Minority Opinions

Not everyone can be mainstream, after all.

Cooking as the Third Party

leave a comment »

An obscure bug with an obscure solution was brought to our attention one weekend.  The next weekend, we were informed that the same symptoms were displayed by another browser.  Safari rejects our third-party session cookies even with a P3P header, requiring much more drastic measures.  So drastic that I’m not sure which route we’ll take.

In essence, Apple disliked Google’s iframe cookies so much that a domain can’t create its first cookie at all, as far as my limited experiments can discover, unless it’s the domain loaded in the top frame.  Thereafter, iframes are free to set and modify cookies, but that first one must come from the outside.  So what can you do?

  1. Live without cookies.  If you need sessions, pass them around in GET or POST variables to every single page.  Somewhat less than ideal, but possible; PHP even has some built-in support for this.  The good news is that within an iframe, the URL junk won’t even be displayed to the user.  Unless they hover over a link to see where it goes, anyway.
  2. Pop up a new tab or window to set a cookie just before closing itself.  Distracting, but should only be necessary once per session, maybe even once per browser.  To bypass popup blockers, it will probably have to be done by a link that the user clicks, and then the iframe will want to know when it can reload, but those are minor annoyances.
  3. Convince the outer page to redirect to a page on your site, than then redirects back to the page with the iframe.  Of course, this relies on a solid partnership with the outer domain, or at least control over the link that the user clicks.
  4. Forcibly redirect the outer page with Javascript, then use Javascript to go back after setting the cookie.  This seems to work almost invisibly, but relies on a bit more black magic than I’m normally comfortable with.

Written by eswald

13 Aug 2013 at 7:16 pm

Posted in Technology

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s