Session null in IFrame in ASP.net MVC only in Safari browser

The page contains an IFrame, and the session is null only with Safari. My version of Safari is 5.1.7.

I am using MVC 4.5. Everything works fine in other browsers. I am using the code below.

    protected override void OnResultExecuting(ResultExecutingContext filterContext)
    {
        base.OnResultExecuting(filterContext);
        filterContext.HttpContext.Response.AddHeader("p3p", "CP=\"CAO PSA OUR\"");
        GetFirstError();
    }
+7
c# asp.net-mvc asp.net-mvc-3 asp.net-mvc-4
4 answers

We had exactly the same problem - the FB application did not work in Safari in the ASP.Net MVC project. Here is what we did to fix this:

  • Add the P3P header to all responses. You can configure it at the IIS server level: http://support.microsoft.com/kb/324013 - or do it directly in global.asax:

      protected void Application_BeginRequest(Object sender, EventArgs e)
      {
          HttpContext.Current.Response.AddHeader("P3P", "CP=\"NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT\"");
      }

  • Create a w3c folder in the root directory of your site (the so-called well-known location) and upload the p3p.xml and policy.p3p files to it in accordance with this Microsoft guide: How to deploy P3P privacy policies on your website

Here is my p3p.xml file:

    <META>
      <POLICY-REFERENCES>
        <POLICY-REF about="/w3c/policy.p3p">
          <INCLUDE>/</INCLUDE>
          <COOKIE-INCLUDE/>
        </POLICY-REF>
      </POLICY-REFERENCES>
    </META>

and policy.p3p (sorry, but I'm not sure how to hide this as a spoiler):

    <?xml version="1.0"?>
    <POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
      <!-- Generated by IBM P3P Policy Editor version Beta 1.12 built 2/27/04 1:19 PM -->
      <!-- Expiry information for this policy -->
      <EXPIRY max-age="86400"/>
      <POLICY xml:lang="uk">
        <!-- Description of the entity making this policy statement. -->
        <ENTITY>
          <DATA-GROUP>
          </DATA-GROUP>
        </ENTITY>
        <!-- Disclosure -->
        <ACCESS><nonident/></ACCESS>
        <!-- No dispute information -->
        <!-- Statement for group "Basic information" -->
        <STATEMENT>
          <EXTENSION optional="yes">
            <GROUP-INFO xmlns="http://www.software.ibm.com/P3P/editor/extension-1.0.html" name="Basic information"/>
          </EXTENSION>
          <!-- Consequence -->
          <CONSEQUENCE>
            Data collected from all Web users: access logs, and search strings (if entered).</CONSEQUENCE>
          <!-- Use (purpose) -->
          <PURPOSE><admin/><current/><develop/></PURPOSE>
          <!-- Recipients -->
          <RECIPIENT><ours/></RECIPIENT>
          <!-- Retention -->
          <RETENTION><indefinitely/></RETENTION>
          <!-- Base dataschema elements. -->
          <DATA-GROUP>
            <DATA ref="#dynamic.clickstream"/>
            <DATA ref="#dynamic.http"/>
            <DATA ref="#dynamic.searchtext"/>
          </DATA-GROUP>
        </STATEMENT>
        <!-- Statement for group "Cookies" -->
        <STATEMENT>
          <EXTENSION optional="yes">
            <GROUP-INFO xmlns="http://www.software.ibm.com/P3P/editor/extension-1.0.html" name="Cookies"/>
          </EXTENSION>
          <!-- Consequence -->
          <CONSEQUENCE>
            Cookies are used to track visitors to our site, so we can better understand what portions of our site best serve you.</CONSEQUENCE>
          <!-- Use (purpose) -->
          <PURPOSE><develop/><tailoring/></PURPOSE>
          <!-- Recipients -->
          <RECIPIENT><ours/></RECIPIENT>
          <!-- Retention -->
          <RETENTION><business-practices/></RETENTION>
          <!-- Base dataschema elements. -->
          <DATA-GROUP>
            <DATA ref="#dynamic.cookies" optional="yes"><CATEGORIES><uniqueid/></CATEGORIES></DATA>
          </DATA-GROUP>
        </STATEMENT>
        <!-- End of policy -->
      </POLICY>
    </POLICIES>
+9

Safari does NOT accept third-party cookies by default. This means that when you visit domain A and embed domain B in an iframe, it will not accept cookies from B until the user interacts with the contents of the iframe.

This scenario bit me a lot during the development of the Facebook application, which required sessions, and the client did not decide to tell the user to enable third-party cookies. This is a workaround that I implemented, and it has been working since then:

  • check if the User-Agent header contains the string Safari
  • check that we have no cookies at all
  • if both of the above are true, redirect via JavaScript to a special cookiefix page on my domain (which means the following output: <script>top.location = "http://example.com/cookiefix";</script> ) - JS is required to break out of the iframe
  • do nothing on this page except set a dummy session variable
  • redirect to the original page and enjoy my session cookie, which is technically a third-party cookie, but it is already accepted and does not need to change
+7
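The workaround steps from the answer above, sketched for ASP.NET MVC as an added example (not the answerer's code). The names `SafariCookieFixAttribute` and `CookieFixController`, the `cookiefix=1` loop marker, the Chrome exclusion and the use of `Request.RawUrl` as the page to return to are all assumptions; the return URL is validated so the cookiefix page cannot be used as an open redirect.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Added example; class names and the cookiefix=1 marker are hypothetical.
// Apply to controllers served inside the iframe, not to CookieFixController.
public class SafariCookieFixAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        HttpRequestBase request = filterContext.HttpContext.Request;
        string ua = request.UserAgent ?? string.Empty;

        // Chrome's User-Agent also contains "Safari", so exclude it (assumption).
        bool isSafari = ua.IndexOf("Safari", StringComparison.OrdinalIgnoreCase) >= 0
                     && ua.IndexOf("Chrome", StringComparison.OrdinalIgnoreCase) < 0;
        bool hasNoCookies = request.Cookies.Count == 0;
        // Loop guard: the cookiefix page appends this marker on the way back.
        bool alreadyTried = request.QueryString["cookiefix"] == "1";
        if (!isSafari || !hasNoCookies || alreadyTried) return;

        var url = new UrlHelper(filterContext.RequestContext);
        string target = url.Action("Index", "CookieFix",
            new { returnUrl = request.RawUrl }, request.Url.Scheme);
        // Encode the URL for the script context; top.location leaves the iframe.
        filterContext.Result = new ContentResult
        {
            ContentType = "text/html",
            Content = "<script>top.location = \"" +
                      HttpUtility.JavaScriptStringEncode(target) + "\";</script>"
        };
    }
}

public class CookieFixController : Controller
{
    public ActionResult Index(string returnUrl)
    {
        Session["cookiefix"] = true; // dummy value so the session cookie is issued

        // Follow local return URLs only; otherwise this page is an open redirect.
        if (string.IsNullOrEmpty(returnUrl) || !Url.IsLocalUrl(returnUrl))
            return Redirect("~/");

        string separator = returnUrl.Contains("?") ? "&" : "?";
        return Redirect(returnUrl + separator + "cookiefix=1");
    }
}
```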

Use the request trace and look at the cookie of the incoming request, or use a debug proxy server (or browser debugging tools) to view the values on the client. Are cookies disabled? Does your session pointer change every time it comes from the server to the client? In that case, the session does not remain established.

0

One way is to set cookies so that they are not blocked, in the following way:

Go to the "Settings" section.
Select "Privacy"
"Block cookies"

-1