
This seems to have been a much-discussed topic lately. Unfortunately I haven't found anything satisfying.

I have two servers with different domains. Server A loads an application from Server B into an iframe. The application served by Server B needs session cookies to work. With the next Firefox version, Firefox doesn't allow third-party cookies by default. Which is probably a good thing, but in this case the cookies have nothing to do with collecting user data.

I've read a lot about P3P headers, HTTPS protocols, and JS Safari tricks for this problem, but nothing really usable for the coming Firefox version. I'm now thinking about a simple browser detection and an alert for Firefox users to switch third-party cookies on. Not the most beautiful way.

Does anyone know about a workaround for this? I can control / change things on both servers.

Deduplicator
Anatol
  • I'm looking for a solution to this as well. Have you found anything? – Benson Wong Jun 01 '13 at 20:31
  • Hi Benson Wong, in my scenario I did the following: Server A shares the user SID (people have to log in on Server A) via URL with Server B. On Server B I start the session together with session_id(SID_FROM_SERVER_A). For security reasons Server A generates a key which is usable for ~1 minute to isolate the ability of URL stealing. To make a long story short, I'm using cookieless sessions. There should be another way where you redirect the user to Server B, set the cookie and redirect back to Server A. In this case the cookie is not treated as a 3rd-party cookie. With kind regards, tbook – Anatol Jun 03 '13 at 06:47
  • Safari also blocks 3rd-party cookies; check http://stackoverflow.com/a/12070926/1337431 and adapt it into your website :) You'll just need a couple of redirects and a few lines of code, and you won't need to change anything in your code. – Diogo Raminhos Jul 03 '13 at 15:36
  • @tBook I wound up doing the same thing with a session token that is sent with the request. It sends it as either a GET parameter or part of the POST body. – Benson Wong Jul 03 '13 at 22:30
  • @tBook I wound up using cookieless sessions as well. – Benson Wong Sep 05 '13 at 18:47
  • Hi Benson, sorry I've been offline for some time. Do you still need help with cookieless sessions? – Anatol Sep 19 '13 at 10:59
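The handoff Anatol sketches in the comments (Server A passes the session id to Server B in the iframe URL, protected by a key that is only usable for about a minute) can be implemented as a signed, short-lived, single-use token. The code below is an added example, not code from this thread: it assumes Server A and Server B share an HMAC secret provisioned out of band, and uses an HMAC-SHA256 signature over the session id, an expiry and a random nonce as the "key". The names `mint_handoff_token`, `iframe_src`, `HandoffVerifier` and the `ht` query parameter are invented for the example.

```python
"""Short-lived, single-use session handoff between two origins (added example)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional
from urllib.parse import urlencode

# Assumption: Server A and Server B share this secret, provisioned out of band.
SHARED_SECRET = b"replace-me-with-32-random-bytes"
TOKEN_TTL_SECONDS = 60  # the "~1 minute" validity window from the thread


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_handoff_token(session_id: str, now: Optional[float] = None) -> str:
    """Server A: bind the user's session id to an expiry and a random nonce, then HMAC it.

    The token, not the raw SID, is what goes into the iframe URL.
    """
    now = time.time() if now is None else now
    payload = {
        "sid": session_id,
        "exp": int(now) + TOKEN_TTL_SECONDS,
        "nonce": secrets.token_urlsafe(16),
    }
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SHARED_SECRET, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64url(sig)}"


def iframe_src(server_b_base: str, token: str) -> str:
    """Server A: build the iframe src; the token rides in the query string."""
    return f"{server_b_base}?{urlencode({'ht': token})}"


class HandoffVerifier:
    """Server B: accept a token only if signature, expiry and single-use checks all pass."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._seen: Dict[str, int] = {}  # nonce -> exp, so replays of a leaked URL are refused

    def verify(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the session id to adopt, or None if the token must be rejected."""
        now = time.time() if now is None else now
        try:
            body, sig = token.split(".", 1)
            expected = hmac.new(self._secret, body.encode("ascii"), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _b64url_decode(sig)):
                return None  # forged or tampered
            payload = json.loads(_b64url_decode(body))
            sid, exp, nonce = payload["sid"], int(payload["exp"]), payload["nonce"]
        except (ValueError, KeyError, TypeError):
            return None  # malformed
        if exp <= now:
            return None  # older than the ~1 minute window
        # Forget nonces whose tokens can no longer validate anyway, then enforce single use.
        self._seen = {n: e for n, e in self._seen.items() if e > now}
        if nonce in self._seen:
            return None  # replay: the URL was reused
        self._seen[nonce] = exp
        return sid


if __name__ == "__main__":
    token = mint_handoff_token("a1b2c3")  # constructed sample session id
    print(iframe_src("https://server-b.example/app", token))
    verifier = HandoffVerifier(SHARED_SECRET)
    print(verifier.verify(token))  # first use: a1b2c3
    print(verifier.verify(token))  # second use: None
```

Server B should call `verify()` before adopting the session id and then set its own cookie; the token still ends up in access logs, browser history and Referer headers, so the single-use check matters as much as the expiry, and the iframe URL must be HTTPS. The nonce store here is in memory; with more than one Server B instance it needs to be shared (a database row or cache entry).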

1 Answer


If you are looking to do things right, you should be looking at a Central Authentication Service (CAS).

http://en.wikipedia.org/wiki/Central_Authentication_Service

We have been using an open source implementation of CAS on a wide scale (10,000+ users, 200+ servers) with a lot of success:

http://www.jasig.org/cas

A CAS solution (I'm certain there are other good ones) will provide you with an enterprise-level solution, allowing your users to log in once and be authenticated on all your applications.

Give it a try.

Patrice Gagnon