rogerOlofsson

Session variables vanish when using iframes between different domains.

I have a web application that uses ASP and session variables running on a server A. Another company would now like to incorporate this application in their website by using an iframe. This is not working, though, since it appears that the session variables are lost when reloading the application (you walk through different steps). I've understood that this might have something to do with security settings in IE, but I haven't managed to find any suggestion on how to solve this (if it's possible, which I really hope).

Example A (not working):
<iframe name=a id=a src="http://www.host.com/application/" height="100" width="100" frameborder="" scrolling="auto" runat=server></iframe>

Example B (working):
<iframe name=a id=a src="http://localhost/application/" height="100" width="100" frameborder="" scrolling="auto" runat=server></iframe>

Sincerely yours,

Roger
Deepak Vasudevan

/application from localhost is treated as if it is a different server from that of www.host.com, even if host.com is the DNS Name of the same system.

rogerOlofsson

ASKER

And how should I solve the problem? It works when I run it on localhost, but not when running the iframe at www.hostA.com linking the iframe source to www.hostB.com.

Best regards,

Roger
Well, there are 2 issues here.  One is the site translation from www.site.com to simply site.com -- that is fixed by the features running on the webserver and the host provider.  That needs to be fixed first to where www.site.com == http://site.com.  Once you get that fixed you can go on to item #2 --

There is NO difference between an iframe and the main webpage, we run carts all the time in an iframe (in fact, it is the best way to run a shopping cart), and I cannot vouch for ASP, I use PHP exclusively, and it works like a charm in iframes.  So all you do is load the cart in the iframe, like so --

<a href="cart.php" target="iframe-name">add to cart</a>

and it works flawlessly.  As said, I cannot speak for ASP, but PHP works without a problem...
The session variable has an ID stamp for the machine, server and session it was created on. It is not transferable...

As it was created on Localhost, example B works, as it is also localhost who is hosting the remote source for the IFrame.

There is no quick solution as it would be yet another security hole if these session variables were transferable. The only solution open to you is to create the session variable on the remote source, to be used only by the remote source, or better still, work out a way to run the remote source without using the session var. Use a querystring instead...

Aplimedia
Hmm,

Thanks aplimedia, I think I'm starting to realize where the problem is. But I really don't understand why any session variables have to be transferred. On the webpage that the user comes into, there are some texts and a central iframe linked to our server. Shouldn't the iframe act as just a new web browser window (like if I open up a new window with the same URL)? In this case there is no interaction between the page outside the iframe and the content inside the iframe.

Roger
There are specific properties and security policies governing IFrames. You are right, in that the IFrame behaves just like another browser window. The point, however, is that the session variable created in one site cannot be acted upon by another site. If we could, this would cause a serious security problem.

Let me explain...

We create hundreds of web sites which are dynamic and all have exactly the same control panel. The user logs in and is taken to the main admin section 'CentrarControl.asp'. On successful login a session var is created (for example) Session("Logged") = True. On top of all the pages in the control panel, including the main admin, we could have...

If Not Session("Logged") then
Session.Abandon ' Kill everything
Response.redirect("UnAuthorised.html") 'get kicked out....
response.end()
End If

If session vars could behave as you suggest, then a user could log into their site and, having created the session var Session("Logged"), then point their browser to another site's control panel and deface it. However, even though the session var has been created, it can only be actioned from within the site root of the site which created it.

Your IFrame is outside of this site root... therefore it cannot see the session var.

I hope I am not confusing you even more...

Aplimedia
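
Added example, not part of any post in this thread and not code from the application discussed: a small JavaScript model of the behaviour described above, where the server-side session is found only through a session-ID cookie that the browser returns to the exact host that set it. The Browser and AppServer classes, walkSteps, and the blockThirdPartyCookies setting (a simplified stand-in for the browser security setting the asker mentions) are hypothetical names for this sketch.

```javascript
// Constructed model of a classic ASP-style session: the server hands out an
// ID in a host-only cookie and keeps the variables server-side under that ID.
class Browser {
  constructor({ blockThirdPartyCookies }) {
    this.blockThirdParty = blockThirdPartyCookies; // assumed privacy setting
    this.jar = new Map();                          // host -> session ID cookie
  }
  // topHost: host in the address bar; frameHost: host the request goes to.
  request(server, topHost, frameHost) {
    const thirdParty = topHost !== frameHost;
    const usable = !(thirdParty && this.blockThirdParty);
    // A host-only cookie is returned only to the exact host that set it.
    const sent = usable ? this.jar.get(frameHost) : undefined;
    const { sessionId, setCookie } = server.handle(sent);
    if (setCookie && usable) this.jar.set(frameHost, sessionId);
    return sessionId;
  }
}

class AppServer {
  constructor() { this.sessions = new Map(); this.next = 1; }
  handle(cookieId) {
    if (cookieId && this.sessions.has(cookieId)) {
      return { sessionId: cookieId, setCookie: false }; // session resumed
    }
    const id = 'S' + this.next++;                        // new, empty session
    this.sessions.set(id, {});
    return { sessionId: id, setCookie: true };
  }
}

// Walk through `steps` page loads of the application and return the IDs seen.
function walkSteps(browser, server, topHost, frameHost, steps) {
  const ids = [];
  for (let i = 0; i < steps; i++) ids.push(browser.request(server, topHost, frameHost));
  return ids;
}

function demo() {
  const strict = new Browser({ blockThirdPartyCookies: true });
  return {
    // Example B: page and iframe both on localhost, so one session throughout.
    sameHost: walkSteps(strict, new AppServer(), 'localhost', 'localhost', 3),
    // Example A: iframe host differs from the embedding page, new session each step.
    crossHost: walkSteps(strict, new AppServer(), 'www.hostA.com', 'www.hostB.com', 3),
    // Host-only scoping: a cookie set for www.site.com is not sent to site.com.
    wwwThenBare: (() => {
      const b = new Browser({ blockThirdPartyCookies: false }), s = new AppServer();
      return [b.request(s, 'www.site.com', 'www.site.com'), b.request(s, 'site.com', 'site.com')];
    })(),
  };
}
console.log(demo());
```

A fresh session ID on every step means every Session("...") value written on the previous step is gone, which matches the symptom in the question.
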
ASKER CERTIFIED SOLUTION
aplimedia