3rdParty cookies issue when using crossdomain ajax

Question

I have a jquery widget that get data from a server in another domain (using JsonNp). The server return data from session. My issue happens in Safari (other browsers works). When I do a request to the server it returns data for new session each time. This happens because Session Id is stored in a cookie (but safari doesn't allow to save 3rd party crossdomain cookies by default).

I tried changing session State from Cookieless to AutoDetected, but the Session doesn't work with Safari.

Also I tried the following hack, but it doesn't work for me for some reasons:

$(function(){
    $('body').append('<iframe id="cookiesHackFrame" name="cookiesHackFrame" src="http://mysite.com/" style="display:none;"></iframe>');
    $('body').append('<form id="cookiesHackForm" action="http://mysite.com/" method="post" target="cookiesHackFrame" >');
    $('#cookiesHackForm').submit();
});

hope my description of this issue was clear... – Yaroslav Bigus Mar 24 '12 at 09:16 — Yaroslav Bigus, Mar 24 '12 at 09:16

score 3 · Accepted Answer · answered Mar 26 '12 at 22:03

3

Well...Since Safary block the 3rd party crossdomain cookie...there is no way to solve...any solution would be a "break" of the security strategy...that is not likely to occurr, There are just towo ways to solve: 1) changing the browsers settings....however this is something that the user can do...not the server, so one might alert the user to change the security settings once detected the problem.

2) the 3d party server send the information to put in the cookie to the main server that in turn issues the cookie. This way crossdomain is avoided. The two servers may communicate through a web service(not very efficient...but works).

answered Mar 26 '12 at 22:03

Francesco Abbruzzese

4,139
1
17
18

ermmm thats bad, this widget should be installed on any site, so I can't use secont way... What about use Cookieless=UseUri? I'll try to test again why it doesn't work and tell you result. Also If I open url in new tab it become works on all sites that use widget! So I hope some workaround should be... Anyway thanks – Yaroslav Bigus Mar 29 '12 at 17:16
1

mvc doesnt supportd session to be encoded in uri. However, since the widget stays always in the same page it can store a session id in a hidden field and send it to the server each time it updates. – Francesco Abbruzzese Mar 29 '12 at 20:23
1

Safari allows cookies if the user interacts with the content in the iframe. – Josh Mar 30 '12 at 13:29
yeah, but for some reasons it doesn't work for me when I do this in iframe(look my code on question) so I simply edirect entire page as you describe here (http://stackoverflow.com/questions/6125741/iframe-cross-domain-cookies-p3p-policy-and-safari-with-error-a-required-anti). I'd like to set this as answer – Yaroslav Bigus Mar 30 '12 at 14:33
Josh, I have the last day to award bounty for this question, so if you'' not add your answer I will give bounties to Francesco. Thanks :) – Yaroslav Bigus Apr 01 '12 at 08:44

score 1 · Answer 2 · answered Mar 27 '12 at 09:16

Slightly hard to understand your problem, but if you need to sent data from your cookie - just encode it into your request (POST/GET) to the other server. Could you not also pass the session ID as well?

Perhaps a little more code to show what you are trying to achieve?

3rdParty cookies issue when using crossdomain ajax

2 Answers2