11

I have a problem with setting cookies in an iframe (which loads a site from another domain).
On my site X.COM I load `<iframe src='Y.COM'>`

Y.COM tries to set cookies, but Safari blocks them, as this site was not visited before. So loading Y.COM fails because it can't work without cookies. Is there a way to solve this issue?

P.S. I can't modify any data at Y.COM.

P.P.S. Also we can modify Safari's settings - "Accept cookies" = "Always", but it is not a solution for me - it seems to be impossible to lead every user to do it.

Mehul Mistri
Andrey Yanko
  • I think the point of blocking it is that it shouldn't work. Creating a workaround would be violating the user's trust. – David Rönnqvist Oct 18 '12 at 08:59
  • So someone would go to your site and a page from your site would load a page on the other site AND it would transfer cookies to the site that the user never requested? I hope Safari and every other blocks this too. – James A Mohler Dec 04 '12 at 01:26
  • 1
    @JamesMohler, I don't believe he's saying X.COM *sends* cookies to Y.COM, just that Y.COM requires cookies to function, and when loaded in an iframe it is unable to set them. – Nathan Stretch Feb 17 '13 at 23:04
  • 2
    This answer may be of help: http://stackoverflow.com/a/6139648/160565 – Nathan Stretch Feb 17 '13 at 23:13

1 Answer

4

I experienced a similar problem. A web "parent" page opens my "child" website in a jQuery fancybox cross-domain iframe. No problem at all with Explorer, Chrome, Firefox, Opera and even with Safari (5.8.1) on Mac. But with iPhone, iPad and iPad mini, the session in the iframe is lost.

That means that at every click on an element in the iframe (the website is in aspx) a new session is started.

We solved the problem in a very simple way:

When the parent website starts, it calls a page in the child site directly (not in an iframe). In this page I just set a session variable and redirect to the parent website. Now when the child website is opened in an iframe, the session is kept.

Alberto
  • 2
    Works like a charm. I rendered a link in my iframed page, like ``. Then immediately click it with JS: `$('a')[0].click()`. Then the route on my server `/path/to/redirect_with_session` simply sets a session flag `session['_ready'] = true`, then redirects back to `params[:to]`. Then I can decide whether to perform this redirect flow only if it's Safari and the session hasn't already been initialized. – colllin Oct 18 '13 at 06:57
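
The bounce flow described in the answer and the comment above, as an added example that is not part of the original thread: the child site's first-party page sets the session flag and redirects back, but only to an allow-listed return URL, because redirecting to an unchecked `to` parameter makes the route an open redirect. The host list, the fallback URL and the function names are assumptions for illustration; `session` stands for whatever Hash-like session store the framework supplies.

```ruby
require 'uri'

# Assumption: hosts of the parent site that may receive the redirect back.
ALLOWED_RETURN_HOSTS = ['x.com', 'www.x.com'].freeze
FALLBACK_URL = 'https://x.com/' # constructed placeholder

# Return `to` only if it is an absolute https URL on an allowed host;
# anything else (other hosts, //host, userinfo tricks, CR/LF) gets the fallback.
def safe_return_url(to, allowed = ALLOWED_RETURN_HOSTS, fallback = FALLBACK_URL)
  return fallback unless to.is_a?(String) && !to.match?(/[\r\n\\]/)
  uri = URI.parse(to)
  return fallback unless uri.is_a?(URI::HTTPS) && uri.userinfo.nil?
  return fallback unless allowed.include?(uri.host.to_s.downcase)
  uri.to_s
rescue URI::InvalidURIError
  fallback
end

# Rack-style response for the bounce page, visited as a top-level
# navigation (not inside the iframe) so the session cookie is first-party.
def redirect_with_session(session, params)
  session['_ready'] = true # writing to the session makes the framework issue the cookie
  target = safe_return_url(params['to'])
  [302, { 'Location' => target, 'Cache-Control' => 'no-store' }, []]
end

# Inside the iframe: run the bounce only while the session is uninitialised.
def needs_bounce?(session)
  session['_ready'] != true
end
```
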