I have a php application that pulls in pages from a separate domain via iframes. These pages are using cookies.
I've noticed some browsers have a default setting that blocks any external cookies. This is going to cause quite a problem for me.
I've heard mention of P3P but can't find much mention about how to implement it with cookies.
Any help most appreciated,
Jonesy
It would be extremely bad if you could access an external site's cookies just by embedding it in an iframe. Just imagine if you were able to access facebook.com's session cookie just by embedding it.
Just to clarify what Maerlyn is saying - what you're describing is impossible. The website can only access cookies from its own domain. When you go to facebook.com, your facebook cookies are sent to that domain. When you go to google, your facebook cookies are NOT sent there. There is no way for Google to look at your Facebook cookies. Even if it uses iframes. Period. This is a security feature.
So, I suggest you look at other ways to design your software system. For example, if the website you're embedding has an API, I'd use that. Or do a back-end service synchronization to pull in user information. In any case, you need the consent of the other service / other domain to do this.
I am trying to load an iframe across domains, in order to reuse a form submission that collates data into a single point.
I have managed to get most of the functionality and styling working cross domains, enabling CSP policies etc, but I am having issues with Safari and trying to set first-party cookies.
I have used some of the older techniques for setting first-party cookies with redirects, but for whatever reason, the cookies aren't set when I use the redirect to the embedded domain in order to set domains. I think the main issue with the redirect is that you need to have a user interaction as per the Webkit specifications.
I am trying to make this experience as seamless as possible for the user.
Any feedback appreciated, using PHP, NGINX and some JS, HTML & CSS.
I have access to the remote server that will be referenced in the iframe, but I will also be liaising with the developer for the domain where the iframe will be embedded.
I have a use case where I need to be able to access my site from the local server. Specifically, it's for an HTML-to-PDF export of parts of various pages, but this would be nice for testing parts of the website as well.
The problem is that we have a login splash page, which needs to be dealt with before I can access any parts of the website. It would be really nice if I could just call a command "wkhtml2pdf 'localhost/[myurl]'" and have it PDF some stuff, but it hits this splash page.
Is there some way that I can perma-persist just one single session on the server? Or enable login-less access from localhost? Or could I just add a new Apache entry that accesses our site, whitelists only localhost and somehow circumvents the login?
What's the best solution?
You can pass your session cookie as a parameter to wkhtml2pdf to solve your problem.
You can also execute it from a PHP file like this (wkhtmltopdf needs an output path as its last argument, and the cookie name and value must be shell-escaped so they cannot break out of the command):
exec("wkhtmltopdf --cookie " . escapeshellarg($cookieName) . " " . escapeshellarg($cookieValue) . " http://example.com " . escapeshellarg($outputPdf));
Soliciting feedback on this solution now:
I whitelisted localhost via $_SERVER['REMOTE_ADDR'] in the login scripts to bypass the usual user authentication and get an automatic localhost-user login. The server is running, however, on a university LAN, so the LAN may be really big, possibly enabling bidirectional TCP spoofing.
Should I be worried about this, or does someone need admin rights on the routers or something? I trust the IT folks, but not others.
I realize that this sounds like a separate question, but I feel that security relates to whether or not this is a good solution.
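The check the post above describes, written out as an added example in Python (it is not the poster's PHP, and the request environments it tests are constructed). It models the $_SERVER-style request environment as a dict and trusts only REMOTE_ADDR, which is the peer address of the TCP connection the web server itself accepted; a header such as X-Forwarded-For is supplied by the client and can say anything, so a whitelist that honours it is bypassable by anyone. One caveat a practitioner should keep in mind: if a reverse proxy on the same machine sits in front of the web server, REMOTE_ADDR is the proxy's loopback address for every request, and this check would then let everyone in.

```python
"""Deciding whether an HTTP request really came from the local machine.

Added example, not the poster's code. The environments passed to the
functions are dicts with the keys PHP would expose in $_SERVER.
"""
import ipaddress


def is_loopback_client(server_env: dict) -> bool:
    """True only when the TCP peer address is loopback (127.0.0.0/8 or ::1).

    Only REMOTE_ADDR is consulted; it comes from the accepted socket, not
    from anything the client typed into a header.
    """
    raw = server_env.get("REMOTE_ADDR", "")
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        return False          # garbage or missing: fail closed
    # A dual-stack listener may report an IPv4 peer as ::ffff:127.0.0.1;
    # unwrap it so the loopback test sees the real IPv4 address.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_loopback


def naive_is_local(server_env: dict) -> bool:
    """The mistake to avoid: believing a client-controlled header."""
    forwarded = server_env.get("HTTP_X_FORWARDED_FOR")
    if forwarded:
        return forwarded.split(",")[0].strip() == "127.0.0.1"
    return server_env.get("REMOTE_ADDR") == "127.0.0.1"


def demo_localhost_check() -> dict:
    # Constructed sample request environments.
    envs = [
        {"REMOTE_ADDR": "127.0.0.1"},                     # wkhtmltopdf on the box
        {"REMOTE_ADDR": "::1"},                            # same, over IPv6
        {"REMOTE_ADDR": "::ffff:127.0.0.1"},               # IPv4-mapped peer
        {"REMOTE_ADDR": "10.20.30.40"},                    # another LAN host
        {"REMOTE_ADDR": "10.20.30.40",                     # LAN host lying in a header
         "HTTP_X_FORWARDED_FOR": "127.0.0.1"},
    ]
    return {
        "strict": [is_loopback_client(e) for e in envs],
        "naive": [naive_is_local(e) for e in envs],
    }


if __name__ == "__main__":
    print(demo_localhost_check())
```

The strict check admits the three genuinely local peers and rejects both LAN requests; the naive version rejects two local peers (it compares strings, so ::1 and the mapped form fail) and then admits the LAN host that set a forged X-Forwarded-For.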
I am creating a website with WordPress. In Firefox, when I try to log in, it gives me an error: ERROR: Cookies are blocked or not supported by your browser. You must enable cookies to use WordPress.
When I enable cookies in Firefox, it is OK. However, I want to know if there is another way to fix this, because I don't want to require all users to enable cookies to log in, since some users might not know how to do it.
Yes, you have to have cookies enabled in order to log in to WordPress. Note that the front-end of your site should work fine without cookies, so long as you haven't incorporated any features that rely on cookies.
I don't think you're going to have much of an issue with people needing to enable cookies, because the vast majority of people would not have disabled them in the first place. Anyone who has disabled cookies is going to have issues with a lot of sites, not just yours. It's likely that they will know how to enable cookies because 1) they disabled them in the first place and 2) they will probably have done it for other sites.
That said, there is at least one way you could accomplish a cookie-less login, but WordPress does not support this approach out of the box. See:
PHP session without cookies
WordPress does not use PHP sessions by default, but with a bit of work you could override the default authentication handling and use a cookie-less session. It would take a lot of care to accomplish this without injecting security issues into your site (ex: session hijacking).
My advice is: Just have a cookie!
Cookies are required
There is no way to log in to WordPress without cookies enabled. It is the only way. Cookies are extremely common and users these days accept this requirement for a logged-in experience.
Take it from me, I get paid to speed up WordPress sites with Varnish caching and I am 100% positive that cookies are required to login.
I started learning PHP a couple of weeks ago, and now I would like to create (even a simpler version would be acceptable for me) a website such as:
www.cookiebot.com/en/start
cookie-checker.com
So I would like to create a form where the user can type the domain for which she/he would like to know which cookies are sent/used on that website.
Whether they are third-party cookies or not, and so on.
On the Internet I have found several different answers to this question: some people told me it is not possible to get such cookies, others told me it is possible but were not able to explain it to me, and so on.
So my question is: can somebody explain to me, in theory, how a website like that one works?
Does PHP have a function to get cookies or cookie information from a website and let the developer read the cookies, at least to know what kind of cookie it is?
Or is there maybe any way to read the cookies stored on my computer when I visit a website?
Thank you very much!
No.
The browser explicitly saves cookies on a per-domain and even per-directory basis. When the server sets a cookie, it can specify within limitations whether a cookie is valid for subdomains or not and what path it should be valid for. However, cookies cannot be set cross-domain or read cross-domain. The browser will not send cookies back to other servers, and client-side Javascript has no access to cookies from other domains either.
In short, you cannot have a website which has access to cookies set by some other website. And that is a good thing. Otherwise security would be non-existent on the web.
I have a website which creates a cookie and I want to use this cookie in my application on Facebook. Is it possible? If not, any idea how to receive information from my website and pass it to Facebook?
You can't share cookies across domains - just subdomains. That's by design, and important (tm).
Can you have the user log in to your site using Facebook Connect to share a session across the two sites?
Just as Andy said, you can't share cookies across domains and this is an important security feature. Another thing you can't do is make cross-domain AJAX requests.
What's odd about your question is you're asking about a facebook application. Facebook applications are not hosted by facebook, so therefore you are hosting the application yourself. Since you are hosting the application yourself, it is possible you're hosting the application on the same server and even domain. Therefore if that is the case, as long as your facebook application is using an iframe and points to the application hosted on the same domain you can have cookies accessed from both the application and the website. But again, I repeat this is only if your facebook application is using an iframe and pointing to a domain that is the same as your website.
Tip: If your application or website is a subdomain, make sure to put a dot before your cookie to make it accessible on all subdomains. i.e. .domain.com
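The scoping rules the answers above rely on (a cookie set by facebook.com is never sent to google.com, google.com cannot set a cookie for facebook.com, and a cookie with a Domain attribute is shared across subdomains while one without is host-only), modelled as an added Python example. This is not code from any of the posters; it implements the domain-match and path-match rules of RFC 6265, where a leading dot on the Domain attribute is ignored, so ".domain.com" and "domain.com" behave the same in a modern browser. Two simplifications are assumptions of the example: there is no public-suffix list (a real browser also refuses Domain=com), and expiry, SameSite and HttpOnly are not modelled. The Set-Cookie headers and URLs in the demo are constructed.

```python
"""Model of how a browser decides which cookies a request carries.

Added example; it follows RFC 6265 section 5 but omits the public-suffix
check and expiry handling (assumptions stated in the lead-in).
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str       # lowercase, leading dot stripped
    host_only: bool   # True when Set-Cookie carried no Domain attribute
    path: str
    secure: bool


def _domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def _path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def _default_path(request_path: str) -> str:
    """Default-path of a response URL: everything up to the last slash."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[: request_path.rfind("/")]


class CookieJar:
    def __init__(self) -> None:
        self.cookies: list[Cookie] = []

    def store(self, response_url: str, set_cookie: str) -> bool:
        """Apply one Set-Cookie header from response_url. False if rejected."""
        parts = urlsplit(response_url)
        host = parts.hostname.lower()
        name_value, *attrs = [p.strip() for p in set_cookie.split(";")]
        name, _, value = name_value.partition("=")
        domain, path, secure = None, None, False
        for attr in attrs:
            key, _, val = attr.partition("=")
            key = key.strip().lower()
            if key == "domain":
                domain = val.strip().lower().lstrip(".")   # leading dot ignored
            elif key == "path":
                path = val.strip()
            elif key == "secure":
                secure = True
        if domain:
            # A response may only scope a cookie to its own host or a parent
            # domain of it; anything else is silently dropped by the browser.
            if not _domain_matches(host, domain):
                return False
            host_only = False
        else:
            domain, host_only = host, True
        if not path or not path.startswith("/"):
            path = _default_path(parts.path or "/")
        self.cookies = [c for c in self.cookies
                        if (c.name, c.domain, c.path) != (name, domain, path)]
        self.cookies.append(Cookie(name, value, domain, host_only, path, secure))
        return True

    def cookies_for(self, request_url: str) -> dict:
        """The cookies a browser would attach to a request for request_url."""
        parts = urlsplit(request_url)
        host = parts.hostname.lower()
        req_path = parts.path or "/"
        https = parts.scheme == "https"
        sent = {}
        for c in self.cookies:
            if c.host_only and host != c.domain:
                continue
            if not c.host_only and not _domain_matches(host, c.domain):
                continue
            if not _path_matches(req_path, c.path) or (c.secure and not https):
                continue
            sent[c.name] = c.value
        return sent


def demo_cookie_scoping() -> dict:
    jar = CookieJar()
    # Constructed sample responses.
    jar.store("https://www.facebook.com/", "c_user=123; Path=/; Secure")
    jar.store("https://www.example.com/app/", "sess=abc")          # host-only, path /app
    jar.store("https://www.example.com/", "shared=xyz; Domain=.example.com; Path=/")
    rejected = not jar.store("https://www.google.com/", "c_user=evil; Domain=facebook.com")
    return {
        "facebook": jar.cookies_for("https://www.facebook.com/feed"),
        "google": jar.cookies_for("https://www.google.com/"),
        "www_app": jar.cookies_for("https://www.example.com/app/form"),
        "app_sub": jar.cookies_for("https://app.example.com/"),
        "fb_plain_http": jar.cookies_for("http://www.facebook.com/"),
        "cross_domain_set_rejected": rejected,
    }


if __name__ == "__main__":
    print(demo_cookie_scoping())
```

Running the demo shows facebook.com's cookie reaching only facebook.com (and only over HTTPS, because it is Secure), google.com's attempt to set a facebook.com cookie being rejected, the host-only `sess` cookie staying on www.example.com, and the `shared` cookie with a Domain attribute travelling to app.example.com as well, which is the subdomain case the last answer's tip is about.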