Cookies and frames

  • Thread starter rolf.matreskova

rolf.matreskova

Hi, should cookies work when referring to an 'external' site in a
frame?

Here is the situation: http://mysite.com/page1.html contains a frame
to http://othersite.com/otherpage1.html. When I navigate in the frame
from otherpage1.html to http://othersite.com/otherpage2.html the server
returns a cookie for the browser to set. But it appears that the
cookie is not sent back to othersite.com when navigating from
otherpage2.html.

All of this happens in a frame within http://mysite.com/page1.html .

I have looked at the http headers and it appears that the only field
which is added compared to navigating othersite.com outside a frame
is the Referer header which points to mysite.com/page1.html.

Does the Referer header prevent the cookie from being sent back
to othersite.com ?

This is all using IE7.

Cheers
 

Evertjan.

wrote on 02 dec 2006 in comp.lang.javascript:
> Hi, should cookies work when referring to an 'external' site in a
> frame?
>
> Here is the situation: http://mysite.com/page1.html contains a frame
> to http://othersite.com/otherpage1.html. When I navigate in the frame
> from otherpage1.html to http://othersite.com/otherpage2.html the server
> returns a cookie for the browser to set. But it appears that the
> cookie is not sent back to othersite.com when navigating from
> otherpage2.html.
>
> All of this happens in a frame within http://mysite.com/page1.html .

Cookies are never sent [by the browser in a header] to another domain.

It would be a severe security risk if it did.

It could give away your session-variable of a server or a password stored
for a site.

The frame dependency should not have anything to do with it.

> I have looked at the http headers and it appears that the only field
> which is added compared to navigating othersite.com outside a frame
> is the Referer header which points to mysite.com/page1.html.
>
> Does the Referer header prevent the cookie from being sent back
> to othersite.com ?

No, the referrer header has nothing to do with it [except sometimes showing
the domain requested by the browser], because that is what is sent too.

> This is all using IE7.

All browsers have or should have this cookie security.
 

rolf.matreskova

> Cookies are never sent [by the browser in a header] to another domain.

Evertjan,

Thanks, but just to make it clear, the cookie here is set by the same
domain it is meant to be sent back to, there is no "cross-domain
cookie" attempt. What I'm experiencing is that navigating within one
domain in a single frame simply does not work because the cookie is not
sent back to the very same domain that sent it.

Cheers
 

Evertjan.

wrote on 02 dec 2006 in comp.lang.javascript:
> > Cookies are never sent [by the browser in a header] to another domain.
>
> Evertjan,
>
> Thanks, but just to make it clear, the cookie here is set by the same
> domain it is meant to be sent back to, there is no "cross-domain
> cookie" attempt. What I'm experiencing is that navigating within one
> domain in a single frame simply does not work because the cookie is not
> sent back to the very same domain that sent it.

Did you set the cookie domain property properly?

document.cookie = 'myCookie=' + cookieString + '; domain=myDomain.com;';
 

rolf.matreskova

> Did you set the cookie domain property properly?
>
> document.cookie = 'myCookie=' + cookieString + '; domain=myDomain.com;';

The thing is that I'm not even trying to set the cookie myself, the
domain sets it for me in the response, but it is not sent back to that
same domain when I navigate to another page. This happens when
navigation occurs in a frame whereas it works just fine if I'm
accessing the domain directly and not from a page of mine in a frame.

Rolf
 

Evertjan.

wrote on 02 dec 2006 in comp.lang.javascript:
> The thing is that I'm not even trying to set the cookie myself, the
> domain sets it for me in the response,

You mean in serverside code? [see below]. The server should only do what
you instruct it to do!

> but it is not sent back to that
> same domain when I navigate to another page. This happens when
> navigation occurs in a frame whereas it works just fine if I'm
> accessing the domain directly and not from a page of mine in a frame.

Also a cookie set by serverside code could have a wrong subdomain or
whatever. [It is said that a domain could be shared by different servers,
and that would give a cookie issue]

You could start by debugging by setting up a test page with cookies you set
yourself. Using a serverside cookie setter makes this much easier, like in
ASP-JS: response.cookie() and request.cookie()

I never had this problem, but then I do not use frames in that way.
 

rolf.matreskova

Here is the real world case (on a test flickr account I created).

The URL in question is http://www.flickr.com/gp/56651581@N00/5oZhLf
When you navigate to it in a browser the server sets a cookie in the
response and asks the browser to redirect the page to another page.
This works fine.

However when you try to host the page in a frame exactly like this:

<HTML>
<FRAMESET>
<FRAME SCROLLING="auto"
SRC="http://www.flickr.com/gp/56651581@N00/5oZhLf">
</FRAMESET>
</HTML>

You end up on the flickr logon page, because apparently the cookie is
not sent back by the browser upon redirection.

Is there any issue with what I'm trying to achieve here ?
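
Added example, not part of the thread: a small JavaScript model of how a browser decides which cookies accompany a request, covering the domain matching discussed above. It takes no Referer input at all; `site()` (last two host labels) and the `blockThirdParty` switch are simplifying assumptions standing in for a browser's own third-party cookie policy for framed content, and the hosts and cookie values are constructed.

```javascript
// Added illustration; not code from the thread. Hosts and values are constructed.

// Domain-match as in RFC 6265: the host equals the cookie domain,
// or ends with "." + cookie domain.
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  return h === d || h.endsWith("." + d);
}

// Assumption: "site" = last two host labels. Real browsers consult the
// Public Suffix List instead of counting labels.
function site(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Handle a Set-Cookie from responseHost. No Domain attribute means the cookie
// is host-only; a Domain that does not match the responding host is rejected.
function storeCookie(jar, responseHost, name, value, domainAttr) {
  if (domainAttr && !domainMatch(responseHost, domainAttr)) return false;
  jar.push({
    name,
    value,
    domain: (domainAttr || responseHost).toLowerCase(),
    hostOnly: !domainAttr,
  });
  return true;
}

// Build the Cookie header for a request to requestHost made inside a page
// whose top-level document is on topLevelHost. There is deliberately no
// Referer parameter: the header is not an input to this decision.
// blockThirdParty is a hypothetical switch modelling a privacy policy that
// withholds cookies when the framed site differs from the top-level site.
function cookieHeader(jar, requestHost, topLevelHost, blockThirdParty) {
  const thirdParty = site(requestHost) !== site(topLevelHost);
  if (blockThirdParty && thirdParty) return "";
  const host = requestHost.toLowerCase();
  return jar
    .filter((c) => (c.hostOnly ? c.domain === host : domainMatch(host, c.domain)))
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}
```

With the switch off, a cookie stored for othersite.com is returned to othersite.com whether the top-level page is mysite.com or othersite.com itself; with it on, the same jar yields an empty header in the framed case only.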
 
