
I run a video application in which videos are embedded through an iframe. If a video is private, sign in is needed, and I currently redirect them to the sign-in page on my domain and then back to the video once complete.

I want users to be able to log in from an embedded iframe and to have their session remain active, without having to navigate to another page.

I have AJAX sign in working from the sign-in page on my domain. However, when I try to do this from the iframe, authentication succeeds, but the session is not maintained and Rails believes there is no current user upon reload.

My configuration allows iframes to be used anywhere:

config.action_dispatch.default_headers = {
    'X-Frame-Options' => 'ALLOWALL'
}

And I do not require an authenticity token for the sign in action.

How can I create and maintain a session from within an iframe?

Edit: The session saves in Firefox, but Chrome, Safari, and Brave don't maintain it. Not sure why this is.

Ladybro
  • https://stackoverflow.com/questions/45094712/iframe-not-reading-cookies-in-chrome – max Dec 16 '19 at 00:22
    "The session saves in Firefox, but Chrome, Safari, and Brave don't maintain it. Not sure why this is.". Because iframes are a security nightmare and browsers have counter measures against clickjacking, tracking and other nefarious behaviour. – max Dec 16 '19 at 00:30
  • Thanks for the comment @max. Do you think this is unachievable in that case? – Ladybro Dec 16 '19 at 13:59
  • Hi, did you manage to figure this out, I'm facing the exact same issue, a vendor hosts features inside an iFrame and I can't get the session to be maintained. – Stewart McEwen Mar 12 '20 at 03:10
  • Unfortunately I did not @Stewart. – Ladybro Mar 13 '20 at 21:31
  • ah well, thanks for replying though mate! :thumbsup: – Stewart McEwen Apr 17 '20 at 07:15

1 Answer


For Rails 4.2, I followed this comment: https://stackoverflow.com/a/60036434/4607290. Essentially you have to override the set_cookie_header! method by creating an initializer.

Then I had to modify my session_store so it set the SameSite cookie to None/Secure: https://www.skcript.com/svr/samesite-issue-with-rails-in-chrome/

# config/initializers/session_store.rb

Rails.application.config.session_store :cookie_store, {
  :key => '_application_session',
  :domain => :all,        # share the cookie across subdomains of the registrable domain
  :same_site => :none,    # let the browser send the cookie from a cross-site iframe
  :secure => true,        # browsers require Secure whenever SameSite=None is set
  :tld_length => 2
}

Hope that helps anyone who stumbled across this post like I did. NOTE: Changing these settings has security ramifications and should be done only if you know what you're doing.

MilesStanfield
spacemonkeys
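As an added example (not code from the answer above, and not part of Rails), here is a small Rack middleware that does by hand what the answer's session_store change does on newer Rails: it rewrites the session cookie's Set-Cookie line to carry SameSite=None together with Secure, leaves every other cookie untouched, and skips the rewrite on plain HTTP, because browsers silently drop a SameSite=None cookie that is not Secure. The cookie name '_application_session' is taken from the answer's config; the class name, method names and sample Set-Cookie values are constructed for this example. A helper, third_party_ok?, lets you check a Set-Cookie line for the two attributes a browser needs before it will send the cookie from a third-party iframe.

```ruby
# Added example, not code from the original post or from Rails.
# Rack middleware that marks the session cookie SameSite=None; Secure so a
# browser keeps sending it when the app is loaded inside a cross-site iframe.
# Cookie name taken from the answer's config; everything else is constructed.
class CrossSiteSessionCookie
  SESSION_COOKIE = '_application_session'.freeze

  def initialize(app, cookie_name: SESSION_COOKIE)
    @app = app
    @cookie_name = cookie_name
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Rack 2 uses 'Set-Cookie' (lines joined by "\n"); Rack 3 uses 'set-cookie' (Array).
    key = headers.key?('set-cookie') ? 'set-cookie' : 'Set-Cookie'
    # Only rewrite over HTTPS: a SameSite=None cookie without Secure is dropped by
    # the browser, so over plain HTTP the default (Lax) cookie is left alone.
    if https?(env) && headers[key]
      headers[key] = self.class.rewrite(headers[key], @cookie_name)
    end
    [status, headers, body]
  end

  # Accepts either a String (Rack 2) or an Array (Rack 3) and returns the same type.
  def self.rewrite(set_cookie, cookie_name)
    lines = set_cookie.is_a?(Array) ? set_cookie : set_cookie.to_s.split("\n")
    rewritten = lines.map { |line| rewrite_line(line, cookie_name) }
    set_cookie.is_a?(Array) ? rewritten : rewritten.join("\n")
  end

  # Replace any existing SameSite/Secure attributes on the session cookie only;
  # other cookies (CSRF, flash, ...) keep their defaults.
  def self.rewrite_line(line, cookie_name)
    return line unless line.start_with?("#{cookie_name}=")
    attrs = line.split(/;\s*/)
    attrs.reject! { |a| a.match?(/\A(samesite(=.*)?|secure)\z/i) }
    (attrs + ['SameSite=None', 'Secure']).join('; ')
  end

  # Check for a single Set-Cookie line: will a browser include this cookie in a
  # request made from a third-party iframe? Both attributes are required.
  def self.third_party_ok?(line)
    attrs = line.split(/;\s*/).drop(1).map(&:downcase)
    attrs.include?('samesite=none') && attrs.include?('secure')
  end

  private

  def https?(env)
    env['rack.url_scheme'] == 'https' || env['HTTPS'] == 'on' ||
      env['HTTP_X_FORWARDED_PROTO'] == 'https'
  end
end

if __FILE__ == $0
  # Constructed sample app that sets a plain session cookie.
  app = ->(_env) { [200, { 'Set-Cookie' => '_application_session=abc; path=/; HttpOnly' }, ['ok']] }
  _, headers, _ = CrossSiteSessionCookie.new(app).call('rack.url_scheme' => 'https')
  puts headers['Set-Cookie']
  puts CrossSiteSessionCookie.third_party_ok?(headers['Set-Cookie'])
end
```

In a Rails app this would be registered with `config.middleware.use CrossSiteSessionCookie` (Rails 6.1 and later accept `same_site: :none` directly in the session store, so the middleware is only useful for older versions). Two caveats a practitioner will want: the cookie still has to be served over HTTPS end to end, including any proxy in front of the app that sets X-Forwarded-Proto; and Safari on iOS 12 and macOS 10.14 mis-parses SameSite=None as SameSite=Strict, so those clients lose the session in an iframe regardless of this setting. Opening the session cookie to cross-site requests also means CSRF protection has to stay enabled for every state-changing action, since the SameSite default no longer provides any of it.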