Issue with sessions in iframes #319
Comments
Is it a different subdomain? Is everything/nothing https? |
It is the same subdomain, and nothing is HTTPS yet. The only differences are:
All pages under

The middleware for authentication is really simple:

```js
function handleLogin(req, res) {
  const username = req.body.username, password = req.body.password;
  db.verifyLogin(username, password)
    .then(authorized => {
      req.session.loggedIn = authorized;
      return authorized;
    })
    .then(authorized => res.status(authorized ? 200 : 400).send())
    .catch(err => res.status(500).send(err.message));
}
```

The middleware to check if they are logged in is similarly simple:

```js
function isUserLoggedIn(req, res, next) {
  if (req.session.loggedIn) { return next(); }
  console.log('Redirecting session %s to /, not logged in', req.sessionID);
  return res.redirect('/');
}
```

Yet, if I log the session ID in both places, then I get two different session IDs:

```js
function logRequests(req, res, next) {
  console.log('HTTP %s %s | Session %s', req.method, req.originalUrl, req.sessionID);
  next();
}
```

Returns something like (I'm not at work so I don't have the exact log, but it's similar to this): |
What browser is this? I don't think you will need to ask the parent window for cookie information. The browser should see a request for a certain domain and append the cookie for you if the domain/path abide by the initial responses. |
I set up a quick and dirty
It looks like, since the domain was the same, there were no issues picking up the cookie.
|
Wow, @shaunwarman, thanks for going to all this trouble. With your help I've been able to track down the issue: our route that controls authorization was a little different than I remembered (when I provided the example code I was going from memory as I was not at work), and was forcing a session resave. However, there was a bug in our session store implementation that was causing this to regenerate a new (blank) session. We have not yet implemented anything else that will depend on the logged-in session, so it looked like the issue was the iframes when in reality it was our login process. Sorry for taking everyone's time, and thanks for the assist! |
No problem at all! Glad you found the issue. |
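The root cause reported in the thread (a forced resave hitting a session-store bug, leaving the next request with a blank session) can be caught with a store round-trip check before suspecting iframes or cookies. This is an added example, not code from the thread or from express-session: both store classes, the specific bug and `checkResave` are constructed for illustration, and only the `get(sid, cb)` / `set(sid, session, cb)` signatures follow the express-session store interface.

```javascript
// Added example: GoodStore, ResaveLosesSessionStore and checkResave are
// hypothetical names; get/set mirror the express-session store interface.

// Correct store: set() serialises the whole session, get() returns it.
class GoodStore {
  constructor() { this.rows = new Map(); }
  get(sid, cb) {
    const raw = this.rows.get(sid);
    cb(null, raw ? JSON.parse(raw) : null);
  }
  set(sid, session, cb) {
    this.rows.set(sid, JSON.stringify(session));
    cb(null);
  }
}

// Constructed bug: a second set() for an existing sid (a forced resave)
// drops the row instead of updating it.
class ResaveLosesSessionStore extends GoodStore {
  set(sid, session, cb) {
    if (this.rows.has(sid)) { this.rows.delete(sid); return cb(null); }
    super.set(sid, session, cb);
  }
}

// Replays the login flow: initial save, login sets loggedIn and resaves,
// then the next request (such as the iframe) loads by the same cookie sid.
// Callbacks fire synchronously in these in-memory stores, so `result` is
// filled in before the function returns.
function checkResave(store) {
  const sid = 'sid-constructed-1'; // constructed sample session ID
  const result = { found: false, loggedIn: false };
  store.set(sid, { cookie: {}, loggedIn: false }, (err) => {
    if (err) throw err;
    store.set(sid, { cookie: {}, loggedIn: true }, (err2) => {
      if (err2) throw err2;
      store.get(sid, (err3, sess) => {
        if (err3) throw err3;
        // No session found here is the case where express-session
        // generates a fresh, blank session with a new ID.
        result.found = Boolean(sess);
        result.loggedIn = Boolean(sess && sess.loggedIn);
      });
    });
  });
  return result;
}

console.log('good store :', checkResave(new GoodStore()));
console.log('buggy store:', checkResave(new ResaveLosesSessionStore()));
```

A store that fails this check produces the symptom from the question: the session ID logged at login differs from the one logged on the next request, regardless of whether that request comes from an iframe.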
Hello!
My website has a main application, and sets of content loaded in an iframe.
The content of the iframe comes from a specific route in the application, so coming from the same domain/host.
However, when I set an express session, inside the iframe is a different session ID; something is making it set a new cookie.
I know there are issues setting "third party" cookies in an iframe, but this iframe is loading content from the same host. Does anyone have any idea what I could do to resolve this?
Thanks!