
Here is the page in question: http://www.customazon.com/demo

The primary page (@customazon.com) loads an iframe containing the secondary domain(@gamekeg.com). I want to allow users to log into the Admin Control Panel with the password provided. The problem is, since it's a second domain, the browsers treat it as a "Third Party Cookie" and most reject them outright. I need to find a way to allow cookies to be set within this iframe. Asking the user to adjust their cookie settings is not an option.

Things I've tried:

  1. Setting a P3P short-version (many different versions of the CP= string) in the header: header('P3P:CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"');

  2. Creating (probably incorrectly, but I did the best I could manage) a P3P long-version with policy.p3p and p3p.xml files.

  3. Some strange JavaScript loading a hidden iframe and posting to it (Safari workaround?).

Nothing has worked in the slightest. ANY help that could be given to find a way to allow this would be great.


1 Answer


(I may have gotten the domains switched around in this answer, but the theory should be the same.)

Your best bet would be to do a cross-domain AJAX request from the gamekeg.com login page to customazon.com (you'll need to send some special headers to allow the cross-domain request — read more on that link). Under normal circumstances, this is impossible unless you control both sites (which you seem to).

On the gamekeg.com login page, after the user has successfully logged in, you can make a call like this:

// I don't expect you to use jQuery, but I don't recall the entire
// AJAX process off of the top of my head. The request has to be a
// POST (ajax_login.php reads $_POST) and must carry credentials
// (xhrFields.withCredentials), or the browser ignores the Set-Cookie
// headers in the response.
$.ajax("http://customazon.com/ajax_login.php", {
    type: "POST",
    xhrFields: { withCredentials: true },
    data: {
        // json_encode() emits properly quoted JavaScript string literals
        "username": <?php echo json_encode($username); ?>,
        "password_hash": <?php echo json_encode($password_hash); ?>
    }
});

ajax_login.php might be something like:

<?php
// Send appropriate cross-domain headers here.
// In addition, you must configure your crossdomain.xml in your root.
header("Access-Control-Allow-Methods: GET, POST, OPTIONS");
header("Access-Control-Allow-Credentials: true");
// Must be the exact origin the iframe page is served from, not a wildcard,
// because the request carries credentials.
header("Access-Control-Allow-Origin: http://gamekeg.com");
header("Access-Control-Allow-Headers: Content-Type, *");
if (isset($_POST["username"]) && isset($_POST["password_hash"])) {
    // Cookies are set on customazon.com, the domain this script runs on.
    setcookie("username", $_POST["username"], time() + 24 * 60 * 60);
    setcookie("password", $_POST["password_hash"], time() + 24 * 60 * 60);
}

Then, on the frame container, you can do a check every so often to see if the user is logged in (readCookie taken from QuirksMode):

function readCookie(name) {
    var nameEQ = name + "=";
    var ca = document.cookie.split(';');
    for (var i = 0; i < ca.length; i++) {
        var c = ca[i];
        while (c.charAt(0) == ' ') c = c.substring(1, c.length);
        if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length, c.length);
    }
    return null;
}

function checkAjaxLogin() {
    if (readCookie("username") !== null && readCookie("password")) {
        // You're logged in now; reloading the page should
        // do the rest, assuming the cookies are named correctly.
        // (window.location has reload(), not refresh().)
        window.location.reload();
    }
}

// Poll every two seconds; the reload navigates away, so no need to clear it.
setInterval(checkAjaxLogin, 2000);

If you can use Flash, however, the process might be expedited as Flash requests don't care about cross-domain policy. However, I haven't the skill in Flash to provide an example and there's probably plenty, anyways.
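A hardened version of the ajax_login.php endpoint from the answer above, added here as an example that is not part of the original answer. It assumes the script runs on https://customazon.com, that the iframe page posting to it is served from https://gamekeg.com, and PHP 7.3 or later (for the array form of session_set_cookie_params with the samesite key). It departs from the answer in two ways: the client posts the plaintext password over TLS (field name password) instead of a client-side password_hash, and the browser receives only an opaque session id cookie rather than the credentials themselves. The credential store is a constructed in-memory array so the example runs stand-alone.

```php
<?php
// Added example, not from the original answer: a hardened ajax_login.php.
// Assumptions: this runs on https://customazon.com, the iframe page posting
// to it is served from https://gamekeg.com, and PHP >= 7.3.

$allowedOrigins = ['https://gamekeg.com'];   // exact-match allowlist, no wildcards
$origin = $_SERVER['HTTP_ORIGIN'] ?? '';

// Echo back only an allowlisted origin. With credentials, browsers reject
// "Access-Control-Allow-Origin: *" anyway, so an allowlist is required.
if (!in_array($origin, $allowedOrigins, true)) {
    http_response_code(403);
    exit;
}
header('Access-Control-Allow-Origin: ' . $origin);
header('Access-Control-Allow-Credentials: true');
header('Access-Control-Allow-Methods: POST, OPTIONS');
header('Access-Control-Allow-Headers: Content-Type');
header('Vary: Origin');   // keep shared caches from serving one origin's answer to another

// The browser's CORS preflight: answer it and stop.
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
    http_response_code(204);
    exit;
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit;
}

// Constructed sample credential store for this example; a real deployment
// reads the stored password_hash() value from its user database.
$users = [
    'admin' => password_hash('example-only-password', PASSWORD_DEFAULT),
];

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';   // plaintext over TLS, verified server-side

// Unknown user and wrong password produce the same 401 response.
if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
    http_response_code(401);
    exit;
}

// What the browser stores is an opaque session id, not the credentials.
// Secure + SameSite=None is what makes the cookie eligible for use inside a
// cross-site iframe; HttpOnly keeps it out of document.cookie.
session_set_cookie_params([
    'lifetime' => 24 * 60 * 60,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'None',
]);
session_start();
session_regenerate_id(true);   // fresh id after authentication (session-fixation defence)
$_SESSION['username'] = $username;

header('Content-Type: application/json');
echo json_encode(['logged_in' => true]);
```

Because the session cookie is HttpOnly, the container page's checkAjaxLogin can no longer read it from document.cookie; the equivalent check is to poll a small endpoint on customazon.com (for example a hypothetical whoami.php that returns the session state as JSON) with credentials included and reload when it reports a login. Two caveats apply: the SameSite=None; Secure pair only makes the cookie eligible, and browsers that block third-party cookies outright (Safari, and Chrome profiles with that setting) will still drop it, in which case the Storage Access API (document.requestStorageAccess()) is the supported route; and the Flash crossdomain.xml mentioned in the answer is consulted only by Flash and Silverlight, not by XMLHttpRequest, so the CORS headers above are what govern the AJAX request.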