I posted this question on StackOverflow earlier today:
https://stackoverflow.com/questions/543 ... nt-conside
Is there any documentation from Mozilla or anyone else regarding sessions in iframes or what the definition of 3rd party cookies is? Basically, I have an embeddable iframe widget that can be used on any website. With the proper CORS headers set, I'm seeing strange behavior when an iframe first loads in terms of session management. If I try to start a new session and set a session variable when the iframe content initially loads on a cross-origin domain, Firefox will not send the cookie containing the session ID with the next request (even if withCredentials is set on the ajax call). However, if the user interacts with the iframe and an ajax request is made as a result of the user interaction, the subsequent calls will respect and use the session cookie retrieved from the first interacted call. Is this intended behavior?
Basically, if I load this iframe on https://domain.com (and the iframe is loaded and the user is not interacting with it):
Code:
<iframe src="https://domain1.com/test.php"></iframe>
Code:
<?php
// test.php, the page loaded inside the iframe: start a session under a
// widget-specific cookie name and record a flag in it.
session_name("a_service");
session_start();
$_SESSION["yes"] = "yes";
?>
Code:
<?php
// Endpoint called later from the iframe via XHR: report whether the session
// cookie set on load came back with this request. isset() avoids undefined
// index notices on a fresh session.
session_name("a_service");
session_start();
if (isset($_SESSION["yes"]) || isset($_SESSION["no"])) {
    echo "SESSION WAS MAINTAINED!";
} else {
    echo "SESSION was NOT maintained...";
    $_SESSION["no"] = "No";
}
?>
So, it would seem that session cookies are only sent once the user has interacted with the iframe? If the user hasn't interacted with the iframe, any cookies set on load are considered 3rd party and may be blocked by the browser if the cookies setting is set to "Block cookies and site data - Type blocked: Cookies from unvisited websites"? I'd just like clarification as to when this setting will make Firefox not send any cookies retrieved from load and when it will store and send the session cookie back to the server once the user has interacted with the iframe.
Any help is appreciated.