Ruslan

Reputation: 2799

Page within iframe not seeing its own cookies

We have 2 websites on separate domains. For simplicity, let's say they are:

When I, as a user, go to the App (main-app.com/app) and log in there, it sets a session cookie in my browser which identifies the session. However, when I go to the Host page (random-site.com/index.html) and it loads the App's iframe, the session cookie is not being sent. It is simply omitted when I look at it in the network inspector.

Why would this be happening? What is preventing the cookie from being sent, and how can we fix this?

(We have control over both sites)

Upvotes: 6

Views: 13496

Answers (1)

ockeghem

Reputation: 295

Are you using Google Chrome? In Google Chrome, the default attribute for cookies has been changed to samesite=lax. samesite=lax cookies are not sent in iframes. The purpose of this change is to mitigate attacks such as CSRF. If you use Firefox, you should still be logged in on the page in the iframe.

Upvotes: 7
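As an added example (not code from either poster), the following JavaScript models the browser decision the answer describes: a cookie with no SameSite attribute is treated as SameSite=Lax, Lax cookies are withheld from cross-site subresource requests such as an iframe, and the cookie only reaches the framed page when main-app.com sets it with SameSite=None; Secure. The cookie name and value, the context objects and the helper names are all assumptions made for the illustration, and the short-lived "Lax+POST" exception Chrome grants to freshly set cookies is deliberately left out.

```javascript
// Added example, not from the question or answer: a small model of the
// browser-side SameSite check plus the two Set-Cookie headers main-app.com
// could send. Cookie name/value and request contexts are made up.

// Parse a Set-Cookie header into name/value and the attributes we care about.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    secure: false,
    httpOnly: false,
    sameSite: null, // null means the attribute was omitted
  };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    switch (k.toLowerCase()) {
      case "secure": cookie.secure = true; break;
      case "httponly": cookie.httpOnly = true; break;
      case "samesite": cookie.sameSite = v.toLowerCase(); break;
      default: break; // Path, Domain, Max-Age etc. do not affect this decision
    }
  }
  return cookie;
}

// Decide whether the browser attaches the cookie to a request.
// Models Chrome's "Lax by default": a missing SameSite attribute behaves as
// SameSite=Lax, and SameSite=None is only honoured together with Secure.
function cookieIsSent(cookie, request) {
  const { sameSiteRequest, topLevelNavigation, method, https } = request;
  if (cookie.secure && !https) return false;   // Secure cookies need HTTPS
  const mode = cookie.sameSite === null ? "lax" : cookie.sameSite;
  if (mode === "none") return cookie.secure;    // None without Secure is rejected
  if (sameSiteRequest) return true;             // same-site requests always carry it
  if (mode === "strict") return false;
  // Lax: cross-site only on a top-level navigation with a safe method,
  // so never for an <iframe> load.
  return topLevelNavigation && method === "GET";
}

// The header the app sets today (no SameSite attribute) beside the one that
// survives being framed by random-site.com.
function sessionCookieHeader(value, allowCrossSiteIframe) {
  const base = `session=${value}; Path=/; HttpOnly`;
  return allowCrossSiteIframe ? `${base}; Secure; SameSite=None` : base;
}

// Constructed request contexts from the question: visiting main-app.com
// directly, random-site.com framing it, and a plain link from random-site.com.
const directVisit = { sameSiteRequest: true, topLevelNavigation: true, method: "GET", https: true };
const crossSiteIframe = { sameSiteRequest: false, topLevelNavigation: false, method: "GET", https: true };
const crossSiteLink = { sameSiteRequest: false, topLevelNavigation: true, method: "GET", https: true };

function demo() {
  const weak = parseSetCookie(sessionCookieHeader("abc123", false));
  const fixed = parseSetCookie(sessionCookieHeader("abc123", true));
  return {
    weakDirect: cookieIsSent(weak, directVisit),     // true
    weakIframe: cookieIsSent(weak, crossSiteIframe), // false: the symptom in the question
    weakLink: cookieIsSent(weak, crossSiteLink),     // true: Lax allows top-level GET
    fixedIframe: cookieIsSent(fixed, crossSiteIframe), // true
  };
}

console.log(demo());
```

Two practical consequences follow from the model. SameSite=None is only accepted with Secure, so both main-app.com and the framing page have to be served over HTTPS. And once the session cookie is sent cross-site again, the CSRF protection that Lax was giving for free is gone, so the app needs its own (anti-CSRF tokens or Origin/Referer checks on state-changing requests).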
