JSF 2.0 ViewExpiredException on Glassfish 3.1 when using iframe in Safari

Question

I have a JSF 2.0 web application running on glassfish 3.1 that is working fine on IE, FF, Safari and Chrome.

When I added the url of my website inside a iframe of an

Answer 1

This is indeed a known problem. Safari does not allow crossdomain cookies. Any cookies delivered by an iframe will just be ignored by this browser. The HTTP session is backed by a cookie. So it won't be maintained as well. Thus, when you submit a JSF form inside an iframe, then Safari won't send the session cookie back and the server side will implicitly create a new session and thus the view which was set in the initial session is completely lost. Hence the ViewExpiredException.

In theory, this can be solved to include the JSESSIONID fragment in the action URL of the JSF-generated HTML <form> element. E.g.

<form action="/context/page.xhtml;JSESSIONID=1234567890ABCDEF">

However, JSF already does that. It uses under the covers HttpServletResponse#encodeURL() for that. That it didn't work for you on JSF 2 while it apparently worked on JSF 1.2 is for me a mystery. But you have now at least something to concentrate on. Did HttpServletResponse#encodeURL() return the properly encoded URL with JSESSIONID inside? Does the generated HTML <form> include the JSESSIONID? Etc. When using Mojarra, start with FormRenderer#getActionStr() method while debugging.

Anyway, another solution is to use JavaScript for this. Do something like the following during onload of the JSF page which is to be displayed inside an iframe. The following script kickoff example should be embedded inside the JSF page so that #{} will be evaluated.

window.onload = function() {
    if (top != self) { // If true, then page is been requested inside an iframe.
        var jsessionid = '#{session.id}';
        var forms = document.forms;

        for (var i = 0; i < forms.length; i++) {
            forms[i].action += ';JSESSIONID=' + jsessionid;
        }
    }
}

This should not harm browsers other than Safari.

Answer 2

I experienced the same issue for IE and Safari. This is because third party cookies are not allowed by default in those browsers. Thus session id could not be passed via cookie.

To fix it in IE is enough to add response header P3P with value CP="This site does not have a p3p policy.":

ExternalContext extContext = FacesContext.getCurrentInstance().getExternalContext();
extContext.addResponseHeader("P3P", "CP=\"This site does not have a p3p policy.\"");

To fix it in Safari is enough to transfer session id in url but not in cookie. This is known as url rewriting. For application server supporting Servlet 3.0 it could be done using web.xml :

<session-config>
    <tracking-mode>URL</tracking-mode> 
</session-config>