
I have two domains on different servers. One page from the first server has an iframe that points to a URL on the other server. I can't manage to get sessions to work.

iFrame page code (main.php):

<!DOCTYPE html>
<html>
<head>
    <base target="_parent">
</head>
<body>
    <!-- the original tag was missing its closing ">" -->
    <iframe src="http://192.168.1.10/index.php"></iframe>
</body>
</html>

My iframe page index.php has a simple login system that starts a session. So, there is a button which loads the following code (process.php):

<?php
session_start();
$_SESSION['valid'] = true;
$_SESSION['timeout'] = time();
header('Location: catalogue.php');
exit; // stop the script after sending the redirect header
?>

On my catalogue.php and on each page, I have the following session code (check.php):

<?php
session_start();
// Referer check: reject requests that arrive without a referer
if (isset($_SERVER['HTTP_REFERER'])) {
    if ($_SERVER['HTTP_REFERER'] == "") {
        unset($_SESSION['valid']);
        unset($_SESSION['timeout']);
        header('Location: index.php');
        exit; // stop after the redirect header
    }
} else {
    unset($_SESSION['valid']);
    unset($_SESSION['timeout']);
    header('Location: index.php');
    exit;
}
// Idle-timeout check on the logged-in session
if (isset($_SESSION['valid'])) {
    $timeout = $_SESSION['timeout'];
    $time    = time();
    $t       = $time - $timeout;
    if ($t > 900) { // 15*60 = 900 seconds, timeout to logout (was 9000 in the original)
        unset($_SESSION['valid']);
        unset($_SESSION['timeout']);
        header('Location: index.php');
        exit;
    } else {
        $_SESSION['timeout'] = time(); // refresh the idle timer
    }
} else {
    header('Location: index.php');
    exit;
}
?>

So I have the following:

           Button press                                On load it check session                 
             to log in                                 using check.php
index.php ==============> process.php ===============> catalogue.php

I am using an iframe in order to hide the real URL of my web app and to have a more user-friendly domain name.

My problems:

  • Every time I press the button in index.php to log in, it redirects me to index.php and not to catalogue.php.
  • Can I hide/mask the URL in the iframe from bots/spiders?
  • Any suggestion/idea for a better setup is welcome.

** Update ** After some tests, I think the session is not starting (check.php). It is going to the else at the bottom. I have a public server and a local server.

The main.php doesn't have any session code. Only the pages in the iframe have it. The index.php doesn't have it. If the user presses log in, it loads process.php (which starts the session) and redirects to catalogue.php. Catalogue.php and all pages of my app have code (check.php) for checking the session.

YvetteLee
  • 1. You are not using the HTML5 doctype. 2. Frames are obsolete in new browsers. 3. If you are using Windows, by default the firewall is turned on and an insecure HTTP request will behave differently these years to IPs like 192.168.1.10 or public domains. 4. Even if all this stuff could BY MISTAKE work, you still have to check on the target whether the headers accept any frame include (and this will be a new security issue, a low-level one, if it works). So welcome to 2021 ;) –  Jan 07 '21 at 19:28
  • Still me! More advice: do not use $_SERVER['HTTP_REFERER'], because it can be replicated by attackers. In case you use it anyway, implement a random system, maybe a random learning one, to trigger security alerts when it is expected to use or not use that $_SERVER['HTTP_REFERER'], and check the traces to detect attackers (persons or programs, e.g. scanners). –  Jan 07 '21 at 19:33
  • @Constantin Thank you for your message and welcome to '21. I am using index.php; it was a typo and has been corrected. I am pointing a public domain to a local IP. The local server is a LAMP setup. With the same setup, storing iframe.php on the same server works. When moving iframe.php to the public server it does not. – YvetteLee Jan 08 '21 at 05:50
  • Does the session work properly, if you call index.php directly in your browser? – René Pöpperl Jan 08 '21 at 13:12
  • @RenéPöpperl Yes, if I call `http://192.168.1.10/index.php` it is working fine. Of course, I am testing it in my local network. I am trying to use a domain to hide the local URL from the users. – YvetteLee Jan 08 '21 at 13:24
  • I think the issue here is your iframe. https://stackoverflow.com/questions/8957769/php-session-iframe Check this answer for a possible explanation. – Daniel Kanis Jan 08 '21 at 20:53

1 Answer


I think your session is being blocked by SameSite by default cookies.

Treat cookies that don't specify a SameSite attribute as if they were SameSite=Lax. Sites must specify SameSite=None in order to enable third-party usage. – Mac, Windows, Linux, Chrome OS, Android

Try this to check my theory.

  1. Go to chrome://flags/ through your address bar
  2. Find SameSite by default cookies
  3. Disable the SameSite by default cookies flag
LIGHT
  • I tested and I am getting an error. I can't even load the basic auth of the server. It doesn't even load the page. If my pages are on the same server, it is ok; if they are on different servers, the session is not starting, I think. – YvetteLee Jan 13 '21 at 06:49
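The SameSite explanation in the answer above, as an added example that is not part of the original question or answer: a PHP session bootstrap for pages served inside a cross-site iframe, plus a replacement for check.php that drops the referer test the comments warn about. It assumes PHP 7.3 or newer (array form of session_set_cookie_params) and that the framed site is served over HTTPS, which SameSite=None requires; the function and constant names are hypothetical.

```php
<?php
// Added example, not the asker's or answerer's code. Browsers that default
// to SameSite=Lax drop the PHPSESSID cookie on a cross-site framed request,
// so the session never "starts" and check.php falls through to its else.
// Assumes PHP >= 7.3 and HTTPS on the framed site (required for SameSite=None).

declare(strict_types=1);

const SESSION_IDLE_LIMIT = 900; // 15 * 60 seconds, as check.php intends

function startFramedSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Secure is mandatory with SameSite=None; without it the cookie is rejected.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'None',
    ]);
    session_start();
}

// Replacement for the referer-based check: the referer is client-controlled
// and often stripped, so rely only on the session state and the idle timeout.
function requireValidSession(string $loginPage = 'index.php'): void
{
    startFramedSession();
    $idle = time() - (int) ($_SESSION['timeout'] ?? 0);
    if (empty($_SESSION['valid']) || $idle > SESSION_IDLE_LIMIT) {
        $_SESSION = [];
        session_destroy();
        header('Location: ' . $loginPage);
        exit; // otherwise the protected page body is still sent
    }
    $_SESSION['timeout'] = time(); // refresh the idle timer
}

// Diagnostic for the framed index.php: if the browser did not send the
// session cookie back, the iframe is still being blocked.
function sessionCookieReturned(): bool
{
    return isset($_COOKIE[session_name()]);
}
```

Without HTTPS the cookie is never accepted with SameSite=None; in that case serving the app through the public domain itself (for example via a reverse proxy) instead of framing it avoids the third-party cookie problem altogether.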