How to retrieve Facebook cookies with cross-domain and Safari - php

I've been working on this problem all day long, so I really need your help.
I'm trying to create a multi-site login system with Facebook Connect and unfortunately I can't retrieve cookies.
Here are a few more details:
I have a website (www.first.com) which has an iframe pointing to www.second.com, which displays the Facebook Connect button. I have to use this method because a Facebook App is only valid for 1 website, and I will need to use it on multiple.
When the user clicks on the button and logs into Facebook, he is redirected to www.second.com, which saves values in a database, which are later retrieved on www.first.com.
Everything is working fine in Firefox, and IE 8/7 works fine too since I've added the P3P header.
The problem is that I can't make it work on Safari, which requires some kind of interaction from the user with the iframe.
I found some code ( http://anantgarg.com/2010/02/18/cross-domain-cookies-in-safari/ ) but I'm not sure how to use it. I've tried every possible way (I think), and nothing. I guess it doesn't work because I would need to use this on Facebook's server (which I can obviously ;) )
Does anyone have an idea?
Sorry for the huge block of text ;) let me know if you need more information.

Cross-domain cookies sound like a security bug.
Are you sure you aren't violating the same-origin policy?
In fact, AFAIK, you can't access cookies for first.com from second.com.

Related

Session ID change with every load inside iFrame when disabled Third-party cookies in the browser

I have been searching for answers across the Internet, but most of the answers are old and do not work anymore, or they involve changing the host and the remote server. I want a solution where I can give working iframe HTML code to my clients, so they can embed it into their websites and use the built-in shop from my website in their website. The website opens successfully, but the session changes every time there is a new request. I tried putting this on my server end, but it is not working:
// Must run before session_start()
session_set_cookie_params([
    "samesite" => "None", // None, Lax or Strict
    "secure" => true,     // false or true
    "httponly" => true,   // false or true
]);
I am open to ideas for my problem. After a lot of digging I can see that Chrome changed something and now you can't persist a session from one site to another, because of hacking attacks I guess.
My question is: is there a way to keep the session between pages in Chrome 106 and above without changing anything on the remote server website?
Update: @CBroe is right, this is probably happening because I disabled third-party cookies in my browser. If someone can give me a working solution to that I will be more than glad, if there is a working solution to that at all; otherwise I have to change my code and send the session with GET/POST requests like CBroe is suggesting.
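
Added example (not part of the original questions or their replies): a small PHP audit of Set-Cookie header values, showing which session cookies a browser will reject or withhold when the page runs inside a cross-site iframe, as in the two questions above. The function names and the sample header strings are constructed for illustration.

```php
<?php
// Added example: audit Set-Cookie values for a page embedded in a cross-site iframe.
// Function names and sample headers are constructed for illustration.

/** Split one Set-Cookie value into the cookie name and a lowercase attribute map. */
function parse_set_cookie(string $header): array
{
    $parts = array_map('trim', explode(';', $header));
    [$name] = explode('=', array_shift($parts), 2);
    $attrs = [];
    foreach ($parts as $part) {
        if ($part === '') {
            continue;
        }
        $kv = explode('=', $part, 2);
        $attrs[strtolower(trim($kv[0]))] = isset($kv[1]) ? trim($kv[1]) : true;
    }
    return ['name' => $name, 'attrs' => $attrs];
}

/** List what stops the cookie from working, or from being safe, in a third-party frame. */
function audit_for_iframe(string $header): array
{
    $a = parse_set_cookie($header)['attrs'];
    $sameSite = is_string($a['samesite'] ?? null) ? strtolower($a['samesite']) : null;
    $problems = [];
    if ($sameSite === null) {
        $problems[] = 'no SameSite: Chrome defaults to Lax, so it is not sent from the iframe';
    } elseif ($sameSite !== 'none') {
        $problems[] = "SameSite=$sameSite: not sent on cross-site iframe requests";
    } elseif (!isset($a['secure'])) {
        $problems[] = 'SameSite=None without Secure: the browser rejects the cookie';
    }
    if (!isset($a['httponly'])) {
        $problems[] = 'no HttpOnly: the session id is readable from JavaScript';
    }
    return $problems;
}

// Constructed sample headers.
$samples = [
    'PHPSESSID=abc123; path=/',
    'PHPSESSID=abc123; path=/; SameSite=None',
    'PHPSESSID=abc123; path=/; Secure; HttpOnly; SameSite=None',
];
foreach ($samples as $h) {
    echo $h, "\n  ", implode("\n  ", audit_for_iframe($h) ?: ['ok when third-party cookies are allowed']), "\n";
}
```

A cookie that passes this audit is still not stored when the visitor's browser blocks third-party cookies outright, which is the situation the update above describes.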

Cookie issue on google chrome

I encounter a cookie issue with my website.
When a customer clicks on "remember me" before logging in, a cookie is created, and then when he leaves and comes back later, he is automatically logged in again.
It works on Firefox/IE & co, but not on Chrome...
I have written a little script to test cookie creation on Chrome. Here it is:
<?php
// Set a test cookie that should persist for one year
if (isset($_GET['test'])) {
    setcookie('TESTSOMECOOKIE', '1234', time() + 60 * 60 * 24 * 365);
}
?>
It couldn't be simpler!
When I run the script:
The cookie is created properly.
If I close the tab and open a new one (without passing the test param), the cookie still exists.
If I close Google Chrome and re-open it, and go to the test script (without passing the test param), the cookie is not present anymore... and if I do that on Firefox or IE there is no problem, the cookie is still present in all cases.
I'm trying this on a webserver ( not a local IP address ).
I have NOT activated the private navigation on chrome.
Cookies are enabled and work as on Gmail/Facebook, etc... Chrome keeps the cookies for these sites!
I already checked other issues posted on the web but no real answers about that...
So, this is a very weird issue that I would like to solve if possible.
If anyone has an idea...
Thank you very much for your suggestions, and sorry for my English.
Try to see if "Keep local data only until I quit my browser" is checked.
It's located in Settings > Content Settings > Cookies.
See if that helps.

How to fix HTTP error code 500 received on IE when redirecting user to URL provided by getLoginURL()

So, I have this PHP application that uses FB Connect for authenticating its users. Everything looks right in Chrome and Firefox and as far as I knew it did work before on IE.
For a couple of days now I cannot make it work in IE anymore, even though I haven't changed anything.
The idea is simple. When a user goes to http://myapp.com/login we redirect him (with a header('location:'.$facebook->getLoginURL()); command) to a URL provided by the FB PHP SDK, that is getLoginURL().
Now, as I stated, in Chrome and Firefox it looks and works as intended and the user is presented with FB's login form. But in IE all that we get is a message that says The website cannot display the page and it's HTTP response code is set to 500.
Any idea what that could be?
Later edit
We found out that on some computers it does work on IE as well. So that makes it even more frustrating. What's different between 2 different computers both running IE10 on Windows 8 on the same WiFi network?
Another update
So we compared the URLs that getLoginURL() returns in Chrome and IE10 and they look like this:
IE10:
https://www.facebook.com/dialog/oauth?client_id=1234567890&redirect_uri=http%3A%2F%2Fdev.puzzled.by%2Flogin%2Fpopup&state=80c85248af70ed5b0a1826e4e1662b79
Chrome:
https://www.facebook.com/dialog/oauth?client_id=1234567890&redirect_uri=http%3A%2F%2Fdev.puzzled.by%2Flogin%2Fpopup&state=0172ab20d05eeab382cd5a0f4340fedd
So they look the same. But IE10 just returns an HTTP 500 error code.
P.S: Please keep in mind that the real client_id is different. We just changed it in this post for security reasons.
We've "fixed" this on our side at least... We cannot know if our users are having the same problem and if they have it's kind of sad because we can't help them :)
What we did was to delete all saved cookies from IE and it just worked... Crazy, eh?

Block facebook from my website

I have a secure link direction service I'm running (expiringlinks.co). If I change the headers in php to redirect my visitors, then facebook is able to show a preview of the website I'm redirecting to when users send links to one another via facebook. I wish to avoid this. Right now, I'm using an AJAX call to get the URL and javascript to redirect, but it's causing problems for users who don't use javascript.
Here are a number of ways I'd like to block facebook, but I can't seem to get working:
I've tried blocking the facebook bot (facebookexternalhit/1.0 and facebookexternalhit/1.1) but it's not working, I don't think they're using them for this functionality.
I'm thinking of blocking the facebook IP addresses, but I can't find all of them, and I don't think it'll work unless I get all of them.
I've thought of using a CAPTCHA or even a button, but I can't bring myself to do that to my visitors. Not to mention I don't think anyone would use the site.
I've searched the facebook docs for meta tags that would "opt-me out", but haven't found one, and doubt that I would trust it if I had.
Any creative ideas or any idea how to implement the ones above? Thank you so much in advance!
Try this - it works for me ...
<?php
// Send Facebook's link-preview crawler to a placeholder page instead of the real target
$ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
if (preg_match('/facebookexternalhit/i', $ua)) {
    header('Location: no_fb_page.php');
    die();
}
?>
You could try to get the logfile of your web server, and search there for unusual user agents (maybe containing facebook).
Or, otherwise, get the logs and delete every line containing Internet Explorer/Firefox/Opera...
Then you should have only bot user agents in the end.
Then you could search for the facebook one.
All you need to do is appropriately set up robots.txt.
http://www.robotstxt.org/robotstxt.html
You could try using a meta refresh instead of a javascript redirect. They work for all browsers and because the page still returns a 200 response any crawler should stop resolving there.
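
Added example, not from any of the answers above: one way to build the meta-refresh page the last answer suggests, with the target URL validated and HTML-escaped before it is written into the page. The function names and the sample URL are assumptions made for illustration.

```php
<?php
// Added example: forward with a meta refresh on a 200 page instead of a Location header.
// In the link service $target would come from its own storage; the value at the bottom is a constructed sample.

/** Accept only absolute http(s) URLs with a host, so javascript: or data: targets never reach the page. */
function is_safe_target(string $url): bool
{
    $parts = parse_url($url);
    return is_array($parts)
        && in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)
        && !empty($parts['host']);
}

/** Build the response body; the URL is HTML-escaped before it enters the attribute values. */
function render_interstitial(string $target): string
{
    $safe = htmlspecialchars($target, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<!doctype html>\n<html><head>\n"
        . "<meta charset=\"utf-8\">\n"
        . "<meta name=\"robots\" content=\"noindex, nofollow\">\n"
        . "<meta name=\"referrer\" content=\"no-referrer\">\n"
        . "<meta http-equiv=\"refresh\" content=\"0; url=$safe\">\n"
        . "<title>Redirecting</title>\n</head><body>\n"
        . "<p><a href=\"$safe\" rel=\"noreferrer nofollow\">Continue</a></p>\n"
        . "</body></html>\n";
}

/** Send the headers and the page, or a 400 when the stored target is not a plain web URL. */
function send_interstitial(string $target): void
{
    if (!is_safe_target($target)) {
        http_response_code(400);
        echo 'Bad link';
        return;
    }
    header('Cache-Control: no-store');        // keep the expiring link out of caches
    header('X-Robots-Tag: noindex, nofollow');
    header('Referrer-Policy: no-referrer');   // do not pass the short URL on to the target site
    echo render_interstitial($target);
}

send_interstitial('https://example.org/report?id=7&lang=en');
```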

How to track where a visitor came to my site from - php

I want to track the site URL from where user reached my site.
Where he came from, i.e., Google, Gmail, Facebook, etc.
I tried $_SERVER['HTTP_REFERER'] but it does not contain anything when the user clicks on my site link from any external site, but it holds a value when I navigate among my site's pages, and it is also not trusted.
So, what can I do from here?
Is there any other way to track the external URL through PHP?
Any idea?
EDIT: Now HTTP_REFERER is able to get the URL from most sites, but it is not able to get the URL if the user came through Gmail or AOL. What could be the cause?
HTTP_REFERER is the only way to get any information about the previous site.
And it is also up to the browser whether it supplies that information; most do by default.
It's a header that is set by the browser in the request to your server. If it is not present, then you will never know where the user came from.
If the browser is sending it and you still do not get anything on the server, check if you have any code that interferes with the $_SERVER variable.
Try this URL; it's a Google search result that goes to a page that just dumps the HTTP_REFERER.
As the page indicates, if the box lists (none), then your browser is not sending HTTP_REFERER, but if you get a result then the problem is in your server.
http://www.google.com/url?sa=t&source=web&cd=1&sqi=2&ved=0CBIQFjAA&url=http%3A%2F%2Fkarmak.org%2F2004%2Freftest%2Ftest&rct=j&q=http_referer%20test&ei=cNQ2TdGYGsmUOp_ExPoD&usg=AFQjCNFVSmYmQBUcL2l3_ZpmZzVWZztjWg&cad=rja
You can compare it to when you load the page without Google redirecting you:
http://karmak.org/2004/reftest/test
Here is their own start page with link:
http://karmak.org/2004/reftest/
Have you tried it in a variety of browsers? It's down to the browser (As far as I'm aware) to set HTTP_REFERER and sometimes privacy settings can prevent this.
Visitors coming from Google can be tracked using Google Analytics; it gives you the search query terms used before.
This solution also tracks a lot of other things about your visitors. I understand it's not PHP based, but it's the only other kind of solution I know if HTTP_REFERER is not enough for you, and as you quoted Google...
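
Added example, not from any of the answers above: classifying the Referer value for statistics while treating it as untrusted client input, with dot-boundary host matching so that a look-alike host is not counted as Google. The function names, labels and sample values are constructed for illustration.

```php
<?php
// Added example: classify the traffic source from the Referer header.
// The header is client-supplied: use the result for statistics only, never for access control.

/** True when $host is $domain itself or a subdomain of it (dot-boundary match). */
function host_matches(string $host, string $domain): bool
{
    return $host === $domain || substr($host, -strlen($domain) - 1) === '.' . $domain;
}

/** Map a Referer value to a source label; $ownHost is this site's host name. */
function classify_referer(?string $referer, string $ownHost): string
{
    if ($referer === null || $referer === '') {
        return 'direct-or-hidden';   // typed URL, bookmark, mail client, or header not sent
    }
    $parts = parse_url($referer);
    $scheme = is_array($parts) ? strtolower($parts['scheme'] ?? '') : '';
    if (!in_array($scheme, ['http', 'https'], true) || empty($parts['host'])) {
        return 'invalid';
    }
    $host = strtolower(rtrim($parts['host'], '.'));
    if (host_matches($host, strtolower($ownHost))) {
        return 'internal';
    }
    // Assumed mapping for illustration, most specific entries first.
    $known = ['mail.google.com' => 'gmail', 'google.com' => 'google', 'facebook.com' => 'facebook'];
    foreach ($known as $domain => $label) {
        if (host_matches($host, $domain)) {
            return $label;
        }
    }
    return 'other:' . $host;   // still attacker-controlled text: escape it before displaying
}

// Constructed sample values; in a request handler pass $_SERVER['HTTP_REFERER'] ?? null.
$samples = [null, 'https://www.google.com/search?q=x', 'https://mail.google.com/mail/u/0/',
    'https://google.com.evil.example/', 'javascript:alert(1)', 'https://www.example.org/page'];
foreach ($samples as $r) {
    echo var_export($r, true), ' => ', classify_referer($r, 'example.org'), "\n";
}
```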
