IE7's new security model not allowing cookie to be set in cross-domain iframe
#1

daveWid
I know this is a pretty specific case, but I have a site where authorization is done with the default session library in CI (using 1.6.3) and it works great.

We then had to integrate a stripped-down version of our login with a larger company to sit in an iframe. This works great in Firefox and even IE6, surprisingly. In IE7 the default security won't allow cross-domain cookies to be set, which in turn is breaking our login. (We don't want to get into training people on how to set cross-domain cookie preferences, and my vote was to remove the iframe and push traffic to our site, but that's not an option either.)

I looked at a few of the other Session libraries on the wiki and it looks like all of them rely on a cookie at some point (usually to keep track of the session id).

Does anyone know of a library that only uses PHP native sessions without setting a cookie that is still secure?

Thanks for any help in advance!
#2

Mike Ryan
Hi Dave,

If you have some control over the large company's site, how about something like this:
1) User goes to company.com and sees login form
2) Login form is submitted to company.com/login
3) Company.com/login sends a secure HTTP request to your server with the username/password
4) Your server does the authentication and returns the result to company.com
5) If user authenticated successfully, company.com sets cookie

Although this still uses cookies, it would get around the cross-domain problem with IE7.
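
The server-to-server flow in steps 3 to 5 above, sketched as an added example that is not part of the original post or of CodeIgniter. It assumes modern PHP (7.1+) and a secret shared between the two servers; `PARTNER_SECRET`, both function names and the user store are hypothetical.

```php
<?php
// Added example. PARTNER_SECRET, both function names and the user store are hypothetical.
const PARTNER_SECRET = 'constructed-placeholder-use-a-long-random-value';

// Step 3, on company.com: build the request body and sign it with the shared secret.
function partner_build_request(string $username, string $password): array
{
    $body = json_encode(['username' => $username, 'password' => $password, 'ts' => time()]);
    return [$body, hash_hmac('sha256', $body, PARTNER_SECRET)];
}

// Step 4, on your server: accept only signed, fresh requests, then check the password.
function auth_handle_request(string $body, string $signature, array $users): array
{
    // Constant-time comparison; without this check the endpoint is an open password oracle.
    if (!hash_equals(hash_hmac('sha256', $body, PARTNER_SECRET), $signature)) {
        return ['ok' => false, 'error' => 'bad_signature'];
    }
    $req = json_decode($body, true);
    if (!is_array($req) || !isset($req['username'], $req['password'], $req['ts'])
        || !is_string($req['username']) || !is_string($req['password'])) {
        return ['ok' => false, 'error' => 'bad_request'];
    }
    if (abs(time() - (int) $req['ts']) > 60) {   // narrow the replay window
        return ['ok' => false, 'error' => 'stale_request'];
    }
    $hash = $users[$req['username']] ?? null;
    if ($hash === null || !password_verify($req['password'], $hash)) {
        return ['ok' => false, 'error' => 'invalid_credentials'];
    }
    return ['ok' => true, 'user' => $req['username']];
}

// Constructed sample data: one user, stored as a password hash.
$users = ['demo_user' => password_hash('s3cret-demo', PASSWORD_DEFAULT)];

// In production the pair below travels in an HTTPS POST; here it is passed directly.
[$body, $sig] = partner_build_request('demo_user', 's3cret-demo');
var_dump(auth_handle_request($body, $sig, $users)['ok']);        // valid login
var_dump(auth_handle_request($body, 'tampered', $users)['ok']);  // forged signature
[$body, $sig] = partner_build_request('demo_user', 'wrong');
var_dump(auth_handle_request($body, $sig, $users)['ok']);        // wrong password

// Step 5: on 'ok' => true, company.com starts its own session and sets a first-party
// cookie with the Secure and HttpOnly flags, so nothing is set from inside the iframe.
```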