=bar">
You can disable cookies, forcing every request to have the session id automatically added to the url:
ini_set("session.use_cookies","0");
You can edit the url_rewriter.tags setting, which tells PHP which html tags to rewrite with the session id. Here, iframe=src has been added to the default set:
ini_set("url_rewriter.tags", "a=href,area=href,frame=src,iframe=src,input=src,form=fakeentry");
