0

So I have an iframed page of my subdomain in my main domain, and this subdomain page requires the user to be logged in and have a membership to be accessed.

Basically I need that the session variables and cookie are passed to the subdomain in order for the iframe to load.

How can I achieve this in Nginx?

Rdang

1 Answer

1

Cookies have a domain attribute, which specifies which domains they will be sent to from the client. For example, in PHP's setcookie function the 5th argument accepts a $domain string to set in the cookie. By default it's left blank which means it will use the domain the request came from when the client receives it.

> The domain that the cookie is available to. Setting the domain to 'www.example.com' will make the cookie available in the www subdomain and higher subdomains. Cookies available to a lower domain, such as 'example.com' will be available to higher subdomains, such as 'www.example.com'. Older browsers still implementing the deprecated RFC 2109 may require a leading . to match all subdomains.

So if you set your cookie to your main domain the client UA won't have a problem making it available to your sub domain.

Now, iframes are a little trickier, however. For example, Internet Explorer can treat iframes differently due to its varying privacy policy rules and block all cookies from an iframe. See this question for more details. However, Nginx really shouldn't play anything more than a passive role in all of this.

Sherif
  • Well, I don't set a cookie to any specific domain in this case so it's just setting it for domain.com. According to what you said, shouldn't it automatically set it for the other subdomains as well then? sub1.domain.com, sub2.domain.com etc.? The issue is not related to IE and I don't believe any of my target users even use that joke of a browser to be honest. So basically I just need to make sure that the session cookie is passing to the iframed subdomain. I believe the iframe has no interference in this because if I visit the iframed page directly it doesn't have a valid session. – Rdang Oct 23 '15 at 00:59
  • I should probably refer the subdomain is on a different ip – Rdang Oct 23 '15 at 01:00
  • IPs won't matter here. What you probably want to do first is inspect the cookie in your browser using something like Chrome or FireFox developer tools and look to see what domain is actually being set by the client UA rather than just make assumptions. – Sherif Oct 23 '15 at 01:04
  • Also "*it doesn't have a valid session*" is dubious. It could be that the process handling the request for the sub domain didn't accept the cookie or it could be that one was not sent by the UA at all. So it doesn't narrow down the problem. – Sherif Oct 23 '15 at 01:05
  • The cookie is set to main domain. However, when I try to access the subdomain it sets a new cookie for it, so there are cookies for domain.com and sub.domain.com. Valid session as using a cookie and being able to detect variables like logged in status and membership, since although I'm logged in main domain the subdomain and iframe always fail to tell so. – Rdang Oct 23 '15 at 01:19
  • Right, as outlined in the answer if you don't explicitly set the `$domain` in the cookie, the browser will default to the domain the request was sent to (in this case that gives you one for each subdomain). See [`session_set_cookie_params`](http://php.net/session-set-cookie-params) for more details on how to set the session cookie domain. – Sherif Oct 23 '15 at 02:38
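
Added example (not part of the question, answer or comments): a simplified JavaScript model of RFC 6265 cookie storage and domain matching, showing why a session cookie set without a `Domain` attribute is host-only and produces one session per host, as described in the thread. Hostnames and session values are constructed; Path, Secure, expiry, IP-address hosts and public-suffix checks are left out.

```javascript
// Simplified model of how a browser stores and sends cookies (RFC 6265).
// RFC 6265 5.1.3: a host matches a domain if equal or a dot-separated suffix.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith('.' + domain);
}

// Store one Set-Cookie header received in a response from requestHost.
function storeCookie(jar, requestHost, setCookie) {
  const [pair, ...attrs] = setCookie.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   domain: requestHost.toLowerCase(), hostOnly: true };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    if (k.trim().toLowerCase() === 'domain' && v.trim() !== '') {
      const d = v.trim().replace(/^\./, '').toLowerCase(); // leading dot ignored
      if (!domainMatch(requestHost, d)) return false;      // unrelated domain: rejected
      cookie.domain = d;
      cookie.hostOnly = false; // now sent to the domain and all its subdomains
    }
  }
  const i = jar.findIndex(c => c.name === cookie.name && c.domain === cookie.domain);
  if (i >= 0) jar[i] = cookie; else jar.push(cookie);
  return true;
}

// Build the Cookie header the browser would send to host.
function cookieHeaderFor(jar, host) {
  const h = host.toLowerCase();
  return jar.filter(c => (c.hostOnly ? c.domain === h : domainMatch(h, c.domain)))
    .map(c => `${c.name}=${c.value}`)
    .join('; ');
}

// Case from the thread: no Domain attribute, so each host keeps its own session.
const hostOnlyJar = [];
storeCookie(hostOnlyJar, 'domain.com', 'PHPSESSID=main111; Path=/; HttpOnly');
storeCookie(hostOnlyJar, 'sub.domain.com', 'PHPSESSID=sub222; Path=/; HttpOnly');

// With Domain=domain.com the single session cookie reaches every subdomain.
const sharedJar = [];
storeCookie(sharedJar, 'domain.com', 'PHPSESSID=main111; Domain=domain.com; Path=/; HttpOnly');

console.log(cookieHeaderFor(hostOnlyJar, 'sub.domain.com')); // subdomain's own session
console.log(cookieHeaderFor(sharedJar, 'sub.domain.com'));   // main-domain session
```

A cookie scoped with `Domain=domain.com` is sent to every host under that domain, so each of those hosts receives the session ID and has to be trusted with it.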