Solution to PHP session loss in a cross-domain iframe under IE

  • 2020-10-23 20:03:16
  • OfStack

Today, a login page that is embedded in other websites via an iframe could not be logged into (only in IE).

Obviously, the session cannot be saved. But when the login page is opened directly from the address bar, everything is OK. That's strange.

I did a search on the Internet and found that this problem has actually been mentioned by many people. The final solution is to add the following code to that login page:
 
header('P3P: CP="ALL ADM DEV PSAi COM OUR OTRo STP IND ONL"');
session_start();

Maybe this has something to do with the fact that my login page does a location jump with JavaScript. But I did no in-depth testing.

Here's an expanded reading:

---------------------------------------------

Today, when I was working on the Tencent friend app, testing sent me a work order saying that the app could not be used on IE7. A login timeout error occurred.

My first reaction was that the session had been lost.

So I searched the Internet for the IE7 iframe session loss problem. Later I found the following article and solved the problem:

=============================================

Yesterday, the time diary I kept on campus finally went online. More than 80 users installed the app on the first day, but we received a lot of feedback from users that the app was not usable. I had previously developed it on Firefox (and presumably the campus staff approved it using Firefox); when I tested with IE7, I found that none of the pages other than the home page opened properly.

A lot of research on the Internet found that there is a problem in IE7: if a page has one or more iframe sub-pages, creating a session in a sub-page may not succeed, so session data cannot be shared with other pages. When developing intramural and 51 applications that use an iframe, you are likely to encounter this problem. The problem exists only in IE7; I also tested with Firefox, IE6 and Chrome.

The solution: before running session_start, add the following line (in the case of PHP) to the program. It basically declares the security level to the browser, so that iframe sub-pages can create a session without problems:

header('P3P: CP="ALL ADM DEV COM OTRo OTRo IND ONL"');

In addition, I learned that if a second-level domain contains an underscore, such as ES72en_domain.yourhost.com, there may also be problems with setting and passing the session.

Some reflections:

1) After many years, browser compatibility issues have not been completely resolved, and the IE browser is still so painful for developers.
2) Before releasing an application, it must undergo rigorous browser compatibility testing, or you risk losing the application's first batch of users.

==============================================

Other reference articles:

==============================================

Fixed an issue in iframe where jsessionid failed to deliver causing the loss of session

http://618119.com/archives/2007/12/19/48.html

The implementation of the es101EN2.1.1 interface needs to use SSO, and the interface defined in ISMP requires calling the SSO interface in embedded pages such as an iframe. In actual development it was found that the session cannot be passed normally.

The scenario to reproduce the problem is:

1. First visit a site: http://192.168.18.2/test.jsp

The code of test.jsp is as follows:
 
<html> 
<head> 
<title> 618119.com </title> 
</head> 
<body> 
<iframe src="http://192.168.18.3/sso.jsp?ssoinfo=xxxx">
</iframe> 
</body> 
</html> 

sso.jsp reads the ssoinfo passed in, and calls the ISMP authentication interface in reverse.

It generates a session, then puts in the specified attribute value:

session.setAttribute("ssoUser", "lizongbo");

The page then redirects to http://192.168.18.3/iframe.jsp:

response.sendRedirect("/iframe.jsp");

iframe.jsp reads the ssoUser attribute value from the session, and you will find that it cannot be read.

2. If you first visit the page on 192.168.18.3 and then visit the page on 192.168.18.2, the embedded iframe can pass the generated jsessionid cookie.

So the solutions are:

a. Add jsessionid to url.

For example, redirect with response.sendRedirect("/iframe.jsp;jsessionid=lizongbo");

In this case, if the other links in the ES171en.jsp page do not have jsessionid added to their URLs, the session still cannot be passed on. This can be handled on the client side by using js to rewrite the href attribute of each hyperlink so that it carries jsessionid.

b. sso.jsp sets the P3P header

For example, P3P: CP="CURa ADMa DEVa PSDo OUR BUS PUR INT DEM COM DSP DSP DSP DSP COR"

Or P3P: CP="CAO PSA OUR"

Java code:

response.addHeader("P3P", "CP=\"CAO PSA OUR\"");
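
Solution a above mentions rewriting each hyperlink's href on the client side but shows no code. The following JavaScript is an added example, not code from the original article; the function names withJsessionid and rewriteLinks are hypothetical. It rewrites only links on the page's own origin, so the session id is not sent to other hosts.

```javascript
// Added example: withJsessionid and rewriteLinks are hypothetical names.
// Inserts ";jsessionid=<id>" as a path parameter, before any query string or
// fragment, and only on links that stay on the page's own origin.
function withJsessionid(href, pageUrl, sessionId) {
  let target;
  try {
    target = new URL(href, pageUrl);   // resolves relative links like "/iframe.jsp"
  } catch (e) {
    return href;                       // unparsable href: leave untouched
  }
  const page = new URL(pageUrl);
  // Never attach the id to another origin or to mailto:, javascript:, etc.
  if (target.origin !== page.origin || !/^https?:$/.test(target.protocol)) {
    return href;
  }
  // Assumption: session ids use only these characters. Reject anything else
  // so the value cannot smuggle "/", "?" or "#" into the URL.
  if (!/^[A-Za-z0-9._-]+$/.test(sessionId)) {
    throw new Error("unexpected characters in session id");
  }
  // Drop an existing ;jsessionid=... so the parameter is not duplicated.
  const path = target.pathname.replace(/;jsessionid=[^;/]*/i, "");
  return target.origin + path + ";jsessionid=" + sessionId +
         target.search + target.hash;
}

// In the browser: rewrite every hyperlink of the given document.
function rewriteLinks(doc, sessionId) {
  for (const a of doc.querySelectorAll("a[href]")) {
    const href = a.getAttribute("href");
    a.setAttribute("href", withJsessionid(href, doc.location.href, sessionId));
  }
}
```

In the page, call rewriteLinks(document, id) once the DOM has loaded, with the id supplied by the server.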
