Session from iframe to ajax

Question

How come when I create a session from an iframe within a domain and then try access the session from another iframe it works fine but when I try access the session through ajax it does not work?

Example:

Website (iframe.php):

<?php 
header("Access-Control-Allow-Origin: *");
session_start();
if(isset($_POST['session'])){
    $_SESSION['session'] = $_POST['session'];
    echo "created session";
}else if(isset($_GET['want'])){
    //for ajax request
    die($_SESSION['session']);
}
?>
<form action="iframe.php" method="post">
SESSION VAL:<input name="session" value="<?php echo $_SESSION['session']?>" type="text"/><br>
<input type="submit"/>
</form>

HTML

<iframe src="iframe.php">

</iframe>
<br>SESSION FROM AJAX:
<div id="AJAX"></div>

AJAX

window.setInterval(function(){
    $.get( "iframe.php?want", function( data ) {
        $( "#AJAX" ).html( data );
    });
},1000);

See Fiddle

Try starting the session before outputting headers. – Matt Feb 21 '16 at 00:08 — Matt, Feb 21 '16 at 00:08

score 3 · Accepted Answer · edited May 23 '17 at 10:28

3

Look up about how to do CORS. Shortly, to make browser send session with ajax you have to add some fields to your xhr:

$.ajax({
  url : "https://crypter.co.uk/iframe.php?want",
  xhrFields : {
    withCredentials : true // <-- this
  },
  success : function( data ) {
    $( "#AJAX" ).html( data );
  }
});

And you'd have to allow such request serverside, see this answer.

edited May 23 '17 at 10:28

Community

1
1

answered Feb 21 '16 at 00:21

Serge Seredenko

3,541
7
21
38

@Maximilian what do you mean? – Serge Seredenko Feb 21 '16 at 22:55
Well I created a session at Iframe.php when accessing it with Ajax and then on success created an Iframe with the domain but there is no session. – maxisme Feb 21 '16 at 23:07
@Maximilian I'd ask you to make a fiddle – Serge Seredenko Feb 21 '16 at 23:34