Solved

Losing session variable when using iframe

Posted on 2006-06-07
Last Modified: 2013-12-24
Hello Experts,

I have the following issue:

I have a login page which adds the user's username as a value in “session.mm_username”.

When I run my website in an <iframe>, I keep losing the “session.mm_username” session.  However, when I run the same page outside of the session (directly on the browser’s address bar), everything works fine and I don’t lose my session.

I checked my code everywhere and I don’t know what is causing this.  Any ideas?

By the way, I’m using IE 6.0.

Thanks!

Anthony
Question by:aescribens
16 Comments
 
LVL 18

Expert Comment

by:Plucka
ID: 16857670
aescribens,

You need to do two things to keep the session variable.

1. Make sure it's on the same domain
2. Pass to the iframe the CFID & CFTOKEN

Regards
Plucka
0
 
LVL 12

Expert Comment

by:mmc98dl1
ID: 16857778
IE 6 has a security thing where if the cookie was set in the parent frame it won't get passed into the iframe. As Plucka says, make sure they are on the same domain (including subdomain) and this should help solve the problem.

What does your app.cfm say on your <cfapplication line?
0
 
LVL 1

Author Comment

by:aescribens
ID: 16858124
Plucka,

My coldfusion site is actually getting called from another website on a different domain using <iframe>.  What I've done and seems to resolve this issue is the following:

I'm sending the username value along with the URL (page.cfm?user=<cfoutput>#session.mm_username#</cfoutput>) or FORM (using a hidden field) and resetting the "session.mm_username" on page load.

This seems to be working fine but can you suggest a better way to resolve this?

Regards,

Anthony
0
 
LVL 7

Expert Comment

by:ExpertAdmin
ID: 16862083
Are the domains hosted on different machines? If so, there isn't much you can do other than pass it. That isn't very desirable from a security standpoint though.

You may be able to change the way you are processing the remote page by using a CFHTTP tag to import the contents of the page into your page. This would eliminate the need for an IFRAME and would put the call to the page (and the passed parameter) completely server-side, thus reducing your security risk. I have done this before and it works very well.

M@
0
 
LVL 1

Author Comment

by:aescribens
ID: 16862979
Yes, there are two different machines with two different domains as follows:

Machine 1 / Domain 1- Non-Coldfusion Server calling web content from Machine 2 / Domain 2.
Machine 2 / Domain 2- Coldfusion Server hosting content.

So the CFHTTP tag would have to be used on Machine 1, which I don't think will work since Machine 1 doesn't have coldfusion installed.  Is this what you were referring to?

Thanks,

Anthony
0
 
LVL 7

Accepted Solution

by:
ExpertAdmin earned 750 total points
ID: 16863093
Yes, it is. In that case your only choice (that I can see) is to pass the value in the URL or in a hidden input.

M@
0
 
LVL 18

Assisted Solution

by:Plucka
Plucka earned 750 total points
ID: 16866097
Using url's or hidden form fields is the only way.

Without CF on both servers there is not a lot else you can do.
0
 
LVL 12

Expert Comment

by:mmc98dl1
ID: 16866578
You could look at serialising the data with wddx, and passing it that way, but you would need to be using something on the other end that will parse the wddx packet. Check out cfwddx in the docs.
0
 
LVL 1

Author Comment

by:aescribens
ID: 16884985
mmc98dl1,

Thanks for the suggestion, I've looked into it and it's not really what I need to accomplish with this; I will however use it for another part of my development.  Using the form and url submissions seems to be working fine so I'll stick with it for now.

-----------------------------------------------------------------------------------------------

Thank you all for your input, but I'm afraid I've resolved my own issue on this one.

Regards,

Anthony
0
 
LVL 1

Author Comment

by:aescribens
ID: 17051560
Hello,

Sorry, I didn't mean to abandon this question.  I found the solution to my own question on "06/07/2006 06:58PM PDT".  So I'm not awarding any points for this question.  Please let me know if anyone disagrees.

Regards,

Anthony
0
 
LVL 7

Expert Comment

by:ExpertAdmin
ID: 17051985
No objections here. But it would be nice if you can post your final solution so that when someone searches for the answer to the same problem they will see how it was fixed.

Thanks,

M@
0
 
LVL 1

Author Comment

by:aescribens
ID: 17052010
My final solution is as follows:

I'm sending the username value along with the URL (page.cfm?user=<cfoutput>#session.mm_username#</cfoutput>) or FORM (using a hidden field) and resetting the "session.mm_username" variable on page load.

I have been using this for the past month now and it seems to be working fine.

Regards,

Anthony
0
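
Added example, not code from the thread: the solution above resets session.mm_username from a raw user= value, which the browser user can change, so one way to keep the same URL or hidden-field hand-off is to send a signed, short-lived token that the framed page verifies before setting the session. It is written in Python to stay stack-neutral because only one of the two servers runs ColdFusion; SHARED_KEY, MAX_AGE and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Assumption: a secret provisioned out of band on both servers (constructed value).
SHARED_KEY = b"constructed-demo-key-replace-me"
MAX_AGE = 60  # seconds a token is accepted after it was issued


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username: str, now: Optional[float] = None) -> str:
    """Parent site (Machine 1): value to put in page.cfm?user=... or the hidden field."""
    issued = int(time.time() if now is None else now)
    payload = f"{username}|{issued}".encode()
    mac = hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(mac)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Framed site (Machine 2): return the username, or None if the token is rejected."""
    now = time.time() if now is None else now
    try:
        payload_b64, mac_b64 = token.split(".")
        payload, mac = _unb64(payload_b64), _unb64(mac_b64)
        expected = hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):  # constant-time comparison
            return None
        username, issued = payload.decode().rsplit("|", 1)
        age = now - int(issued)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token, including a bare username
    if age < 0 or age > MAX_AGE:
        return None  # stale or post-dated token
    return username
```

The framed page would set the session variable only when verify_token returns a name. A token can still be replayed until it expires, so keep MAX_AGE short and serve both pages over HTTPS.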
 
LVL 7

Expert Comment

by:ExpertAdmin
ID: 17052170
How is that different than what I suggested?

"Yes, it is. In that case your only choice (that I can see) is to pass the value in the URL or in a hidden input."

In this case I would think that a points award would be appropriate. I will let the moderator make that decision.

M@
0
 
LVL 1

Author Comment

by:aescribens
ID: 17054718
M@,

Your suggestion came after my comment, you answered with the same solution that I had already found and suggested (see above).  But I'll also let the moderator make the decision on awarding the points or not.

Regards,

Anthony
0
 
LVL 7

Expert Comment

by:ExpertAdmin
ID: 17055243
Oh...OK. I see that. No problem. Moderator - Please refund the points to aescribens.

M@
0
 
LVL 1

Author Comment

by:aescribens
ID: 17063088
M@,

I haven't heard back from the moderator and I'm not going to be picky about this.  Thanks for your time in answering my question, I'm splitting the points between you and plucka based on the responses received.

Regards,

Anthony
0
