#SESSION# variables and iFrame

LEGEND, Sep 10, 2015

Hello, all,

I've got a page that contains an iFrame.  When loading the parent via HTTP, the page loading in the iframe via HTTP can see session variables with no problem.

However, when I load that same parent page HTTPS _and_ the iFrame via HTTPS, the iFrame src page does NOT see session variables set in the parent page.

Both are loading HTTPS, both same domain, same port.

Parent: https://www.domain.com/dbw/tt/index.cfm

iFrame: https://www.domain.com/dbw/tt/contactus.cfm

I'll check CFID and CFTOKEN on both, but I suspect they are the same.  UPDATE:  I can confirm that in my DEV environment, CFID and CFTOKEN are the same for both parent page and iFrame page.

What could be causing this?

V/r,

^_^

Participant, Sep 21, 2015

Wolfshade, if you see a different JSESSIONID every time you reload a page, that is the problem right there. JSESSIONID (a cookie) and its counterpart SESSIONID (a session var) are not supposed to reset each page load. On my servers, cookies are set with HTTPOnly, but not Secure.

I was interested in this thread because I did a lot of work creating a user security model based on SESSION vars, with the only cookie being JSESSIONID.

What is the value for sessiontimeout in your application.cfc, and in the CF Admin? If either is 0, that would force the JSESSIONID to reset each page.

LEGEND, Sep 22, 2015

mkane1 wrote:

On my servers, cookies are set with HTTPOnly, but not Secure.

We are not set for secure cookies, either.

mkane1 wrote:

If either is 0, that would force the JSESSIONID to reset each page.

Session timeout is set for 20 minutes.

V/r,

^_^

Enthusiast, Sep 21, 2015

IFRAME runs with lower privilege in IE. Try setting a P3P header in the template loaded into the frame:

<cfheader name="P3P" value="CP='CURa ADMa DEVa CONo HISa OUR IND DSP ALL COR'">

We use FRAMESET, not IFRAMEs. I wonder if that could be it? This P3P issue only affects Internet Explorer.

LEGEND, Sep 22, 2015

This is happening in all tested browsers (IE9, IE10, IE11, Firefox, Chrome).

And while I'm not thrilled about using iframe, I would only use frameset if a gun were held to my head.  (No offense; I know some people like frameset - I am not one of them.)

V/r,

^_^

Enthusiast, Sep 22, 2015

Frameset works fine in many cases; I use it on a few sites that have run on large ecommerce sites for 10+ years over multiple CF versions, and no issues whatsoever.

LEGEND, Sep 22, 2015

tribule wrote:

Frameset works fine in many cases; I use it on a few sites that have run on large ecommerce sites for 10+ years over multiple CF versions, and no issues whatsoever.

I can appreciate that some developers either like or don't mind framesets.  Purely subjective.  I will never use framesets unless the client is forcing me to.  And I will do so under protest.

V/r,

^_^

Adobe Community Professional, Sep 21, 2015

WolfShade wrote:

We are getting a different JSESSIONID with every page load.  If I display the JSESSIONID on a page, and refresh it over and over and over, each page load gives a different JSESSIONID.

EDIT:  I had read, somewhere, that this is supposed to happen - it's a security feature; changing the sessionid is supposed to suppress certain attacks.  HOWEVER, the information of the old JSESSIONID is supposed to be copied to the new JSESSIONID.  I think that's not happening, here.

As I suggested earlier, the likely reason for the requests from the iFrame to be creating new sessions each time is that such requests don't start within the application.  There is therefore no basis for a session to be maintained from one page to the next.

session.mAnswer is present in parent page; iframe does not see it, nor does the CFC.

The crux of the matter. I suspect that iFrame and CFC do have a session, but that it is different from the session that contains mAnswer.

Could you show us the code?

LEGEND, Sep 22, 2015

BKBK wrote:

Could you show us the code?

I can try to get some pseudo-code posted, here.  Dev network is isolated from internet, and there's a lot of code.

I'll whip something up and post it here, soon.

Thank you!

V/r,

^_^

Participant, Sep 22, 2015

Wolfshade, earlier you wrote "If I display the JSESSIONID on a page, and refresh it over and over and over, each page load gives a different JSESSIONID".

If that is true, then iframes and CFCs are completely irrelevant. The value for JSESSIONID should not be changing like that.

I suggest you create a simple page in your app's folder that does nothing at all except show the values for COOKIE.JSESSIONID and SESSION.SESSIONID. If those values don't match, or either one changes when you refresh the page, that is the issue that needs to be addressed.

I would then create a new folder, with its own application.cfc/cfm that does nothing except initialize the application name (start with something completely new on that server), enables SESSIONMANAGEMENT with at least 20 minute timeout, and setdomaincookies=true. Then create a simple page in that folder that shows the values for COOKIE.JSESSIONID and SESSION.SESSIONID.
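The isolation test described in this post, written out as an added example (it is not code from the thread): a fresh folder with its own Application.cfc and a probe page. The application name, the file names, the session.hits counter and the scheme line are my additions; the two-identifier comparison assumes J2EE session variables are enabled, as in WolfShade's setup.

```cfml
<!--- Application.cfc (added example): a brand-new application name so nothing else
      on the server shares this session configuration. --->
<cfcomponent output="false">
    <cfset this.name = "sessionProbe2015" />                    <!--- constructed name --->
    <cfset this.sessionManagement = true />
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 20, 0) /> <!--- 20 minutes, never 0 --->
    <cfset this.setClientCookies = true />
    <cfset this.setDomainCookies = true />
</cfcomponent>

<!--- sessioncheck.cfm, in the same folder: shows both identifiers and counts the requests
      served by this session. Reload it several times over HTTP and over HTTPS: the two
      values should stay identical and session.hits should climb. If hits drops back to 1
      on every reload, the server is handing out a fresh session per request, whatever the
      identifiers happen to look like. --->
<cfparam name="session.hits" default="0" />
<cfset session.hits = session.hits + 1 />
<cfset cookieId = structKeyExists(cookie, "JSESSIONID") ? cookie.JSESSIONID : "(no JSESSIONID cookie sent)" />
<cfset sessId   = structKeyExists(session, "sessionid") ? session.sessionid : "(no session.sessionid)" />
<cfset scheme   = (cgi.server_port_secure eq 1) ? "HTTPS" : "HTTP" />
<cfoutput>
    <p>Loaded over: #scheme#</p>
    <p>COOKIE.JSESSIONID: #htmlEditFormat(cookieId)#</p>
    <p>SESSION.SESSIONID: #htmlEditFormat(sessId)#</p>
    <p>Identifiers match: #yesNoFormat(cookieId eq sessId)#</p>
    <p>Requests served in this session: #session.hits#</p>
</cfoutput>
```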

LEGEND, Sep 22, 2015

BKBK wrote:

Could you show us the code?

Here is some pseudo-code.

I took the iframe out of the equation, and am putting the form directly in index.cfm:

index.cfm:

<cfset variables.mQuestion = "What is two times two?" />
<cfset session.mAnswer = 4 />
     ...
<form name="subPro" id="subPro" enctype="application/x-www-form-urlencoded" class="dbw">
     ...
    <cfoutput>
        In an effort to cut down on bots, please answer the following question using numbers only:
        <br />#variables.mQuestion#:
        <input name="userInput" id="userInput" maxlength="2" class="userInput" value="" />
        <input type="button" name="submitBtn" id="submitBtn" value="  Submit  " onclick="return validateData(this.form.id);" />
    </cfoutput>
</form>

<script type="text/javascript">
    function validateData(formObjId){
        var formObj = document.forms[formObjId], postURL = "components/dbw.cfc?method=contactus";
        // ... I am doing _some_ client-side validation, here; there is more on server-side.
        var postData = $('#' + formObjId).serializeArray(); // var keeps this out of the global scope
        $.ajax({
            type: "POST",
            url: postURL,
            data: postData
        }).done(function(data){
            $('#dispResp').html(data);
        });
    }
</script>

dbw.cfc:

<cffunction access="remote" name="contactus" output="yes" returntype="any">
    <cfscript>
    // var-scoped so concurrent requests to the CFC do not share the variable
    var returnResult = "";
    // server-side form validation, here
    if(val(session.mAnswer) neq val(form.userInput)){
        returnResult &= "Math answer does not match.<br />";
    }
    if(len(trim(returnResult))){
        returnResult = "Please correct the following:<br />" & returnResult;
    }
    </cfscript>
    <cfswitch expression="#len(trim(returnResult))#">
        <cfcase value="0">
            <!--- Display message that all worked out great, thank user. --->
        </cfcase>
        <cfdefaultcase>
            #returnResult#
        </cfdefaultcase>
    </cfswitch>
</cffunction>

V/r,

^_^

Adobe Community Professional, Sep 21, 2015

WolfShade wrote:

However, I've got J2EE enabled, setDomainCookies to true (in Application.cfc), and cookies set for HTTPonly. Now, the .cfcs that process form data via AJAX are throwing the same session error messages - 'mAnswer not defined in session'.

You might have stumbled by chance - luckily, perhaps - on a design issue you have to solve. The error message suggests that the CFC uses session variables. However, it also appears that the CFC is available to clients via an AJAX URL call.

Such a call is from "outside" the application, and may be made by anyone. Whereas, a session variable is within the context of the application, hence on the "inside". To improve your design, in general, ensure that a CFC that is accessible from the outside does not involve session variables.

Participant, Sep 21, 2015

BKBK wrote:

WolfShade wrote:

However, I've got J2EE enabled, setDomainCookies to true (in Application.cfc), and cookies set for HTTPonly. Now, the .cfcs that process form data via AJAX are throwing the same session error messages - 'mAnswer not defined in session'.

You might have stumbled by chance - luckily, perhaps - on a design issue you have to solve. The error message suggests that the CFC uses session variables. However, it also appears that the CFC is available to clients via an AJAX URL call.

Such a call is from "outside" the application, and may be made by anyone. Whereas, a session variable is within the context of the application, hence on the "inside". To improve your design, in general, ensure that a CFC that is accessible from the outside does not involve session variables.

BKBK, if you are suggesting that the application pages should work with SESSION vars etc. and send pertinent details to CFCs as arguments, I would agree with that. Not sure about the inside/outside references.

Adobe Community Professional, Sep 21, 2015

mkane1 wrote:

BKBK, if you are suggesting that the application pages should work with SESSION vars etc. and send pertinent details to CFCs as arguments, I would agree with that. Not sure about the inside/outside references.

Hi, I am not talking about application pages working with session variables and sending data to CFCs as arguments, though that is a valid point. I really mean "inside" and "outside".

A CFC is a service inside an application. If you want it to be accessible by a client from outside the application, you should - as a general rule - avoid using session-scoped variables within the CFC.
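One way to apply this advice, and mkane1's "send pertinent details as arguments", to the contactus method in WolfShade's pseudo-code: the page issues a signed, expiring challenge token alongside the question, and the remote method verifies the caller's answer against that token instead of reading session.mAnswer, so the check gives the same result whichever session (or none) the AJAX request lands in. This is an added example, not code from the thread; the component name, application.challengeKey, the hidden challengeToken form field and ColdFusion 10+ for hmac() are my assumptions.

```cfml
<!--- dbwChallenge.cfc (added example). Assumes Application.cfc sets, once per application
      start, <cfset application.challengeKey = generateSecretKey("AES") /> as the HMAC secret. --->
<cfcomponent output="false">

    <!--- Page side: index.cfm calls this, prints .question, and puts .token in a hidden
          form field named challengeToken so serializeArray() posts it with userInput. --->
    <cffunction name="newChallenge" access="public" returntype="struct" output="false">
        <cfset var a = randRange(2, 9) />
        <cfset var b = randRange(2, 9) />
        <cfset var expiresMs = getTickCount() + 10 * 60 * 1000 />   <!--- ten-minute lifetime --->
        <!--- the answer itself is never placed in the token, only its HMAC --->
        <cfset var sig = hmac(expiresMs & "|" & (a * b), application.challengeKey, "HMACSHA256") />
        <cfreturn { question = "What is #a# times #b#?", token = expiresMs & "." & sig } />
    </cffunction>

    <!--- Verifies an answer against a token. No session scope is involved, so the result
          does not depend on which session the AJAX request arrives in. --->
    <cffunction name="verifyAnswer" access="public" returntype="boolean" output="false">
        <cfargument name="token" type="string" required="true" />
        <cfargument name="userInput" type="string" required="true" />
        <cfset var expiresMs = listFirst(arguments.token, ".") />
        <cfset var expected = "" />
        <cfif listLen(arguments.token, ".") neq 2 or not isNumeric(expiresMs) or not isNumeric(arguments.userInput)>
            <cfreturn false />
        </cfif>
        <cfif getTickCount() gt expiresMs>
            <cfreturn false />   <!--- expired: the form has to fetch a new challenge --->
        </cfif>
        <cfset expected = hmac(expiresMs & "|" & val(arguments.userInput), application.challengeKey, "HMACSHA256") />
        <!--- a stateless token can be replayed until it expires; a server-side nonce store would close that gap --->
        <cfreturn compare(expected, listLast(arguments.token, ".")) eq 0 />
    </cffunction>

    <cffunction name="contactus" access="remote" returntype="string" output="false">
        <cfargument name="challengeToken" type="string" required="true" />
        <cfargument name="userInput" type="string" required="true" />
        <cfif not verifyAnswer(arguments.challengeToken, arguments.userInput)>
            <cfreturn "Please correct the following:<br />Math answer does not match." />
        </cfif>
        <!--- the rest of the contact-form processing goes here --->
        <cfreturn "Thank you, your message has been received." />
    </cffunction>
</cfcomponent>
```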

Enthusiast, Sep 16, 2015

We had this issue a few months back with an older <frame> based application. The only thing that solved it was setting setdomaincookies to "true" in application.cfc/cfm and then clearing all browser cookies and trying to load the application again. Firefox would be fine, but IE and Chrome refused to work.

LEGEND, Sep 16, 2015

tribule wrote:

Firefox would be fine, but IE and Chrome refused to work.

That won't fly, here. IE is the internal browser default. Did you ever get it fixed for all browsers?

^_^

Enthusiast, Sep 16, 2015

Yes, enabling setdomaincookies was the solution in our case. Have you tried adding it? We were on an old legacy app, with application.cfm so our cfapplication tag looked like this:

<cfapplication name="testApp"
               clientmanagement="true"
               sessionmanagement="true"
               sessiontimeout="#CreateTimeSpan(0,0,60,0)#"
               setclientcookies="true"
               setdomaincookies="true">

LEGEND, Sep 22, 2015

Is there a chance that there might be a JkEnvVar in mod_jk.conf that should be set? Just checking. Our former SA thought of it.

V/r,

^_^
