• Status: Solved
  • Priority: Medium
  • Security: Public

Session variables vanish when using iframes between different domains.

I have a web application that uses ASP and session variables running on server A. Another company would now like to incorporate this application in their website by using an iframe. This is not working, though, since it appears that the session variables are lost when reloading the application (you walk through different steps). I've understood that this might have something to do with security settings in IE, but I haven't managed to find any suggestion on how to solve this (if it's possible, which I really hope).

Example A (not working):
<iframe name=a id=a src="http://www.host.com/application/" height="100" width="100" frameborder="" scrolling="auto" runat=server></iframe>

Example B (working):
<iframe name=a id=a src="http://localhost/application/" height="100" width="100" frameborder="" scrolling="auto" runat=server></iframe>

Sincerely yours,

1 Solution
/application from localhost is treated as if it is a different server from that of www.host.com, even if host.com is the DNS Name of the same system.

rogerOlofsson (Author) commented:
And how should I solve the problem? It works when I run it on localhost, but not when running the iframe at www.hostA.com linking the iframe source to www.hostB.com.

Best regards,

Well, there are 2 issues here.  One is the site translation from www.site.com to simply site.com -- that is fixed by the features running on the webserver and the host provider.  That needs to be fixed first to where www.site.com == http://site.com.  Once you get that fixed you can go on to item #2 --

There is NO difference between an iframe and the main webpage, we run carts all the time in an iframe (in fact, it is the best way to run a shopping cart), and I cannot vouch for ASP, I use PHP exclusively, and it works like a charm in iframes.  So all you do is load the cart in the iframe, like so --

<a href="cart.php" target="iframe-name"> add to cart </a>

and it works flawlessly.  As said, I cannot speak for ASP, but PHP works without a problem...

The session variable has an ID stamp for the machine, server and session it was created on. It is not transferable...

As it was created on Localhost, example B works, as it is also localhost who is hosting the remote source for the IFrame.

There is no quick solution as it would be yet another security hole if these session variables were transferable. The only solution open to you is to create the session variable on the remote source, to be used only by the remote source, or better still work out a way to run the remote source without using the session var. Use a querystring instead...

rogerOlofsson (Author) commented:

Thanks aplimedia, I think I start to realize where the problem is. But I really don't understand why any session variables have to be transferred. On the webpage that the user comes into, there are some texts and a central iframe linked to our server. Shouldn't the iframe act as just a new web browser window (like if I open up a new window with the same URL)? In this case there is no interaction between the page outside the iframe and the content inside the iframe.

There are specific properties and security policies governing IFrames. You are right, in that the iframe behaves just like another browser window. The point, however, is that the session variable created in one site cannot be acted upon by another site. If we could, this would cause a serious security problem.

Let me explain...

We create hundreds of web sites which are dynamic and all have exactly the same control panel. The user logs in and is taken to the main admin section 'CentrarControl.asp'. On successful login a session var is created (for example) Session("Logged") = True. On top of all the pages in the control panel, including the main admin we could have...

If Not Session("Logged") then
Session.Abandon ' Kill everything
Response.redirect("UnAuthorised.html") 'get kicked out....
End If

If session vars could behave as you suggest, then a user could log into their site and, having created the session var Session("Logged"), then point their browser to another site's control panel and deface it. However, even though the session var has been created it can only be actioned from within the site root of the site which created it.

Your iframe is outside of this site root... therefore it cannot see the session var.

I hope I am not confusing you even more...

What you could do is pass the Iframe the value of the session Variable in a Querystring... like this.

<iframe width="100%" height="100%" src="YourTargetPage.asp?<%=Session("MyVariable")%>"></iframe>
<body CLASS="Page_bg">

On 'YourTargetPage.asp' simply reconstruct the session variable within the other site... like this.

Session("MyVariable") = Request.QueryString

hope this helps.
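
An added example, not part of the original thread: the query-string handoff in the last answer rebuilds the session variable from whatever the URL carries, so a value like the thread's own Session("Logged") could be set by anyone who types the URL. The sketch below signs the value with a key shared by the two sites and rejects forged or stale tokens; it is written in Python rather than ASP to stay self-contained, and SHARED_KEY, MAX_AGE_SECONDS and the function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed sample key; both sites would hold the same secret out of band.
SHARED_KEY = b"constructed-demo-key-replace-me"
MAX_AGE_SECONDS = 60  # assumed lifetime of a handoff token


def _sign(payload: str) -> str:
    """HMAC-SHA256 over the payload, URL-safe base64 without padding."""
    mac = hmac.new(SHARED_KEY, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def make_handoff(value: str, now: Optional[float] = None) -> str:
    """Embedding site: build the token placed after '?' in the iframe src."""
    issued = int(time.time() if now is None else now)
    body = base64.urlsafe_b64encode(value.encode()).decode().rstrip("=")
    payload = f"{issued}.{body}"
    return f"{payload}.{_sign(payload)}"


def read_handoff(token: str, now: Optional[float] = None) -> Optional[str]:
    """Iframe site: return the value only if it is authentic and fresh."""
    parts = token.split(".")
    if len(parts) != 3:
        return None  # a bare value such as "True" lands here
    issued_s, body, sig = parts
    expected = _sign(f"{issued_s}.{body}")
    # Constant-time comparison; bytes avoid errors on non-ASCII input.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    age = (time.time() if now is None else now) - int(issued_s)
    if age < 0 or age > MAX_AGE_SECONDS:
        return None  # issued in the future or past its lifetime
    try:
        padded = body + "=" * (-len(body) % 4)
        return base64.urlsafe_b64decode(padded).decode()
    except (ValueError, UnicodeDecodeError):
        return None
```

The token still travels in a URL, so it shows up in server logs and Referer headers; the short lifetime limits replay, and a single-use nonce would be needed to rule it out.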

