I would like to allow the user to be "logged in" and maintain state / logged in status between pages within an iframe. The iframe content is ours, and will be hosted on various clients' websites.

Since the usual session cookie will most likely be blocked as a third-party cookie, I am trying to find a suitable way to do this.

I am considering always passing ?PHPSESSID=x in the query string for each relevant URL as a workaround.

Is this considered bad practice and are there any risks involved?

Marc
  • I would say if you really want to pass it via the URL, at least encrypt the value and decrypt it on the next page. – w3shivers Dec 01 '14 at 13:14
  • It's a good question, one that's been asked many times before. You might want to look into cross site scripting ... http://stackoverflow.com/a/14611577/864908 ... though other approaches are pretty cool also ... http://stackoverflow.com/questions/263010/whats-your-favorite-cross-domain-cookie-sharing-approach – designosis Dec 01 '14 at 13:15

0 Answers