#SESSION# variables and iFrame

LEGEND, Sep 10, 2015

Hello, all,

I've got a page that contains an iFrame.  When loading the parent via HTTP, the page loading in the iframe via HTTP can see session variables with no problem.

However, when I load that same parent page HTTPS _and_ the iFrame via HTTPS, the iFrame src page does NOT see session variables set in the parent page.

Both are loading HTTPS, both same domain, same port.

Parent: https://www.domain.com/dbw/tt/index.cfm

iFrame: https://www.domain.com/dbw/tt/contactus.cfm

I'll check CFID and CFTOKEN on both, but I suspect they are the same.  UPDATE:  I can confirm that in my DEV environment, CFID and CFTOKEN are the same for both parent page and iFrame page.

What could be causing this?

V/r,

^_^

Advocate, Sep 10, 2015

Are you using J2EE Sessions? Are you sure there are no elements on the page causing it not to load HTTPS fully? i.e. links to scripts / resources with http:// prefixes. Does this happen on all pages or just the ones you specified?

LEGEND, Sep 10, 2015


Currently, the only page where I am loading an iFrame is this one page.  All script/css links are "/script/blah.js" or "/style/page.css", so the protocol should be the same.

DEV environment is NOT using J2EE sessions.  I do not have access to CFAdmin in production/staging, but I'll ask.

V/r,

^_^

LEGEND, Sep 10, 2015


I just got word from our SA.  Production is using J2EE memory variables.  Could this be causing the issue?  It appears as though (in the production environment) the iFrame .cfm file is getting different JSESSIONID variables.

V/r,

^_^

Advocate, Sep 11, 2015


Do you have load balancers in front of your server? Are you also using the full URL for the iframe? https://... etc or just the relative page /dbw/tt/contactus.cfm?

Also where are your session variables being set? Are you doing something in the onSessionStart() ?

LEGEND, Sep 11, 2015


No load balancers.  Full URL (protocol, domain, and port match between parent and iframe src.)  Session variables are being set in the parent page.  They are for a kind of CAPTCHA.  Basically, the parent page runs a component function that randomly selects a word math equation and a corresponding numeric answer, saves them to the session scope, and the processing page matches the user input to the session saved answer; if they don't match, display an error message; otherwise, process the form data.  It's part of a two-pronged defense, the other part being a honeypot.

One thing I did notice was that if I dump the session for both parent and iframe, CFID and CFTOKEN match, but JSESSIONID changes for both on every page load.

Also, this _was_ working in DEV.  Then I set J2EE to enabled in DEV, and I'm getting the exact same error message, now, that a variable doesn't exist in the session scope.  Turn J2EE off, and it works just fine.

V/r,

^_^

Advocate, Sep 11, 2015


Do you run a cluster of any kind?

I set up a test to set session vars across iframes with j2ee both enabled and disabled and I got it to work fine each time.

LEGEND, Sep 11, 2015


No clusters.  The only thing that comes close is fail-over, and we have only one server set as primary, and it hasn't been failing through any of this.

Here's a question.  If a page is located at https://www.domain.com/index.cfm and contains <script src="/js/form.js"></script>, the /js/form.js is going through https, is it not?

V/r,

^_^

Participant, Sep 15, 2015


I replied to your other thread on this topic before seeing this one. Oops.

I set up a test on my dev CF10 server with J2EE enabled, the iframed cfm file has no problem seeing SESSION vars set in the parent.

LEGEND, Sep 15, 2015


Going through HTTPS?

V/r,

^_^

Participant, Sep 15, 2015


Yes, I tested every variation of HTTP and HTTPS in the browser address bar and in the IFRAME tag. The iframed cfm was always able to output the SESSION var set in the parent file.

Do you have the "Use UUID for cftoken" box checked in the main CF Admin Settings page? My server does have that option checked. I didn't want to test unchecking it because other developers are working on the same server.

LEGEND, Sep 16, 2015


mkane1, I have asked our SA about that (I do not have access to CFAdmin in production environments.)

As far as our dev environment, J2EE is off (currently; if we can fix this, I'll turn it on); Application and Session variables are enabled; cookies are HTTP only; Secure Cookie is disabled; updating CF internal cookies using CF tags/functions is allowed; UUID for cftoken is NOT checked.

V/r,

^_^

Participant, Sep 16, 2015


Seems to me no need to worry about the production environment yet, you said that in your DEV server simply turning J2EE on or off caused or fixed the underlying problem. You could try enabling the UUID option. I doubt that is the problem, but it shouldn't hurt to try. I would think that enabling J2EE is necessary.

LEGEND, Sep 16, 2015


mkane1 wrote:

I would think that enabling J2EE is necessary.

Me, too, which is why I'm so worried about it.

I wound up putting the iframe contents back on the same page that contained the iframe, which works, but doesn't help me understand what is "broken" about our production environment.

^_^

LEGEND, Sep 17, 2015


I just got word from our SA - yes, "Use UUID for cftoken" is checked.

tribule, you had mentioned that, but you followed that with "FireFox would be fine, but IE and Chrome refused to work."  I assumed that was _after_ setting setdomaincookies to true.

V/r,

^_^

Enthusiast, Sep 17, 2015


What I meant was this: in FireFox the frameset worked fine and kept the session (i.e. without setDomainCookies added). In IE and Chrome, the session was not kept and I got fatal errors (session does exist etc). After setting setDomainCookies to true, all browsers then worked fine. Hope that clarifies it. It seems to be a browser issue as much as a CF issue, since otherwise why did FireFox work fine? Enabling UUID for token and JSESSION id's did not solve our issue either, only setDomainCookies did. Strange, but true, and we are also using one domain everywhere.

LEGEND, Sep 18, 2015


Understood, now. 

However, I've got J2EE enabled, setDomainCookies to true (in Application.cfc), and cookies set for HTTPonly.  Now, the .cfcs that process form data via AJAX are throwing the same session error messages - 'mAnswer not defined in session'.

WTF..

V/r,

^_^

Enthusiast, Sep 18, 2015


I wonder if the server is patched and is installed correctly (old connector remnants perhaps)? Does your application work if you use FireFox? Also, did the frame retain the session with setDomainCookies set to true, or is that still an issue? Did you clear all cookies from your browser? I had to remove all cookies before it worked for me.

LEGEND, Sep 21, 2015


Hi, tribule,

So far, all testing producing errors has been in dev.  I just now pushed to staging, tested, and it worked, so I had our SA log on to the CFAdmin, and the J2EE was _NOT_ set.

As soon as he enabled it and restarted the CF service, BANG, the iframe document is not seeing the session variables set in the parent page.

I can only guess that since JSESSIONID is different for every page load (a supposed security feature), then the iframe document loads with a different JSESSIONID, so session variables are essentially worthless, in that case.

But, then, how to explain that you are NOT having the same issues?

The CFC does have a session variable conditional -- if (val(userInput) neq val(session.mAnswer)) { fail }.  This is part of my "captcha" used for preventing automated submission.  How can I get the session variable to the CFC??

V/r,

^_^

PS.  I used FF, IE, and Chrome.  I removed all cookies and cleared the cache (EVERYTHING).  setDomainCookies is set to true in the very beginning of application.cfc. 

LEGEND, Sep 21, 2015


It just occurred to me.  I work for US DoD.  It is likely that the issue isn't JUST J2EE, but a combination of that and another security-related setting, possibly in CFAdmin, possibly proxy-related.

What do you think?

V/r,

^_^

Participant, Sep 21, 2015


Wolfshade, have you tried a simple test, no CFCs, very little code at all? I suggest creating a new folder, with only 3 files:

  1. application.cfc or cfm, with only code to create the application, enable SESSION management, and SetDomainCookies = true
  2. parent cfm, sets a SESSION var and creates the Iframe
  3. iframed cfm that checks if the SESSION var is defined and either displays it or "not defined".

That should help.

LEGEND, Sep 21, 2015


I did something similar, and used CFDUMP in both parent document and iframe document.  The sessions did NOT match.

V/r,

^_^

Enthusiast, Sep 21, 2015


Hi. Our JSESSIONID stays the same on every page, so different behaviour to yours again. Do you check for existence of the session.mAnswer variable before referring to it btw? BKBK asked the same thing. I expect you do, but it should be checked.

If your frames all have different JSESSIONID's then you would have a problem. I create my session variable upon a successful user login and then cflocation to a new page where the frameset is loaded. Your code logic may be different. Perhaps the DOD environment is the cause. I think you need to experiment with some different code examples, using frames and sessions, to see what results you get and see whether each frame can maintain the session. Very tough ones to solve, these cookie/session issues.

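A minimal reproduction of the three-file test mkane1 suggests above, extended with a fourth file for the AJAX-called CFC and with the existence check tribule recommends. This is an added example, not code posted by any of the thread participants: the application name, the file names frame.cfm and check.cfc, the placeholder challenge answer and the JSON return shape are assumptions, and the this.sessionCookie settings need ColdFusion 10 or later. Each page prints session.sessionId and dumps the cookie scope so that the parent, the iframe and the CFC can be compared side by side.

```cfml
<!--- file: Application.cfc --->
<cfcomponent output="false">
    <cfset this.name = "IframeSessionTest">      <!--- assumed application name --->
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>
    <cfset this.setDomainCookies = true>         <!--- the setting tribule found necessary --->
    <!--- CF10+: cookie flags matching the thread's HTTPS + HttpOnly setup --->
    <cfset this.sessionCookie = { httpOnly = true, secure = true }>
</cfcomponent>

<!--- file: parent.cfm --->
<!--- constructed placeholder for the word-math answer the real page stores --->
<cfset session.mAnswer = 7>
<cfoutput>
    <p>Parent session id: #session.sessionId#</p>
    <p>Parent sees session.mAnswer = #session.mAnswer#</p>
</cfoutput>
<cfdump var="#cookie#" label="Cookies sent with the parent request">
<!--- full URL on the same scheme, host and port, as in the thread --->
<iframe src="https://www.domain.com/dbw/tt/frame.cfm" width="600" height="300"></iframe>

<!--- file: frame.cfm --->
<cfoutput>
    <p>Frame session id: #session.sessionId#</p>
    <cfif structKeyExists(session, "mAnswer")>
        <p>Frame sees session.mAnswer = #session.mAnswer#</p>
    <cfelse>
        <p>session.mAnswer is not defined in the frame: the frame got a different session.</p>
    </cfif>
</cfoutput>
<cfdump var="#cookie#" label="Cookies sent with the frame request">

<!--- file: check.cfc, called from the parent page via AJAX, e.g.
      check.cfc?method=verify&userInput=7 --->
<cfcomponent output="false">
    <cffunction name="verify" access="remote" returntype="struct" returnformat="json">
        <cfargument name="userInput" type="string" required="true">
        <cfset var result = { ok = false, reason = "", sessionId = session.sessionId }>
        <!--- guard the read so a missing key reports the cause instead of throwing
              "mAnswer not defined in session" --->
        <cfif NOT structKeyExists(session, "mAnswer")>
            <cfset result.reason = "no challenge answer in this session">
            <cfreturn result>
        </cfif>
        <!--- same comparison the thread's CFC performs --->
        <cfif val(arguments.userInput) NEQ val(session.mAnswer)>
            <cfset result.reason = "answer mismatch">
            <cfreturn result>
        </cfif>
        <cfset result.ok = true>
        <cfreturn result>
    </cffunction>
</cfcomponent>
```

Load parent.cfm over HTTPS and compare the three session ids (parent page, frame, and the sessionId field in the JSON returned by check.cfc). If they differ, the cookie dumps show which identifier (CFID/CFTOKEN or JSESSIONID) the browser is failing to send back on the second request. Two points worth keeping in mind while reading the dumps: HttpOnly only hides a cookie from script, it does not stop the browser from sending it with an iframe or XHR request to the same origin, whereas the Secure flag does stop it on any plain http:// request, so a single http:// URL in the iframe or AJAX call is enough to start a fresh session; and ColdFusion uppercases struct keys in the JSON output unless they are set with bracket notation.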
LEGEND, Sep 21, 2015


We are getting a different JSESSIONID with every page load.  If I display the JSESSIONID on a page, and refresh it over and over and over, each page load gives a different JSESSIONID.

EDIT:  I had read, somewhere, that this is supposed to happen - it's a security feature; changing the sessionid is supposed to suppress certain attacks.  HOWEVER, the information of the old JSESSIONID is supposed to be copied to the new JSESSIONID.  I think that's not happening, here.

session.mAnswer is present in parent page; iframe does not see it, nor does the CFC.

There is no login for this.  This is going to be the new public facing page.

V/r,

^_^

LEGEND, Sep 21, 2015


I removed the iframe and put the form in the parent page, directly.  The CFC still does not see the same session variables that the parent page sees.

[banging head repeatedly on desk]

V/r,

^_^

UPDATE:  This might be because CFAdmin is set for HTTPonly cookies.
