Solution to the problem of iframe cross domain and session failure

  • 2020-11-20 06:03:32
  • OfStack

What is cross-domain session/cookie?

It means a third-party session/cookie. A first-party session/cookie is a session/cookie that the website the visitor is currently visiting sets in the visitor's browser; it is stored on the visitor's computer. A third-party session/cookie arises when the currently visited website loads (embeds) code from another, third-party website, such as promotional ads: the third-party website then also sets a session/cookie on the visitor's computer.

My problem

While testing browser compatibility during development of an online information product (http://iap.pgia.net), I found that the IE browser (v7\8) could not log in (it always reported a verification code mismatch error), while other browsers (Firefox, Baidu, etc.) did not have this problem. Therefore, it can be concluded that this has something to do with the browser.

Preliminary analysis:

A closer inspection revealed that when the site was accessed with the IE browser (v7\8), the server-side logs showed that the sessionId kept changing: a brand new sessionId was generated with each request.

Obviously, this is the only direct reason why you cannot log in. If you resolve this problem, you can log in normally.

In-depth analysis:

Why did this happen in the IE browser (v7\8)? Searching Baidu, I learned that:

For privacy and security reasons, IE drops cookies set inside an iframe: the P3P (Platform for Privacy Preferences Project) protocol, supported by IE6/IE7, by default blocks third-party cookies that come without a privacy statement. Firefox and Chrome do not have this problem.

We know that a session is actually based on a cookie. When the client first establishes a session with the server, the server assigns the client a random sessionId and stores it in a client cookie; the client then sends that cookie with subsequent requests. If the server finds no such cookie in a request, it assigns a new one.

This is exactly the structure of my application, which is implemented by a built-in iframe embedded in a remote application.

Solutions:

The solution is to add a "P3P" header to the response. So how do you do that?

Add the following code to the frame page:


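<%
// Send a P3P compact policy so that IE7\8 keeps this page's session cookie
// when the page is loaded in a cross-domain iframe.
// Place this at the top of the page, before the response is committed.
response.setHeader("P3P", "CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");
%>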

At this point, the problem is solved.
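The failure and the fix described above, as an added example that is not part of the original article: a toy model of cookie-backed sessions showing why a dropped cookie produces a new sessionId per request and a verification code mismatch. The class and method names, the sample code "7K2Q" and the simplified IE7\8 cookie rule are assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

// Added example: a toy model of cookie-backed sessions, not a servlet container.
public class IframeSessionDemo {
    // Server side: sessionId -> session attributes.
    static final Map<String, Map<String, String>> SESSIONS = new HashMap<>();
    // Compact policy string copied from the page's fix.
    static final String P3P =
        "CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"";

    // Reuse the session named by the client's cookie, or create a new one when
    // the cookie is missing or unknown (the churn seen in the server logs).
    static String resolveSession(String cookie) {
        if (cookie != null && SESSIONS.containsKey(cookie)) {
            return cookie;
        }
        String id = UUID.randomUUID().toString();
        SESSIONS.put(id, new HashMap<>());
        return id;
    }

    // Assumption: simplified IE7\8 rule. A first-party cookie is always kept;
    // a third-party (iframe) cookie is kept only if a P3P compact policy came with it.
    static boolean ieKeepsCookie(boolean thirdParty, String p3pHeader) {
        return !thirdParty || (p3pHeader != null && p3pHeader.startsWith("CP="));
    }

    // Request 1 renders the verification code, request 2 submits the login form.
    static boolean login(String label, boolean thirdParty, String p3pHeader) {
        String code = "7K2Q";                          // constructed sample value
        String s1 = resolveSession(null);              // first visit: no cookie yet
        SESSIONS.get(s1).put("captcha", code);         // code stored in session 1
        String jar = ieKeepsCookie(thirdParty, p3pHeader) ? s1 : null;
        String s2 = resolveSession(jar);               // login submit
        boolean ok = code.equals(SESSIONS.get(s2).get("captcha"));
        System.out.println(label + ": captcha session " + s1
            + ", login session " + s2 + ", login ok = " + ok);
        return ok;
    }

    public static void main(String[] args) {
        login("top-level page, no P3P", false, null);  // same session, login ok
        login("iframe, no P3P", true, null);           // new session, code mismatch
        login("iframe, with P3P", true, P3P);          // same session, login ok
    }
}
```

The P3P header only affects Internet Explorer. Current browsers ignore it, and a session cookie is sent inside a cross-site iframe only if it is marked SameSite=None; Secure and the browser is not blocking third-party cookies.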

