Suppose I have a web app that I want to embed into any other site using an iframe. The iframe references my site and operates independently of the hosting web page.

Well, the browser considers the iframe to be a third party site, therefore its session cookie is considered a third party cookie. Some methods exist to make the browsers happy (e.g. P3P header), but it's still possible the user would have third party cookies disabled entirely. If so, then session cookies can't persist in an iframe.

What are good methods for persisting a session in an iframe on a third party site?

+1  A: 

Hi Spoulson,

I have faced a problem similar to the one you have here. There is a workaround (it will not work if your intention is to track user behavior across sites).

i. Place a first party persistent cookie on the domain where your iframe is to be hosted. (This can be done using JavaScript).

ii. Dynamically inject the iframe and pass across the value of the cookie to your site.

iii. If you intend to track user behavior across sites, modify the above code so that you use third party cookies when the browser allows, else switch to the above approach.

I haven't come across any other way to work around this. If you find a more acceptable solution do let me know.

Thanks, Ramjee

rAm
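
Steps i and ii of the answer above, sketched as an added example (not code from the original poster): a script on the hosting page keeps a first-party cookie and injects the iframe with that value in its URL. The cookie name `embed_sid`, the query parameter `sid` and the URL `https://widget.example/app` are assumptions made for illustration.

```javascript
// Added example: host-page script for steps i and ii. All names are hypothetical.
const COOKIE_NAME = 'embed_sid';                  // assumed first-party cookie name
const WIDGET_URL = 'https://widget.example/app';  // placeholder for the embedded app
const TOKEN_RE = /^[0-9a-f]{32}$/;                // only accept tokens of the shape we mint

// Find one cookie's raw value in a document.cookie-style string, or null.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq !== -1 && part.slice(0, eq).trim() === name) {
      return part.slice(eq + 1).trim();
    }
  }
  return null;
}

// 128 bits from the browser CSPRNG, hex encoded.
function randomToken() {
  const bytes = crypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Step i: reuse a well-formed token; otherwise mint one and return the cookie to set.
function ensureToken(cookieString, makeToken = randomToken) {
  const existing = readCookie(cookieString, COOKIE_NAME);
  if (existing !== null && TOKEN_RE.test(existing)) {
    return { token: existing, setCookie: null };
  }
  const token = makeToken();
  // 30-day persistent cookie; Secure assumes the hosting page is served over HTTPS.
  const setCookie = `${COOKIE_NAME}=${token}; Max-Age=2592000; Path=/; SameSite=Lax; Secure`;
  return { token, setCookie };
}

// Step ii: build the iframe URL that carries the token to the embedded site.
function buildIframeSrc(baseUrl, token) {
  const url = new URL(baseUrl);
  url.searchParams.set('sid', token);  // searchParams handles the URL encoding
  return url.toString();
}

// Browser only: runs on the hosting page once document.body exists.
if (typeof document !== 'undefined') {
  const { token, setCookie } = ensureToken(document.cookie);
  if (setCookie) document.cookie = setCookie;
  const frame = document.createElement('iframe');
  frame.src = buildIframeSrc(WIDGET_URL, token);
  document.body.appendChild(frame);
}
```

The embedded site receives `sid` from a page it does not control, so it should check the value against the same pattern before using it as a session key.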
A: 

My intent is to track a session within the iframe, so that clicks and reloads maintain state. It's not necessary to link sessions between the iframe and the hosting site.

The best I could come up with is cookie-less sessions. It's a bit manual, but with this site running PHP, I just need to ensure the querystring always contains "PHPSESSID=x" and it'll automatically attach to that session id.

spoulson