ryancey

Reputation: 1057

App sends another session cookie when embedded in an iframe

I'm currently developing an embedded Shopify app, which is basically an app loaded in an iframe on the Shopify admin interface. It uses a session cookie to store an access token to the Shopify API.

The problem is, my app's backend receives a different session cookie depending on whether the app is loaded inside the Shopify iframe or not.

The domain is the same for both cookies and SameSite=none.

Looks like the browser is sandboxing the cookies of the same domain if they're set from an iframe. Is that the case?

Upvotes: 0

Views: 805

Answers (1)

granty

Reputation: 8546

It can be 3 issues:

  1. Sometimes you can have a few different cookies with the same name. Browsers send all of them, but on the server side an associative array is commonly used (like $_COOKIE in PHP). Therefore the last cookie overrides all previous ones with the same name. It can so happen that the iframe gets a different cookie from the main page. With the Apache server you can access all same-name cookies via the apache_request_headers() func. RTFM for workarounds on other servers.

  2. Check the SameSite attribute of the cookie - do you use the SameSite=Lax / SameSite=Strict attribute, or no such attribute?
    Note that SameSite=None requires the Secure attribute in modern browsers, therefore it works over https: only.

  3. The "same domain" is a wrong term; browsers operate on the "same origin" term:

    "origin" is a tuple of scheme:// + hostname + port-number.

    Therefore all 3 parts should match, not domain name only.

Upvotes: 1
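The first two points of the answer above are easy to reproduce on the server side: one request can carry two cookies with the same name, and a dict-style lookup silently keeps only the last one, while a Set-Cookie line with SameSite=None but no Secure is dropped by modern browsers and never comes back from the iframe. The following is an added example, not code from the question, the answer or Shopify; the header values it uses are constructed for illustration, and the function names are the example's own.

```python
"""Added example (not from the original question or answer): how duplicate
cookie names in one Cookie header collapse in a dict, and a check that a
Set-Cookie line using SameSite=None also carries Secure.  All sample header
values below are constructed for illustration."""

from typing import Dict, List, Tuple


def parse_cookie_header_all(header: str) -> List[Tuple[str, str]]:
    """Return every name=value pair in order, keeping duplicates.

    Browsers send cookies with the same name (e.g. one set by the top-level
    page and one set from an iframe) as separate pairs in one Cookie header.
    """
    pairs: List[Tuple[str, str]] = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            continue  # malformed fragment without '=' is ignored
        pairs.append((name.strip(), value.strip()))
    return pairs


def parse_cookie_header_last_wins(header: str) -> Dict[str, str]:
    """Mimic an associative array such as PHP's $_COOKIE: the last duplicate wins."""
    return dict(parse_cookie_header_all(header))


def duplicate_cookie_names(header: str) -> List[str]:
    """Names that appear more than once; worth logging when a backend sees them."""
    counts: Dict[str, int] = {}
    for name, _ in parse_cookie_header_all(header):
        counts[name] = counts.get(name, 0) + 1
    return sorted(n for n, c in counts.items() if c > 1)


def samesite_none_without_secure(set_cookie: str) -> bool:
    """True if a Set-Cookie line uses SameSite=None but lacks the Secure attribute.

    Modern browsers reject such a cookie, so the embedded (iframe) copy of the
    app would never get it back on the next request.
    """
    attrs = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    return "samesite=none" in attrs and "secure" not in attrs


# Constructed sample: two cookies named "session" reach the backend in one request.
COOKIE_HEADER = "session=top-level-abc; theme=dark; session=iframe-xyz"

if __name__ == "__main__":
    print(parse_cookie_header_all(COOKIE_HEADER))
    print(parse_cookie_header_last_wins(COOKIE_HEADER))
    print(duplicate_cookie_names(COOKIE_HEADER))
    print(samesite_none_without_secure("session=iframe-xyz; Path=/; SameSite=None"))
    print(samesite_none_without_secure("session=iframe-xyz; Path=/; SameSite=None; Secure"))
```

Running it shows the dict form keeping only `iframe-xyz` for `session`, while the list form keeps both values, and the first Set-Cookie line is flagged because it lacks Secure. Logging `duplicate_cookie_names()` on incoming requests is a cheap way to confirm whether the embedded and top-level loads are really setting two separate cookies.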
