Facebook apps (iframes) and third-party cookies

I have a Rails application that runs inside Facebook as an iframe. I use the Koala gem to communicate with FB (also SD SDK for some parts) and Devise as an authentication base.

For some time, I have been seeing problems caused by the fact that the application runs inside an iframe, so third-party cookies cannot be set. For IE, I use the P3P header, which somehow mitigated the problem.

But all this is very confusing. I'm on Snow Leopard.

For example:

  • With Safari 5.1.1, I installed "Block cookies from third parties and advertisers." The application works fine and can be used without problems.

  • In Chrome 5.0.874 (last update), the option "Block third-party cookies" was checked, so the two main cookies that my application sets (cookies and fbs_xxxx cookies) cannot be set, and the application does not work because the user needs authentication all the time.

  • Opera 11.52 has no links to third-party cookies, and the browser is set to "accept cookies only from sites that I visit." My application works with this setting.

  • With Firefox 7.0.1, my application works, but I just could not find any settings related to cookies. Just delete them.

Apparently my problem is with Chrome, but the same setup works with Safari. Therefore, I am really confused.

Is asking the user to allow third-party cookies the only solution to this problem?

Thanks.

UPDATE TO MY CURRENT DECISION OF WORK

I conducted additional research and tests. I tried using alternative Rails methods to store sessions. By default, they are stored in a cookie, but you can store session data in memory, db, etc. But this is not enough, because it still uses a cookie with a pointer to the alternative storage that you choose.

In the end, I set some URL information that allows me to find the identity of the current registered user, get the user, and manually sign this user in using Devise's sign_in method. I don’t like it very much, but now I can block third-party cookies and it still works. I will make changes later and instead of having real information, I will have a key to the memcached entry, from where I will get the user (previously installed), because only my application should have access to this memcached server.

Thanks.

+7
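
A sketch of the memcached-key approach described in the update above, added here as an example and not the poster's code: the URL carries only a random opaque token, and the cache maps the token's SHA-256 digest to the user id. It goes slightly beyond the post by expiring tokens and rotating them on use, because URLs end up in Referer headers, server logs and browser history. `TokenStore`, `UrlSessionTokens`, the 15-minute TTL and the Hash standing in for memcached are all assumptions.

```ruby
require "securerandom"
require "digest"

# Stand-in for the memcached server (assumption): a Hash with per-entry expiry.
class TokenStore
  def initialize(clock: -> { Time.now.to_f })
    @entries = {}
    @clock = clock
  end

  def write(key, value, ttl:)
    @entries[key] = [value, @clock.call + ttl]
  end

  # Removes the entry and returns its value only if it has not expired.
  # With a real cache the read and the delete are two separate calls.
  def take(key)
    value, expires_at = @entries.delete(key)
    value if value && @clock.call < expires_at
  end
end

# Issues and redeems the opaque tokens that travel in the URL (hypothetical class).
class UrlSessionTokens
  TTL = 15 * 60 # seconds; assumed lifetime, keep it short for URL-borne tokens

  def initialize(store)
    @store = store
  end

  # Returns a 43-character token; the URL never carries the user id itself.
  def issue(user_id)
    token = SecureRandom.urlsafe_base64(32)
    @store.write(cache_key(token), user_id, ttl: TTL)
    token
  end

  # Returns [user_id, fresh_token], or nil for unknown, expired or replayed
  # tokens. A controller would load the user and call Devise's sign_in.
  def redeem(token)
    return nil unless token.is_a?(String) && token.match?(/\A[\w-]{43}\z/)
    user_id = @store.take(cache_key(token))
    user_id && [user_id, issue(user_id)]
  end

  private

  # Only a digest is stored, so a cache dump does not yield usable tokens.
  def cache_key(token)
    "urlsess:" + Digest::SHA256.hexdigest(token)
  end
end
```

Single-use rotation means every generated link must carry the fresh token returned by `redeem`; an application that needs several live links per page would drop the rotation and rely on the TTL alone.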
2 answers

If cookies cannot be set, set the session identifier at the end of the URL.

+2

Firefox has a rather unintuitive placement of cookie settings. Open "Tools" → "Options" → "Privacy" and select "Use user settings for history" in the drop-down list, after which the cookie settings will appear. But they will disappear again if you set them by default.

There are large discrepancies in the definition and processing of third-party cookies (for example, in Firefox, the ban is not only on setting cookies, but also on reading them). For this reason, I would recommend, if at all possible, eliminating any dependence on cookies. It's already hard enough to tell users that they must turn on something that sounds unsafe (not to mention providing all the different instructions on how to do this for each browser), and this will only get worse as browsers continue to tighten their default settings. Unfortunately, all standard libraries seem to want to use cookies by default, so this is not an easy task, but if you are just starting to program your application, I think it would be worth it to try and find a cookieless way to do things right off the bat.

+1
