Session variables vanish when using iframes between different domains.

Posted on 2006-06-01
Last Modified: 2011-10-03
I have a web application that uses ASP and session variables running on a server A. Another company would now like to incorporate this application in their website by using an iframe. This is not working, though, since it appears that the session variables are lost when reloading the application (you walk through different steps). I've understood that this might have something to do with security settings in IE, but I haven't managed to find any suggestion on how to solve this (if it's possible, which I really hope).

Example A (not working):
<iframe name=a id=a src="" height="100" width="100" frameborder="" scrolling="auto" runat=server></iframe>

Example B (working):
<iframe name=a id=a src="http://localhost/application/" height="100" width="100" frameborder="" scrolling="auto" runat=server></iframe>

Sincerely yours,

Question by: rogerOlofsson
    LVL 15

    Expert Comment

    /application from localhost is treated as if it is a different server from that of, even if is the DNS Name of the same system.


    Author Comment

    And how should I solve the problem? It works when I run it on localhost, but not when running the iframe at linking the iframe source to

    Best regards,

    LVL 44

    Expert Comment

    Well, there are 2 issues here.  One is the site translation from to simply -- that is fixed by the features running on the webserver and the host provider.  That needs to be fixed first to where = =  Once you get that fixed you can go on to item #2 --

    There is NO difference between an iframe and the main webpage, we run carts all the time in an iframe (in fact, it is the best way to run a shopping cart), and I cannot vouch for ASP, I use PHP exclusively, and it works like a charm in iframes.  So all you do is load the cart in the iframe, like so --

    <a href="cart.php" target="iframe-name"> add to cart </a>

    and it works flawlessly.  As said, I cannot speak for ASP, but PHP works without a problem...
    LVL 10

    Expert Comment

    The session variable has an ID stamp for the machine, server and session it was created on. It is not transferable...

    As it was created on Localhost, example B works, as it is also localhost who is hosting the remote source for the IFrame.

    There is no quick solution as it would be yet another security hole if these session variables were transferable. The only solution open to you is to create the session variable on the remote source, to be used only by the remote source, or better still work out a way to run the remote source without using the session var. Use a querystring instead...


    Author Comment


    Thanks aplimedia, I think I start to realize where the problem is. But I really don't understand why any session variables have to be transferred. On the webpage that the user comes into, there is some text and a central iframe linked to our server. Shouldn't the iframe act as just a new web browser window (like if I open up a new window with the same url)? In this case there is no interaction between the page outside the iframe and the content inside the iframe.

    LVL 10

    Expert Comment

    There are specific properties security policies governing IFrames. You are right, in that the Iframe behaves just like another browser window. The point, however, is that the session variable created in one site cannot be acted upon by another site. If we could, this would cause a serious security problem.

    Let me explain...

    We create hundreds of web sites which are dynamic and all have exactly the same control panel. The user logs in and is taken to the main admin section 'CentrarControl.asp'. On successful login a session var is created (for example) Session("Logged") = True. On top of all the pages in the control panel, including the main admin we could have...

    If Not Session("Logged") then
    Session.Abandon ' Kill everything
    Response.redirect("UnAuthorised.html") 'get kicked out....
    End If

    If session vars could behave as you suggest, then a user could log into their site and, having created the session var Session("Logged"), then point their browser to another site's control panel and deface it. However, even though the session var has been created it can only be actioned from within the site root of the site which created it.

    Your Iframe is outside of this site root... therefore it cannot see the session var.

    I hope I am not confusing you even more...

    LVL 10

    Accepted Solution

    What you could do is pass the Iframe the value of the session Variable in a Querystring... like this.

    <iframe width="100%" height="100%" src="YourTargetPage.asp?<%=Session("MyVariable")%>">
    <body CLASS="Page_bg">

    On 'YourTargetPage.asp' simply reconstruct the session variable within the other site... like this.

    Session("MyVariable") = Request.QueryString

    hope this helps.
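
Added example, not part of the thread: with the query-string handoff in the accepted solution, whoever can edit the iframe URL chooses the value that ends up in the session, so the target page needs a way to tell that the value came from the embedding site. The sketch below does the same handoff with an HMAC-signed, expiring token; it is written in Python rather than ASP, and the shared secret, token layout and function names are assumptions.

```python
import base64
import hashlib
import hmac
import time

# Assumption: a secret shared out of band by the embedding site and the
# application server. Constructed sample value, not a real key.
SHARED_SECRET = b"constructed-demo-secret-not-for-production"
MAX_AGE_SECONDS = 120  # assumption: handoff tokens are short-lived


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(value, secret=SHARED_SECRET, now=None):
    """Embedding site: build the string placed after '?' in the iframe src."""
    issued = int(time.time() if now is None else now)
    payload = f"{issued}.{b64url(value.encode('utf-8'))}"
    mac = hmac.new(secret, payload.encode("ascii"), hashlib.sha256).digest()
    return f"{payload}.{b64url(mac)}"


def verify_token(token, secret=SHARED_SECRET, now=None, max_age=MAX_AGE_SECONDS):
    """Target page: return the value if the token is authentic and fresh, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    issued_s, value_b64, mac_b64 = parts
    try:
        payload = f"{issued_s}.{value_b64}".encode("ascii")
        expected = hmac.new(secret, payload, hashlib.sha256).digest()
        supplied = unb64url(mac_b64)
        issued = int(issued_s)
        value = unb64url(value_b64).decode("utf-8")
    except (ValueError, UnicodeError):
        return None  # malformed token: treat exactly like a bad signature
    if not hmac.compare_digest(expected, supplied):
        return None  # value or timestamp was altered, or wrong secret
    current = time.time() if now is None else now
    if not 0 <= current - issued <= max_age:
        return None  # expired, or stamped in the future
    return value
```

A token replayed inside the freshness window still verifies, so the value it carries should not by itself grant a privilege such as the Session("Logged") flag discussed earlier in the thread.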

