Coles Notes version:

index.php?map_id=foo is loaded into iframe on www.not-my-domain.com. index sets SESSION['map_id'] = foo. Flash file tries to get SESSION['map_id'] thru Authenticate.php, but Authenticate.php has no values set for any SESSION variables.

-- Only first-load, cross domain issue.

Verbose:

I have an index file where I set: SESSION['map_id'] = foo

The index file then loads a flash file. When initialized, the flash accesses an 'Authenticate.php' file which echoes out the SESSION['map_id'] and is loaded into flash via LoadVars. Flash then displays the appropriate data. This step cannot be done another way.

This all works just fine on our main site. The issue comes when we try to port out to other sites by providing iframe embed codes:

    <iframe src="http://www.mydomain.com/?map_id=foo&amp;code=bar" ... ></iframe>

On a fresh load of the embed code from another site (www.anotherdomain.com), it seems that the SESSION variables have been destroyed, as flash simply says they are empty. ( $map_id outputs a blank )

The index file will still properly echo $map_id as 'foo', it just seems the 'Authenticate.php' file cannot access the SESSION variables.

I have ensured session_start() is present in all appropriate files.

+1  A: 

PHP session ids are passed through cookies by default, but you can't transfer cookies across domains. Try passing the session id through the url instead.

Here is the appropriate page in the php documentation.

There are a few ways you can get php to pass the session id in the url if it's not being done automatically.

  1. You can manually pass the session id in the url (must come before other get variables):

    <iframe src="http://www.mydomain.com/?<?php echo htmlspecialchars(SID); ?>&amp;map_id=foo&amp;code=bar"></iframe>

  2. You can disable cookies, forcing every request to have the session id automatically added to the url:

    ini_set("session.use_cookies","0");

  3. You can edit the url_rewriter.tags setting, which tells PHP which html tags to rewrite with the session id. Here, iframe=src has been added to the default set:

    ini_set("url_rewriter.tags", "a=href,area=href,frame=src,iframe=src,input=src,form=fakeentry");

vamin
So, because the session id isn't passed the first time thru via cookies, the session variables don't know which session they belong to? If I pass the session id thru the URL, I could then tell the session its id?
shudson250
That's the gist of it. I've updated my response to be a little more clear about how to do that.
vamin
That's a fairly sensitive solution because we're opening this up to the public. It will likely be inserted on someone's page with a blogspot type editor. Is there any way this can be done just with our pages?
shudson250
I'm not sure. PHP automatically appends the session id to the url if the client has cookies disabled. Perhaps you could try forcing this behavior from your end by setting ini_set("session.use_cookies","0"); on your end. I'm not certain this will work, but if it does please post back and I'll edit my answer to include this solution.
vamin
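
Added example (not code from the question or the answer): options 1 and 2 from the answer combined, with the session id carried in the Authenticate.php URL that Flash loads, plus strict mode and id regeneration so that an id supplied from outside is never adopted. The function names, the single-file dispatch and the 300-second lifetime are assumptions made for the illustration.

```php
<?php
// Added example, not the poster's code. One file plays both roles for brevity:
//   ?map_id=foo          index.php role: create the session, print the URL for Flash
//   ?PHPSESSID=<id>      Authenticate.php role: reopen that session from the URL
declare(strict_types=1);

function configure_url_sessions(): void
{
    ini_set('session.use_cookies', '0');      // option 2 in the answer: no session cookie
    ini_set('session.use_only_cookies', '0'); // otherwise PHP ignores an id sent in the URL
    ini_set('session.use_strict_mode', '1');  // an id PHP never issued is replaced by a new one
    ini_set('session.gc_maxlifetime', '300'); // assumption: a short-lived session is enough
}

// index.php role: store map_id, return the URL the SWF should hand to LoadVars.
function begin_embed_session(string $mapId): string
{
    configure_url_sessions();
    session_start();
    session_regenerate_id(true);              // never keep an id that arrived from outside
    $_SESSION['map_id'] = $mapId;
    $url = 'Authenticate.php?' . http_build_query([session_name() => session_id()]);
    session_write_close();
    return $url;
}

// Authenticate.php role: read-only access, returned as name=value pairs for LoadVars.
function read_embed_session(): string
{
    configure_url_sessions();
    session_start(['read_and_close' => true]);
    return http_build_query(['map_id' => $_SESSION['map_id'] ?? '']);
}

if (isset($_GET['map_id']) && is_string($_GET['map_id'])) {
    echo htmlspecialchars(begin_embed_session($_GET['map_id']), ENT_QUOTES);
} else {
    echo read_embed_session();
}
```

A session id carried in a URL can end up in server logs and Referer headers, which is why the sketch keeps the session short-lived and opens it read-only in the Authenticate.php role.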