Cookies in Iframes
12-23-2009, 01:50 PM
I've embedded a third-party storefront (my account) with iframes... and it works fine, except that when I go to checkout... my browser requires I lower the cookie security from medium to low... which is not an acceptable request for visitors.
When I go directly to the storefront page (no embedded iframe) it works fine. I am assuming my page that is doing the iframe does not have a necessary validation (I'm only skilled enough in coding to be dangerous, so I'm not sure).
Is there a work around for this?
Here are the pages if anyone wants to look at the specifics.
The embedded store: http://www.glidegear.com/shopglidegear.html
The plain storefront, no embedding with iframe: store.glidegear.com
12-23-2009, 06:46 PM
I think the problem has to do with how cookie permissions work:
Cookies cannot be accessed on different domains. Subdomains work like this: store.glidegear.com and www.glidegear.com are actually considered different websites to cookies.
So if you use a subdirectory, instead of subdomain, like www.glidegear.com/store, for the store, then you can make this work.
Cookies can also be limited by directory; they are available based on how they are initially set. So set them with the broadest permissions possible from the most basic location possible (hopefully either www.yoursite.com or just yoursite.com-- remember, www. is a subdomain too).
There is no trick to get around this; you must redesign your site.
Some potential solutions without changing the subdomain structure are:
1. Use some sort of server-side method to skip using cookies, like storing it in a database; in the iframe they set up their cart and get ready to check out. Then they go to the checkout on the main part and they have to log in again (setting a new cookie), and then they get their cart forwarded to them after being stored on the server. This would be messy but could work.
There may be more ways to try to get around it, but there will be no way to bypass cookie security. By making the security setting lower, you are basically ignoring how cookies actually work, and that won't work across browsers and certainly not for users who don't want to have lowered security.
I'd like to see cookies that are allowed to be accessed by a few domains (given the right permission), in the sense that then you could link them together. But of course that's just not how it works.
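Added example, not part of either post: a JavaScript sketch of the cookie Domain and Path matching rules from RFC 6265 that the reply above refers to, run against the two hostnames from the question. The function names and cookie names are made up for illustration, and the sketch models only those matching rules (no public-suffix check and no browser privacy-level setting).

```javascript
// RFC 6265 domain-match (section 5.1.3) and path-match (section 5.1.4), simplified.
// All names and sample cookies below are constructed for illustration.

function domainMatch(requestHost, cookie) {
  const host = requestHost.toLowerCase();
  const domain = cookie.domain.toLowerCase();
  if (cookie.hostOnly) return host === domain; // no Domain attribute was given
  return host === domain || host.endsWith("." + domain);
}

function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // "/store" must match "/store/x" but not "/storefront"
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Build the stored cookie roughly as a browser would from a Set-Cookie header.
function storeCookie(setByHost, name, attrs = {}) {
  const domain = attrs.domain ? attrs.domain.replace(/^\./, "") : setByHost;
  // A host may only set a cookie for itself or one of its parent domains.
  if (attrs.domain && !domainMatch(setByHost, { domain, hostOnly: false })) return null;
  return { name, domain, hostOnly: !attrs.domain, path: attrs.path || "/" };
}

function cookiesSentTo(host, path, jar) {
  return jar
    .filter(c => c && domainMatch(host, c) && pathMatch(path, c.path))
    .map(c => c.name);
}

const jar = [
  storeCookie("store.glidegear.com", "cart_hostonly"),                          // default scope
  storeCookie("store.glidegear.com", "cart_shared", { domain: "glidegear.com" }), // broad scope
  storeCookie("www.glidegear.com", "cart_dir", { path: "/store" }),             // directory scope
  storeCookie("store.glidegear.com", "rejected", { domain: "example.org" }),    // unrelated domain
];

console.log(cookiesSentTo("store.glidegear.com", "/checkout", jar));
console.log(cookiesSentTo("www.glidegear.com", "/shopglidegear.html", jar));
console.log(cookiesSentTo("www.glidegear.com", "/store/checkout", jar));
```
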