Access cookies from remote iframe Options

[joyful]

Hello,

So let's say I have a website called a.com and a.com provides a service in an iframe. Then, I take the iframe (which points to a.com) and I put onto another website called b.com—which is on a different server. Can I access the cookies that are set on a.com from the iframe on b.com? I have tried this and had no luck. Is there a way to do this? I am using PHP; I don't mind if I use $_COOKIE or $_SESSION, however is there a way to get the cookies inside the a.com iframe on b.com using either of those methods?

Sorry if that is confusing.

Thanks in advance!
--

[Christian J]

So let's say I have a website called a.com and a.com provides a service in an iframe.

Is the framed page hosted by the a.com domain as well?

Then, I take the iframe (which points to a.com) and I put onto another website called b.com—which is on a different server.

Not sure I understood. What are you moving, the framed page or the IFRAME element?

I guess a framed page should be able to handle cookies regardless of who's framing it, but a parent page (with the IFRAME element) must be on the same domain as the framed page in order to share cookies.

[joyful]

So let's say I have a website called a.com and a.com provides a service in an iframe.

Is the framed page hosted by the a.com domain as well?

Yes, the framed page is hosted on a.com.

Then, I take the iframe (which points to a.com) and I put onto another website called b.com—which is on a different server.

Not sure I understood. What are you moving, the framed page or the IFRAME element?

I am moving the iframe element.

Basically, I allow users to login on a.com (which sets a cookie). Then, when a user visits b.com, I want the user to still be longed in inside an a.com iframe (embedded in b.com).

[Christian J]

That's not possible with cookies. A cookie is always limited to its own domain for security reasons.

[joyful]

That's not possible with cookies. A cookie is always limited to its own domain for security reasons.

Sorry if this is a dump question, but, in php, what is the difference between $_SESSION and $_COOKIE in terms of how it is stored. Are they both cookies? Would both of them not work for what I am trying to do?

Also, if these methods do not work, how to sites like FaceBook access your login in details in there plugin's iframes (like box, comment box, etc.)?

Thanks a lot for your help!

This post has been edited by joyful: Jan 12 2013, 06:27 PM

[Christian J]

in php, what is the difference between $_SESSION and $_COOKIE in terms of how it is stored. Are they both cookies? Would both of them not work for what I am trying to do?

A session can be stored either as a cookie or as a URL querystring.

how to sites like FaceBook access your login in details in there plugin's iframes (like box, comment box, etc.)?

My guess is that the framed page is hosted by FB, and all the user interaction (likes and commenting) is done within this framed page (and not on the various parent pages across the web that frame the FB page).

[Christian J]

Maybe OpenId could be useful, but I don't know how it works: http://en.wikipedia.org/wiki/Openid

[pandy]

That's not possible with cookies. A cookie is always limited to its own domain for security reasons.

But it is the same domain. He logs in at a.com and then goes to b.com where a page from a.com is showed in an iframe.

[joyful]

That's not possible with cookies. A cookie is always limited to its own domain for security reasons.

But it is the same domain. He logs in at a.com and then goes to b.com where a page from a.com is showed in an iframe.

Yes, that is correct Pandy. Can I access the cookies from the iframe because, technically, it is the same domain?

[Christian J]

That's not possible with cookies. A cookie is always limited to its own domain for security reasons.

But it is the same domain. He logs in at a.com and then goes to b.com where a page from a.com is showed in an iframe.

The page in the iframe is no problem. But the parent page b.com doesn't have access to the cookie from a.com.

[joyful]

That's not possible with cookies. A cookie is always limited to its own domain for security reasons.

But it is the same domain. He logs in at a.com and then goes to b.com where a page from a.com is showed in an iframe.

The page in the iframe is no problem. But the parent page b.com doesn't have access to the cookie from a.com.

So far, I have encountered issues doing this. (trying to access cookies set on a.com inside a.com iframe on b.com) However I will try it again.

[pandy]

From WHERE have you tried to read the cookie? a.com or b.com?

[Christian J]

(trying to access cookies set on a.com inside a.com iframe on b.com)

I think your terminology may cause misunderstandings. An IFRAME is an HTML element, and in the quote above it's part of the parent (framing) page b.com. The IFRAME element of b.com may in turn load a framed page from a.com.

[joyful]

(trying to access cookies set on a.com inside a.com iframe on b.com)

I think your terminology may cause misunderstandings. An IFRAME is an HTML element, and in the quote above it's part of the parent (framing) page b.com. The IFRAME element of b.com may in turn load a framed page from a.com.

Yes, sorry for the confusion.

Basically, I have an app hosted on a.com. This app allows you to login on a.com (the main site), or inside the app. This app can go anywhere on the web. I want anyone with a website to be able to use it (via an iFrame). I also want them to be able to access their profiles on it. So, I want the framed page (inside the iframe) to access the cookies from its same domain.

I believe this should be possible—as it is the same domain (just one of the pages is framed)—however I have had trouble doing this. For some reason I find that the iframe gets the cookies of the 3rd party site (the site that is using the app), not the domain that it is on (the framed page). I don't understand why this is.

[Christian J]

For some reason I find that the iframe gets the cookies of the 3rd party site (the site that is using the app), not the domain that it is on (the framed page). I don't understand why this is.

That sounds strange. If you're correct it's a security hole in the browser.

Can you show us some sample code illustrating this (preferably a minimal test script)?

[joyful]

For some reason I find that the iframe gets the cookies of the 3rd party site (the site that is using the app), not the domain that it is on (the framed page). I don't understand why this is.

That sounds strange. If you're correct it's a security hole in the browser.

Can you show us some sample code illustrating this (preferably a minimal test script)?

Hey Christian and Pandy,

Sorry that I dropped this topic for awhile, I have been really busy over the past few weeks.

I believe the issue I am encountering is not due to the cookies in the iframe, but, instead, it is due to the fact that the framed webpage is on a different domain than the main website.

The reason I have the framed content on a different domain, is that I want the framed webpage to be ssl (https). I have a website, lets say mysite.com, which is not https. However, my host offers a free ssl connection to my root directory. So, I can access the content of mysite.com via https by go going to something like: https://myusername.myhost.com/mysite/

So basically, I have http://mywebsite.com (not https) where users can login, edit things, etc. Then, anywhere that my plugin is on the web, users view my framed webpage which is at: https://myusername.myhost.com/mysite/

Obviously, both of these domains are on the same server. Is there some way I can allow cookies set on the main http domain, to be accessed via the https host subdomain, and vice versa?

Thanks a lot!
--Joyful

[pandy]

No.

[joyful]

Ok, so there is no way to do this? I must buy ssl for my main domain? The problem is that my host only allows their ssl, and it is way over priced.

If I am going to have content on other people's websites, do you think it is important to use ssl? I have heard that if an iframe does not have an ssl connection, users may be prompted that there is "an unsecured connection" or something of that nature; is this true?

Thanks!
--Joyful

This post has been edited by joyful: Feb 12 2013, 11:28 PM

[pandy]

I don't know because I'm totally lost about what document is on what domain. I meant no, you can't change the restrictions about cookies.

[joyful]

I don't know because I'm totally lost about what document is on what domain. I meant no, you can't change the restrictions about cookies.

Ok, sorry for the confusion.

So, basically, I have a main company website, lets call it http://company.com, which can not be accessed via https.

Then, on other websites across the web, my web app which is offered by my company, is framed in an iframe. The framed webpage is located at https://companyusername.myhost.com/company. The framed page is located at this domain in order to get ssl (which I don't have on the main domain company.com).

On both of the above domains (on both the company website and on the framed app in the iframe any where on the web) I would like users to be able to login, or, if they are already logged in, I want them to remain logged in on both domains. I want both places (domains) to have access to the user (their cookie).

I hope that makes a little more sense. Do you think I should just move everything to http://company.com? Is it important to have https for framed content on 3rd party websites?

Thanks!

This post has been edited by joyful: Feb 13 2013, 02:47 AM