#SESSION# variables and iFrame

LEGEND ,
Sep 10, 2015

Hello, all,

I've got a page that contains an iFrame.  When loading the parent via HTTP, the page loading in the iframe via HTTP can see session variables with no problem.

However, when I load that same parent page HTTPS _and_ the iFrame via HTTPS, the iFrame src page does NOT see session variables set in the parent page.

Both are loading HTTPS, both same domain, same port.

Parent: https://www.domain.com/dbw/tt/index.cfm

iFrame: https://www.domain.com/dbw/tt/contactus.cfm

I'll check CFID and CFTOKEN on both, but I suspect they are the same.  UPDATE:  I can confirm that in my DEV environment, CFID and CFTOKEN are the same for both parent page and iFrame page.

What could be causing this?

V/r,

^_^

Advocate ,
Sep 10, 2015

Are you using J2EE sessions? Are you sure there are no elements on the page causing it not to load fully over HTTPS, i.e. links to scripts/resources with http:// prefixes? Does this happen on all pages or just the ones you specified?

LEGEND ,
Sep 10, 2015

Currently, the only page where I am loading an iFrame is this one page.  All script/css links are "/script/blah.js" or "/style/page.css", so the protocol should be the same.

DEV environment is NOT using J2EE sessions.  I do not have access to CFAdmin in production/staging, but I'll ask.

V/r,

^_^

LEGEND ,
Sep 10, 2015

I just got word from our SA.  Production is using J2EE memory variables.  Could this be causing the issue?  It appears as though (in the production environment) the iFrame .cfm file is getting different JSESSIONID variables.

V/r,

^_^

Advocate ,
Sep 11, 2015

Do you have load balancers in front of your server? Are you also using the full URL for the iframe? https://... etc or just the relative page /dbw/tt/contactus.cfm?

Also where are your session variables being set? Are you doing something in the onSessionStart() ?

LEGEND ,
Sep 11, 2015

No load balancers.  Full URL (protocol, domain, and port match between parent and iframe src.)  Session variables are being set in the parent page.  They are for a kind of CAPTCHA.  Basically, the parent page runs a component function that randomly selects a word math equation and a corresponding numeric answer, saves them to the session scope, and the processing page matches the user input to the session saved answer; if they don't match, display an error message; otherwise, process the form data.  It's part of a two-pronged defense, the other part being a honeypot.

One thing I did notice was that if I dump the session for both parent and iframe, CFID and CFTOKEN match, but JSESSIONID changes for both on every page load.

Also, this _was_ working in DEV.  Then I set J2EE to enabled in DEV, and I'm getting the exact same error message, now, that a variable doesn't exist in the session scope.  Turn J2EE off, and it works just fine.

V/r,

^_^

Advocate ,
Sep 11, 2015

Do you run a cluster of any kind?

I set up a test to set session vars across iframes with J2EE both enabled and disabled, and I got it to work fine each time.

LEGEND ,
Sep 11, 2015

No clusters.  The only thing that comes close is fail-over, and we have only one server set as primary, and it hasn't been failing through any of this.

Here's a question.  If a page is located at https://www.domain.com/index.cfm and contains <script src="/js/form.js"></script>, the /js/form.js is going through https, is it not?

V/r,

^_^

Participant ,
Sep 15, 2015

I replied to your other thread on this topic before seeing this one. Oops.

I set up a test on my dev CF10 server with J2EE enabled; the iframed cfm file has no problem seeing SESSION vars set in the parent.

LEGEND ,
Sep 15, 2015

Going through HTTPS?

V/r,

^_^

Participant ,
Sep 15, 2015

Yes, I tested every variation of HTTP and HTTPS in the browser address bar and in the IFRAME tag. The iframed cfm was always able to output the SESSION var set in the parent file.

Do you have the "Use UUID for cftoken" box checked in the main CF Admin Settings page? My server does have that option checked. I didn't want to test unchecking it because other developers are working on the same server.

LEGEND ,
Sep 16, 2015

mkane1, I have asked our SA about that (I do not have access to CFAdmin in production environments.)

As far as our dev environment, J2EE is off (currently; if we can fix this, I'll turn it on); Application and Session variables are enabled; cookies are HTTP only; Secure Cookie is disabled; updating CF internal cookies using CF tags/functions is allowed; UUID for cftoken is NOT checked.

V/r,

^_^

Participant ,
Sep 16, 2015

Seems to me there is no need to worry about the production environment yet; you said that on your DEV server simply turning J2EE on or off caused or fixed the underlying problem. You could try enabling the UUID option. I doubt that is the problem, but it shouldn't hurt to try. I would think that enabling J2EE is necessary.

LEGEND ,
Sep 16, 2015

mkane1 wrote:

I would think that enabling J2EE is necessary.

Me, too, which is why I'm so worried about it.

I wound up putting the iframe contents back on the same page that contained the iframe, which works, but doesn't help me understand what is "broken" about our production environment.

^_^

LEGEND ,
Sep 17, 2015

I just got word from our SA - yes, "Use UUID for cftoken" is checked.

tribule, you had mentioned that, but you followed that with "FireFox would be fine, but IE and Chrome refused to work."  I assumed that was _after_ setting setdomaincookies to true.

V/r,

^_^

Engaged ,
Sep 17, 2015

What I meant was this: in FireFox the frameset worked fine and kept the session (i.e. without setDomainCookies added). In IE and Chrome, the session was not kept and I got fatal errors (session does exist etc). After setting setDomainCookies to true, all browsers then worked fine. Hope that clarifies it. It seems to be a browser issue as much as a CF issue, since otherwise why did FireFox work fine? Enabling UUID for token and JSESSION IDs did not solve our issue either, only setDomainCookies did. Strange, but true, and we are also using one domain everywhere.

LEGEND ,
Sep 18, 2015

Understood, now. 

However, I've got J2EE enabled, setDomainCookies to true (in Application.cfc), and cookies set for HTTPonly.  Now, the .cfcs that process form data via AJAX are throwing the same session error messages - 'mAnswer not defined in session'.

WTF..

V/r,

^_^

Engaged ,
Sep 18, 2015

I wonder if the server is patched and is installed correctly (old connector remnants perhaps)? Does your application work if you use FireFox? Also, did the frame retain the session with setDomainCookies set to true, or is that still an issue? Did you clear all cookies from your browser? I had to remove all cookies before it worked for me.

Adobe Community Professional ,
Sep 21, 2015

WolfShade wrote:

However, I've got J2EE enabled, setDomainCookies to true (in Application.cfc), and cookies set for HTTPonly.  Now, the .cfcs that process form data via AJAX are throwing the same session error messages - 'mAnswer not defined in session'.

You might have stumbled by chance - luckily, perhaps - on a design issue you have to solve. The error message suggests that the CFC uses session variables. However, it also appears that the CFC is available to clients via an AJAX URL call.

Such a call is from "outside" the application, and may be made by anyone. Whereas, a session variable is within the context of the application, hence on the "inside". To improve your design, in general, ensure that a CFC that is accessible from the outside does not involve session variables.

LEGEND ,
Sep 21, 2015

Hi, tribule,

So far, all testing producing errors has been in dev.  I just now pushed to staging, tested, and it worked, so I had our SA log on to the CFAdmin, and the J2EE was _NOT_ set.

As soon as he enabled it and restarted the CF service, BANG, the iframe document is not seeing the session variables set in the parent page.

I can only guess that since JSESSIONID is different for every page load (a supposed security feature), then the iframe document loads with a different JSESSIONID, so session variables are essentially worthless, in that case.

But, then, how to explain that you are NOT having the same issues?

The CFC does have a session variable conditional -- if (val(userInput) neq val(session.mAnswer)) { fail }.  This is part of my "captcha" used for preventing automated submission.  How can I get the session variable to the CFC??

V/r,

^_^

PS.  I used FF, IE, and Chrome.  I removed all cookies and cleared the cache (EVERYTHING).  setDomainCookies is set to true in the very beginning of application.cfc. 

LEGEND ,
Sep 21, 2015

It just occurred to me.  I work for US DoD.  It is likely that the issue isn't JUST J2EE, but a combination of that and another security-related setting, possibly in CFAdmin, possibly proxy-related.

What do you think?

V/r,

^_^

Participant ,
Sep 21, 2015

Wolfshade, have you tried a simple test, no CFCs, very little code at all? I suggest creating a new folder, with only 3 files:

  1. application.cfc or cfm, with only code to create the application, enable SESSION management, and SetDomainCookies = true
  2. parent cfm, sets a SESSION var and creates the Iframe
  3. iframed cfm that checks if the SESSION var is defined and either displays it or "not defined".

That should help.

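
A concrete version of the three-file test mkane1 describes above, added here as an example; it is not code from this thread or from any of its posters. The folder /sessiontest/, the file names Application.cfc, parent.cfm and child.cfm, the application name and the sample value 7 are assumptions. Each page prints its own session.sessionid next to the session variable, so a parent/child mismatch is visible directly rather than inferred from a "variable not defined" error.

```cfml
<!--- ===== /sessiontest/Application.cfc (constructed for this test) ===== --->
component {
    this.name              = "iframeSessionTest";   // hypothetical application name
    this.sessionManagement = true;
    // Non-zero timeout: a timeout of 0 here or in CF Admin hands out a fresh
    // session (and a fresh JSESSIONID under J2EE sessions) on every request.
    this.sessionTimeout    = createTimeSpan(0, 0, 20, 0);
    this.setClientCookies  = true;
    this.setDomainCookies  = true;                  // the setting tribule needed for his frameset
    // CF10+ flags for the CFID/CFTOKEN cookies (under J2EE sessions the servlet
    // container sets JSESSIONID). Leave secure=false until every page of the
    // application is served over HTTPS, otherwise a plain-HTTP page never gets
    // the cookie back and silently starts a new session.
    this.sessionCookie     = { httpOnly = true, secure = false };
}

<!--- ===== /sessiontest/parent.cfm ===== --->
<cfset session.mAnswer = 7>   <!--- constructed sample value --->
<cfoutput>
  <p>parent session.sessionid: #session.sessionid#</p>
  <p>parent JSESSIONID cookie:
     #structKeyExists(cookie, "JSESSIONID") ? cookie.JSESSIONID : "(not set)"#</p>
  <!--- same scheme, host and port as the parent, as in the original question --->
  <iframe src="/sessiontest/child.cfm" width="600" height="120"></iframe>
</cfoutput>

<!--- ===== /sessiontest/child.cfm ===== --->
<cfoutput>
  <p>child session.sessionid: #session.sessionid#</p>
  <cfif structKeyExists(session, "mAnswer")>
    <p>session.mAnswer = #session.mAnswer#</p>
  <cfelse>
    <!--- If this branch runs and the two sessionid values differ, the browser
          did not send the parent's session cookie with the iframe request. --->
    <p>session.mAnswer is not defined</p>
  </cfif>
</cfoutput>
```

Load /sessiontest/parent.cfm over HTTPS in a fresh browser profile (or after clearing cookies, which tribule found necessary after changing setDomainCookies), then repeat with J2EE sessions toggled in CF Admin and the service restarted. The two sessionid values should match. If they differ on every reload, the cookie is not being returned, and the things to compare are the cookie's domain, path and Secure flag against the URL in the iframe's src, plus the sessiontimeout values mkane1 asks about further down.
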
Participant ,
Sep 21, 2015

BKBK wrote:

WolfShade wrote:

However, I've got J2EE enabled, setDomainCookies to true (in Application.cfc), and cookies set for HTTPonly.  Now, the .cfcs that process form data via AJAX are throwing the same session error messages - 'mAnswer not defined in session'.

You might have stumbled by chance - luckily, perhaps - on a design issue you have to solve. The error message suggests that the CFC uses session variables. However, it also appears that the CFC is available to clients via an AJAX URL call.

Such a call is from "outside" the application, and may be made by anyone. Whereas, a session variable is within the context of the application, hence on the "inside". To improve your design, in general, ensure that a CFC that is accessible from the outside does not involve session variables.

BKBK, if you are suggesting that the application pages should work with SESSION vars etc. and send pertinent details to CFCs as arguments, I would agree with that. Not sure about the inside/outside references.

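
One way to lay out the word-math CAPTCHA WolfShade describes (a component picks a question and numeric answer, the answer goes into the session, the processing step compares the user's input to it, with a honeypot field alongside) so that it follows BKBK's and mkane1's advice: the CFC never touches the session, and the page that handles the request reads the session and passes values to the CFC as arguments. This is an added example, not code from the thread. The component name WordCaptcha.cfc, the pages form.cfm and process.cfm, the field names answer and website, and the question format are assumptions. The expected answer is never taken from the client, and it is deleted from the session after one check so a known-good answer cannot be replayed.

```cfml
<!--- ===== WordCaptcha.cfc (constructed; session-free, so it does not matter who calls it) ===== --->
component {
    // Build a word-math question. Returns the question text and the numeric answer;
    // the caller (a page with session access) decides where the answer is kept.
    public struct function generate() {
        var words   = ["zero","one","two","three","four","five","six","seven","eight","nine"];
        var a       = randRange(1, 9, "SHA1PRNG");
        var b       = randRange(1, 9, "SHA1PRNG");
        var useAdd  = (randRange(0, 1, "SHA1PRNG") EQ 1);
        var question = "What is #words[a+1]# #(useAdd ? 'plus' : 'times')# #words[b+1]#?";
        var answer   = useAdd ? a + b : a * b;
        return { question = question, answer = answer };
    }

    // Compare a submission to the expected answer. Both values arrive as arguments;
    // nothing in here reads the session scope.
    public boolean function verify(required string userInput, required numeric expected) {
        if (NOT isNumeric(trim(arguments.userInput))) return false;
        return val(arguments.userInput) EQ arguments.expected;
    }
}

<!--- ===== form.cfm: the page owns the session; only the answer is stored server-side ===== --->
<cfset captcha = new WordCaptcha()>
<cfset q = captcha.generate()>
<cfset session.mAnswer = q.answer>
<cfoutput>
  <form method="post" action="process.cfm">
    <label>#q.question# <input type="text" name="answer"></label>
    <!--- honeypot: hidden field that a real user never fills in --->
    <input type="text" name="website" style="display:none" tabindex="-1" autocomplete="off">
    <input type="submit" value="Send">
  </form>
</cfoutput>

<!--- ===== process.cfm: the form/AJAX endpoint; reads the session, hands values to the CFC ===== --->
<cfparam name="form.answer" default="">
<cfparam name="form.website" default="">
<cfset captcha = new WordCaptcha()>
<cfset result = { ok = false, message = "" }>
<cfif NOT structKeyExists(session, "mAnswer")>
    <!--- the existence check tribule asks about: no challenge means no comparison --->
    <cfset result.message = "No challenge in session; reload the form.">
<cfelseif len(trim(form.website))>
    <!--- honeypot filled in: treat as automated, with the same response as a wrong answer --->
    <cfset result.message = "Answer did not match.">
<cfelse>
    <cfset expected = session.mAnswer>
    <cfset structDelete(session, "mAnswer")>   <!--- one attempt per challenge --->
    <cfif captcha.verify(form.answer, expected)>
        <cfset result.ok = true>
        <cfset result.message = "Accepted.">
    <cfelse>
        <cfset result.message = "Answer did not match.">
    </cfif>
</cfif>
<cfcontent type="application/json" reset="true">
<cfoutput>#serializeJSON(result)#</cfoutput>
```

If the browser's AJAX call goes to process.cfm on the same scheme, host and port as form.cfm, the session cookie travels with it and session.mAnswer is found; if process.cfm reports "No challenge in session" while form.cfm just set it, the request is arriving with a different session, which is the same cookie question as the iframe case. Struct keys come back upper-cased from serializeJSON unless quoted, so the client should read OK and MESSAGE.
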
Engaged ,
Sep 21, 2015

Hi. Our JSESSIONID stays the same on every page, so different behaviour to yours again. Do you check for existence of the session.mAnswer variable before referring to it, btw? BKBK asked the same thing. I expect you do, but it should be checked.

If your frames all have different JSESSIONIDs then you would have a problem. I create my session variable upon a successful user login and then cflocation to a new page where the frameset is loaded. Your code logic may be different. Perhaps the DOD environment is the cause. I think you need to experiment with some different code examples, using frames and sessions, to see what results you get and whether each frame can maintain the session. Very tough ones to solve, these cookie/session issues.

LEGEND ,
Sep 21, 2015

I did something similar, and used CFDUMP in both parent document and iframe document.  The sessions did NOT match.

V/r,

^_^

LEGEND ,
Sep 21, 2015

We are getting a different JSESSIONID with every page load.  If I display the JSESSIONID on a page, and refresh it over and over and over, each page load gives a different JSESSIONID.

EDIT:  I had read, somewhere, that this is supposed to happen - it's a security feature; changing the sessionid is supposed to suppress certain attacks.  HOWEVER, the information of the old JSESSIONID is supposed to be copied to the new JSESSIONID.  I think that's not happening, here.

session.mAnswer is present in parent page; iframe does not see it, nor does the CFC.

There is no login for this.  This is going to be the new public facing page.

V/r,

^_^

LEGEND ,
Sep 21, 2015

I removed the iframe and put the form in the parent page, directly.  The CFC still does not see the same session variables that the parent page sees.

[banging head repeatedly on desk]

V/r,

^_^

UPDATE:  This might be because CFAdmin is set for HTTPonly cookies.

Participant ,
Sep 21, 2015

Wolfshade, if you see a different JSESSIONID every time you reload a page, that is the problem right there. JSESSIONID (a cookie) and its counterpart SESSIONID (a session var) are not supposed to reset each page load. On my servers, cookies are set with HTTPOnly, but not Secure.

I was interested in this thread because I did a lot of work creating a user security model based on SESSION vars, with the only cookie being JSESSIONID.

What is the value for sessiontimeout in your application.cfc, and in the CF Admin? If either is 0, that would force the JSESSIONID to reset each page.

Engaged ,
Sep 21, 2015

IFRAME runs with lower privilege in IE. Try setting a P3P header in the template loaded into the frame:

<cfheader name="P3P" value="CP='CURa ADMa DEVa CONo HISa OUR IND DSP ALL COR'">

We use FRAMESET, not IFRAMEs. I wonder if that could be it? This P3P issue only affects Internet Explorer.

Engaged ,
Sep 16, 2015

We had this issue a few months back with an older <frame> based application. The only thing that solved it was setting setdomaincookies to "true" in application.cfc/cfm and then clearing all browser cookies and trying to load the application again. FireFox would be fine, but IE and Chrome refused to work.

LEGEND ,
Sep 16, 2015

tribule wrote:

FireFox would be fine, but IE and Chrome refused to work.

That won't fly, here.. IE is the internal browser default.  (  Did you ever get it fixed for all browsers?

^_^

Engaged ,
Sep 16, 2015

Yes, enabling setdomaincookies was the solution in our case. Have you tried adding it? We were on an old legacy app, with application.cfm so our cfapplication tag looked like this:

<cfapplication name="testApp"
               clientmanagement="true"
               sessionmanagement="true"
               sessiontimeout="#CreateTimeSpan(0,0,60,0)#"
               setclientcookies="true"
               setdomaincookies="true">

LEGEND ,
Sep 22, 2015

Is there a chance that there might be a JkEnvVar in mod_jk.conf that should be set?  Just checking.  Our former SA thought of it.

V/r,

^_^
