I posted this question on StackOverflow earlier today:
https://stackoverflow.com/questions/543 ... nt-conside
Is there any documentation from Mozilla or anyone else regarding sessions in iframes or what the definition of 3rd party cookies is? Basically, I have an embeddable iframe widget that can be used on any website. With the proper CORS headers set, I'm seeing strange behavior when an iframe first loads in terms of session management. If I try to start a new session and set a session variable when the iframe content initially loads on a cross-origin domain, Firefox will not send the cookie containing the session ID with the next request (even if withCredentials is set on the ajax call). However, if the user interacts with the iframe and an ajax request is made as a result of the user interaction, the subsequent calls will respect and use the session cookie retrieved from the first interacted call. Is this intended behavior?
Basically, if I load this iframe on https://domain.com (and the iframe is loaded and the user is not interacting with it):
Code:
<iframe src="https://domain1.com/test.php"></iframe>
And test.php contains the following:
Code:
<?php
// Use a dedicated cookie name for this widget's session
session_name("a_service");
// Starts a session; sends a Set-Cookie header on the first request
session_start();
$_SESSION["yes"] = "yes";
?>
The next request won't send this original session cookie that contains the ID for the session where the "yes" session key has been set. However, if the user interacts with the iframe and clicks on a button that sends an AJAX request to https://domain1.com/test2.php which contains:
Code:
<?php
session_name("a_service");
session_start();
// isset() avoids undefined-index notices when the key was never stored
if(isset($_SESSION["yes"]) || isset($_SESSION["no"])){
echo "SESSION WAS MAINTAINED!";
}else{
echo "SESSION was NOT maintained...";
// Store a marker so the next request can tell whether this session's cookie came back
$_SESSION["no"] = "No";
}
?>
"SESSION was NOT maintained..." is output, and any session key set (in this case the "no" key, since the "yes" key has no value because no cookie was sent from the initial load of the iframe) will be maintained on subsequent calls. So if the user clicks on the same button again, and https://domain1.com/test2.php processes the AJAX request as before, this time the session is maintained and "SESSION WAS MAINTAINED" is output.
So, it would seem that session cookies are only sent once the user has interacted with the iframe? If the user hasn't interacted with the iframe, any cookies set on load are considered 3rd party and may be blocked by the browser if the cookies setting is set to "Block cookies and site data - Type blocked: Cookies from unvisited websites"? I'd just like clarification as to when this setting will make Firefox not send any cookies retrieved from load and when it will store and send the session cookie back to the server once the user has interacted with the iframe.
Any help is appreciated.
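The question above turns on what "third-party cookie" means and on which layers decide whether the `a_service` session cookie travels with an XHR made from inside the iframe. The following is an added example, not code from the post or from Mozilla: a small Node.js model of that decision. It approximates the registrable domain as the last two DNS labels (real browsers use the Public Suffix List), models the SameSite attribute rules, and represents the "Cookies from unvisited websites" preference as a `policy` flag plus a list of sites the user has visited as top-level pages. It deliberately does not model the interaction-based storage grant the poster observed, since the post gives no details of that mechanism. The names `siteOf`, `isThirdParty`, `cookieWouldBeSent` and the `scenario` values are constructed for this example.

```javascript
// Added example (not from the original post): a model of how a browser
// classifies a cookie as first- or third-party and whether it is attached to a
// request made from inside a cross-site iframe. Simplifications are noted inline.

// Registrable domain approximated as the last two DNS labels. Real browsers use
// the Public Suffix List (so "example.co.uk" would be handled correctly there).
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".").filter(Boolean);
  return labels.slice(-2).join(".");
}

// "Site" = scheme + registrable domain (schemeful same-site: http and https differ).
function siteOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${registrableDomain(u.hostname)}`;
}

// A request (and any cookie on it) is third-party when the site of the request
// differs from the site of the top-level document the user is looking at.
function isThirdParty(topLevelUrl, requestUrl) {
  return siteOf(topLevelUrl) !== siteOf(requestUrl);
}

// Decide whether a cookie is attached to a subresource/XHR request issued from
// inside an iframe. `cookie` carries the attributes the server set it with.
// `policy` models the browser's cookie preference (constructed names):
//   "accept"          - third-party cookies allowed
//   "block-unvisited" - like the "Cookies from unvisited websites" setting: a
//                       third-party cookie is only sent if its site appears in
//                       `visitedSites` (pages the user opened as top level)
//   "block-all"       - no third-party cookies at all
function cookieWouldBeSent({ topLevelUrl, requestUrl, cookie, policy = "accept", visitedSites = [] }) {
  if (!isThirdParty(topLevelUrl, requestUrl)) {
    return { sent: true, reason: "same-site request" };
  }
  // SameSite attribute checks apply regardless of the blocking preference.
  if (cookie.sameSite === "Strict" || cookie.sameSite === "Lax") {
    return { sent: false, reason: `SameSite=${cookie.sameSite} withheld on cross-site request` };
  }
  if (cookie.sameSite === "None" && !cookie.secure) {
    return { sent: false, reason: "SameSite=None requires the Secure attribute" };
  }
  // No SameSite attribute: treated here as unrestricted (legacy behaviour);
  // a browser that defaults missing SameSite to Lax would stop it above.
  const requestSite = siteOf(requestUrl);
  if (policy === "block-all") {
    return { sent: false, reason: "third-party cookies blocked" };
  }
  if (policy === "block-unvisited" && !visitedSites.map(siteOf).includes(requestSite)) {
    return { sent: false, reason: `third-party cookie from unvisited site ${requestSite} blocked` };
  }
  return { sent: true, reason: "cross-site cookie permitted" };
}

// Constructed scenario mirroring the post: widget from domain1.com embedded on domain.com.
const scenario = {
  topLevelUrl: "https://domain.com/page",
  requestUrl: "https://domain1.com/test2.php",
  cookie: { name: "a_service", sameSite: "None", secure: true },
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(cookieWouldBeSent({ ...scenario, policy: "accept" }));
  console.log(cookieWouldBeSent({ ...scenario, policy: "block-unvisited" }));
  console.log(cookieWouldBeSent({ ...scenario, policy: "block-unvisited", visitedSites: ["https://domain1.com/"] }));
}
```

The model makes the two layers visible: the cookie's own attributes (a session cookie for a cross-site widget needs `SameSite=None; Secure`, which PHP 7.3 and later can set through the `samesite` and `secure` keys of `session_set_cookie_params()`), and the user's browser preference, which can still withhold a correctly attributed cookie when the widget's site has never been visited as a top-level page. Setting the cookie correctly is therefore necessary but not sufficient; the widget should be written to tolerate a missing session on its first cross-site request.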