Question
I have a php system that works fine stand-alone but not when embedded in an iframe.
It's embedded in a page on another domain, and consists of:
main.php grabs a parameter off the iframe URL, looks it up in MySQL, sets a session variable and draws a grid.
Then, using ajax, tries to get data to display in the grid.
- but the ajax.php doesn't have the same session_id() ?!?
AND in subsequent ajax-calls for data (to update the grid) the session_id() keeps changing!
To recap: ALL my PHP is inside the SAME iframe - no XS trouble..?
There IS a session_start() in all the right places (it works stand-alone).
The session_save_path() is the same in main.php and ajax.php (and they're in the same dir)
I've seen and tried different versions of header('P3P: CP="CAO PSA OUR"') - fruitlessly : (
Found it: My browser didn't allow Third Party Cookies - including the session-cookie!
But isn't this wrong - no cookies are being shared across domains (it stays inside the iframe) ?
- still.. it IS another domain than the one the user asked for in the URL... hmm... shit.
Answer 1:
As mentioned, the problem was the browser blocking (not allowing) Third Party Cookies.
(That is, ignoring cookies not issued from the server behind the main (visible) URL)
There exists a way to circumvent this security-feature: google "P3P"
- but that's not reliable across browsers (Chrome).
My solution is to keep the session_id in javascript, and append it as an extra parameter in all ajax-calls,
enabling me to pick the relevant session in ajax.php: session_id( $_POST['sessID'] ); session_start( );
This solution does make it somewhat easier for a malicious user to dick around with the session_id.
- since it's now available (for modification) using javascript alone (easier than modifying a cookie)...
I would like to hear people's thoughts about this "increased vulnerability"?
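A hardened version of the ajax.php side of the answer's approach, added here as an example and not the poster's own code. It keeps the answer's idea (the page's JavaScript posts the session id back with every AJAX call, and ajax.php adopts it with session_id() before session_start()) but adds the checks a practitioner would want: the id is taken only from the POST body, rejected unless it looks like an id PHP itself would generate, and session.use_strict_mode makes PHP refuse an id the server never issued, which is what stops a malicious user from choosing a session id of their own. The helper names is_well_formed_session_id, fail and load_rows_for, the session key grid_param, and the sample rows are hypothetical; the corresponding main.php is assumed to run session_start() with the same strict-mode setting and to embed session_id() into the page via json_encode().

```php
<?php
// ajax.php (example, not the original poster's code): pick up the session
// that main.php started, using the id the page's JavaScript posts back
// instead of the session cookie the browser is blocking as third-party.
declare(strict_types=1);

header('Content-Type: application/json');

// Hypothetical helper. PHP builds its own ids from '0'-'9', 'a'-'z', 'A'-'Z',
// ',' and '-' and they are 22..256 characters long; anything else is refused
// before it reaches the session handler and the file path it will open.
function is_well_formed_session_id(string $id): bool
{
    return (bool) preg_match('/^[0-9a-zA-Z,-]{22,256}$/', $id);
}

// Hypothetical helper: send an error as JSON and stop.
function fail(int $status, string $msg): void
{
    http_response_code($status);
    echo json_encode(['error' => $msg]);
    exit;
}

// Hypothetical stand-in for the MySQL lookup; the rows are constructed.
function load_rows_for(string $param): array
{
    return [['id' => 1, 'param' => $param, 'value' => 'first row'],
            ['id' => 2, 'param' => $param, 'value' => 'second row']];
}

// Take the id from the POST body only: a GET parameter would end up in
// access logs and in the Referer header of anything the page loads next.
$sessID = $_POST['sessID'] ?? '';
if (!is_string($sessID) || !is_well_formed_session_id($sessID)) {
    fail(400, 'missing or malformed session id');
}

// Strict mode: session_start() discards an id this server never issued and
// generates a fresh one instead, so an attacker cannot fixate a session by
// picking the id (the concern raised in the answer).
ini_set('session.use_strict_mode', '1');
// The cookie is blocked anyway and the id arrives in the body, so do not
// read or (re)send a session cookie from this endpoint.
ini_set('session.use_cookies', '0');
session_id($sessID);
session_start();

// Under strict mode an unknown id yields an empty session with a different
// id than the one supplied; treat that the same as an expired session.
if (session_id() !== $sessID || !isset($_SESSION['grid_param'])) {
    fail(401, 'unknown or expired session');
}

// From here on the request is bound to the session main.php created.
echo json_encode(load_rows_for((string) $_SESSION['grid_param']));
```

On the "increased vulnerability" question: the id in the page is no more secret than the cookie was (document.cookie exposes a non-HttpOnly session cookie just as readily), so the real risk to close is fixation, which the strict-mode check above handles; the remaining exposure is that anyone who can read the page or the POST bodies (so TLS is mandatory) holds the session, exactly as with a cookie.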
Source: https://stackoverflow.com/questions/22126788/persistent-session-id-inside-an-iframe