JSF 2.0 ViewExpiredException on Glassfish 3.1 when using iframe in Safari

Question

I have a JSF 2.0 web application running on glassfish 3.1 that is working fine on IE, FF, Safari and Chrome.

When I added the url of my website inside a iframe of an

Answer 1

This is indeed a known problem. Safari does not allow crossdomain cookies. Any cookies delivered by an iframe will just be ignored by this browser. The HTTP session is backed by a cookie. So it won't be maintained as well. Thus, when you submit a JSF form inside an iframe, then Safari won't send the session cookie back and the server side will implicitly create a new session and thus the view which was set in the initial session is completely lost. Hence the ViewExpiredException.

In theory, this can be solved to include the JSESSIONID fragment in the action URL of the JSF-generated HTML

element. E.g.

However, JSF already does that. It uses under the covers HttpServletResponse#encodeURL() for that. That it didn't work for you on JSF 2 while it apparently worked on JSF 1.2 is for me a mystery. But you have now at least something to concentrate on. Did HttpServletResponse#encodeURL() return the properly encoded URL with JSESSIONID inside? Does the generated HTML include the JSESSIONID? Etc. When using Mojarra, start with FormRenderer#getActionStr() method while debugging.

Anyway, another solution is to use JavaScript for this. Do something like the following during onload of the JSF page which is to be displayed inside an iframe. The following script kickoff example should be embedded inside the JSF page so that #{} will be evaluated.

window.onload = function() {
    if (top != self) { // If true, then page is been requested inside an iframe.
        var jsessionid = '#{session.id}';
        var forms = document.forms;

        for (var i = 0; i < forms.length; i++) {
            forms[i].action += ';JSESSIONID=' + jsessionid;
        }
    }
}

This should not harm browsers other than Safari.