-2

How can I call a function to test if a user is in an iframe from within a PHP function? I understand that the only way to test this is in Javascript, and it doesn't seem to work when I try passing it as a JS function in PHP using echo '<script type="text/javascript"> ... </script>';

I want to add this to the function which checks if the user is authorized because I need to direct them to different login pages depending upon whether or not they're in an iframe. This function is in a separate file (because it is called on almost every page on the site) so I don't think that I can do it in straight JS.

JS function I'm trying to call

var isInIFrame = (window.location != window.parent.location);

function test_iframe() {
    if (isInIFrame === "true") {
        window.location.href = "sign_in_iframe.html";
    }
    else {
        window.location.href = "sign_in.html";
    }
}

PHP function

function is_user_logged(){
    if ( session_id() == ''){
        session_start();
    }
    if(!isset($_SESSION['SESS_USER_ID']) ) {
        $logged = "false";
        header("location: sign_in.html");
        exit();
    } else {
        $logged = "true";
        return $logged;
    }
}
Chaya Cooper
  • 2
    I'm not sure what you're asking. You cannot figure out whether "you're in a frame" via PHP, because PHP has nothing to do with frames. Frames are a client-side thing and so only client-side technology can figure that out. – deceze Apr 18 '13 at 04:51
  • @deceze Is there another way to approach this so that I can redirect users to the appropriate page? – Chaya Cooper Apr 18 '13 at 04:53
  • 1
    I'd first like to question what an iframe has to do with authorization to begin with. – deceze Apr 18 '13 at 04:54
  • @deceze - If they're not signed in they need to be redirected to the sign_in page, and there are different ones depending upon whether or not they're in an iframe – Chaya Cooper Apr 18 '13 at 04:59

1 Answer

2

isInIFrame === "true" is your problem. === is a strict comparison, so true !== "true", as one is a boolean while the other is a string.

I'd just get rid of it or use if (isInIFrame):

function test_iframe() {
    if (window.location != window.parent.location) {
       window.location.href = "sign_in_iframe.html";
    } else {
       window.location.href = "sign_in.html";
    }
}

Also, take a look at this question for a more reliable approach to frame detection: How to identify if a webpage is being loaded inside an iframe or directly into the browser window?

Community
Blender
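Added example (not part of the original answer): a commonly used form of the frame check, comparing `window.self` with `window.top`, combined with the idea raised in the comments of letting each sign-in page redirect to the other variant when it is loaded in the wrong context. Only the two page names come from the question; the helper names and the mock windows are assumptions made for illustration.

```javascript
// Page names come from the question; everything else here is illustrative.
const FRAMED_PAGE = "sign_in_iframe.html";
const TOP_PAGE = "sign_in.html";

// True when `win` is not the top-level browsing context.
// Compares the window objects themselves rather than their Location objects.
function isFramed(win) {
  try {
    return win.self !== win.top;
  } catch (e) {
    // Defensive assumption: if the probe itself is blocked, treat as framed.
    return true;
  }
}

// Returns the sign-in page this context should be on, or null when the
// current page is already the right one (this prevents a redirect loop).
function signInRedirectTarget(win) {
  const wanted = isFramed(win) ? FRAMED_PAGE : TOP_PAGE;
  const current = win.location.pathname.split("/").pop();
  return current === wanted ? null : wanted;
}

// Call from a <script> on both sign-in pages: fixSignInPage(window);
function fixSignInPage(win) {
  const target = signInRedirectTarget(win);
  if (target !== null) win.location.href = target;
  return target;
}

// Constructed stand-ins for `window` so the logic also runs outside a browser.
// kind: "top" (not framed), "framed", or "blocked" (reading `top` throws).
function mockWindow(pathname, kind) {
  const win = { location: { pathname, href: pathname } };
  win.self = win;
  if (kind === "top") win.top = win;
  else if (kind === "framed") win.top = { location: {} };
  else Object.defineProperty(win, "top", {
    get() { throw new Error("SecurityError (constructed)"); },
  });
  return win;
}
```

The PHP `header()` redirect can keep pointing at a single sign-in page; the script on that page then moves the browser to the other variant when needed.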
  • Good catch. @Chaya You need to stop using booleans as strings. It's `true`, not `"true"`. Both in PHP and Javascript. – deceze Apr 18 '13 at 04:53
  • @Blender - Testing it now :-) – Chaya Cooper Apr 18 '13 at 04:57
  • I'm not having any luck using the function you posted with ''; Is there something else that I should do? – Chaya Cooper Apr 18 '13 at 05:03
  • @ChayaCooper: Do you call the function somehow? Why do you need to echo it out with PHP in the first place? – Blender Apr 18 '13 at 05:03
  • Duh :-( What would be the appropriate way to call the function within the PHP? – Chaya Cooper Apr 18 '13 at 05:06
  • @ChayaCooper: PHP runs on your server. JavaScript runs in the user's browser. You have to call it by running `test_iframe();` in the browser. – Blender Apr 18 '13 at 05:08
  • The reason I'm trying to call it from the PHP is because that's how I'm checking if they're logged in, and if not they need to be redirected. – Chaya Cooper Apr 18 '13 at 05:08
  • So there's no way to do this? – Chaya Cooper Apr 18 '13 at 05:09
  • @ChayaCooper: Not with PHP, no. Why is the ` – Blender Apr 18 '13 at 05:10
  • Because the login page needs to be slightly different if it's not in an iframe (different functions, etc.) – Chaya Cooper Apr 18 '13 at 05:11
  • I guess I can add a function to one of the sign in pages that would redirect them to the other page if they're not in an iframe – Chaya Cooper Apr 18 '13 at 05:12
  • @ChayaCooper: So why is it in an ` – Blender Apr 18 '13 at 05:12
  • @deceze but TRUE isn't "true" in PHP. Both `FALSE` and `TRUE` are **constants** in PHP. `defined('TRUE')` <- returns true – Yang Apr 18 '13 at 05:13
  • @ChayaCooper Since HTML5, frames are deprecated. You'd avoid them, as Blender mentioned – Yang Apr 18 '13 at 05:14
  • @metal_fan: `` are still in HTML5 and won't be leaving any time soon. Using them for displaying login screens, however, is a different matter. – Blender Apr 18 '13 at 05:15
  • @Blender http://programmers.stackexchange.com/questions/144515/why-were-frames-deprecated-in-html5-but-not-iframes – Yang Apr 18 '13 at 05:17
  • 2
    @ChayaCooper: The ` – Blender Apr 18 '13 at 05:18
  • @metal Yes...?! Don't tell me, that's what I'm trying to convey too. – deceze Apr 18 '13 at 05:18
  • I want the login page to be in an iframe :-) The issue is that depending upon which page they tried visiting, they may already be in an iframe. Also, users should be directed from an iframe in index.php, and the page needs to be refreshed once they've logged in, but if they tried typing in a page's full URL then they won't be in an iframe and they need to be redirected. – Chaya Cooper Apr 18 '13 at 05:19
  • Why, what's wrong with using iframes for login? I got the impression from all the login tutorials that I've seen that it was ok – Chaya Cooper Apr 18 '13 at 05:21
  • @ChayaCooper: Which tutorials are those? You're backing yourself into a corner with these ` – Blender Apr 18 '13 at 05:22
  • What approach would you suggest? Are dialogs/modals better? I was just using iframes because a few things weren't working with jQuery modals so I had to switch to fancybox. This project will be added into retailers' sites, and needs to have the general effect of an iframe or modal, but I can take whatever approach makes the most sense – Chaya Cooper Apr 18 '13 at 05:25
  • @ChayaCooper: Ohh, I see what you're trying to do. Take a look at how [Twitter](https://twitter.com/twitter) does it. Usually websites display simple and compact login boxes or dropdowns when you're not on the dedicated login page. You'd be much better off just doing that. – Blender Apr 18 '13 at 05:28
  • Any idea how I would do that? My sign in page is http://www.click2fit.com/sign_in.html - it works perfectly if the user is on index.php, but otherwise it isn't redirecting them – Chaya Cooper Apr 18 '13 at 05:32
  • @ChayaCooper: Your sign in page shouldn't be a modal dialog. Just make it a standalone page. In the header of your website, you can make a simple `
    ` that just submits to your `login.php` file and redirects the user back to the page that they came from.
    – Blender Apr 18 '13 at 05:35
  • Unfortunately I need to keep the retailer's web site visible in the background, so I'm assuming that means that I need to use some form of a modal or iframe. – Chaya Cooper Apr 18 '13 at 05:42
  • @ChayaCooper: What exactly are you making? – Blender Apr 18 '13 at 05:44
  • I'm developing a tool for retailers to recommend clothing matching a customer's profile, and it will be integrated into the retailer's site. I'm working on the prototype now, which is obviously standalone, but I need it to reflect what the user's experience would be like on a retailer's site – Chaya Cooper Apr 18 '13 at 05:47
  • @ChayaCooper: How is it integrated? – Blender Apr 18 '13 at 05:48
  • How much detail do you want ;-) – Chaya Cooper Apr 18 '13 at 05:49
  • @ChayaCooper: My point is that you have to rethink your design. Authentication via iframe won't work too well. Do some research: http://www.sitepen.com/blog/2008/07/30/protected-cross-domain-authentication-with-javascript/ – Blender Apr 18 '13 at 05:54
  • On the front-end, anything having to do with the user's profile is accessed with a link (that's where the iframes come in), and the recommendations, etc. are mostly integrated directly into the retailer's page. On the back-end it actually uses the retailer's inventory systems, etc. – Chaya Cooper Apr 18 '13 at 05:55
  • @ChayaCooper: You could do that with cross-domain AJAX requests. – Blender Apr 18 '13 at 05:55
  • @ChayaCooper: Research it or find someone else to write this for you. – Blender Apr 18 '13 at 05:57
  • I will :-) But just to understand the gist of what you're saying - is the issue the authentication within an iframe? Also is it specific to javascript (since almost all my pages are in iframes but they're in PHP)? – Chaya Cooper Apr 18 '13 at 06:01