41 Replies. Latest reply on Sep 22, 2015 8:56 AM by WolfShade

    #SESSION# variables and iFrame

    WolfShade Level 4

      Hello, all,

       

      I've got a page that contains an iFrame.  When loading the parent via HTTP, the page loading in the iframe via HTTP can see session variables with no problem.

       

      However, when I load that same parent page HTTPS _and_ the iFrame via HTTPS, the iFrame src page does NOT see session variables set in the parent page.

       

      Both are loading HTTPS, both same domain, same port.

      Parent: https://www.domain.com/dbw/tt/index.cfm

      iFrame: https://www.domain.com/dbw/tt/contactus.cfm

       

      I'll check CFID and CFTOKEN on both, but I suspect they are the same.  UPDATE:  I can confirm that in my DEV environment, CFID and CFTOKEN are the same for both parent page and iFrame page.

       

      What could be causing this?

       

      V/r,

       

      ^_^

        • 1. Re: #SESSION# variables and iFrame
          haxtbh Level 4

          Are you using J2EE Sessions? Are you sure there are no elements on the page causing it not to load HTTPS fully? i.e. links to scripts / resources with http:// prefixes. Does this happen on all pages or just the ones you specified?

          • 2. Re: #SESSION# variables and iFrame
            WolfShade Level 4

            Currently, the only page where I am loading an iFrame is this one page.  All script/css links are "/script/blah.js" or "/style/page.css", so the protocol should be the same.

             

            DEV environment is NOT using J2EE sessions.  I do not have access to CFAdmin in production/staging, but I'll ask.

             

            V/r,

             

            ^_^

            • 3. Re: #SESSION# variables and iFrame
              WolfShade Level 4

              I just got word from our SA.  Production is using J2EE memory variables.  Could this be causing the issue?  It appears as though (in the production environment) the iFrame .cfm file is getting different JSESSIONID variables.

               

              V/r,

               

              ^_^

              • 4. Re: #SESSION# variables and iFrame
                haxtbh Level 4

                Do you have load balancers in front of your server? Are you also using the full URL for the iframe? https://... etc or just the relative page /dbw/tt/contactus.cfm?


                Also where are your session variables being set? Are you doing something in the onSessionStart() ?

                • 5. Re: #SESSION# variables and iFrame
                  WolfShade Level 4

                  No load balancers.  Full URL (protocol, domain, and port match between parent and iframe src.)  Session variables are being set in the parent page.  They are for a kind of CAPTCHA.  Basically, the parent page runs a component function that randomly selects a word math equation and a corresponding numeric answer, saves them to the session scope, and the processing page matches the user input to the session saved answer; if they don't match, display an error message; otherwise, process the form data.  It's part of a two-pronged defense, the other part being a honeypot.

                   

                  One thing I did notice was that if I dump the session for both parent and iframe, CFID and CFTOKEN match, but JSESSIONID changes for both on every page load.

                   

                  Also, this _was_ working in DEV.  Then I set J2EE to enabled in DEV, and I'm getting the exact same error message, now, that a variable doesn't exist in the session scope.  Turn J2EE off, and it works just fine.

                   

                  V/r,

                   

                  ^_^

                  • 6. Re: #SESSION# variables and iFrame
                    haxtbh Level 4

                    Do you run a cluster of any kind?

                     

                    I setup a test to set session vars across iframes with j2ee both enabled and disabled and I got it to work fine each time.

                    • 7. Re: #SESSION# variables and iFrame
                      WolfShade Level 4

                      No clusters.  The only thing that comes close is fail-over, and we have only one server set as primary, and it hasn't been failing through any of this.

                       

                      Here's a question.  If a page is located at https://www.domain.com/index.cfm and contains <script src="/js/form.js"></script>, the /js/form.js is going through https, is it not?

                       

                      V/r,

                       

                      ^_^

                      • 8. Re: #SESSION# variables and iFrame
                        mkane1 Level 1

                        I replied to your other thread on this topic before seeing this one. Oops.

                         

                        I set up a test on my dev CF10 server with J2EE enabled, the iframed cfm file has no problem seeing SESSION vars set in the parent.

                        • 9. Re: #SESSION# variables and iFrame
                          WolfShade Level 4

                          Going through HTTPS?

                           

                          V/r,

                           

                          ^_^

                          • 10. Re: #SESSION# variables and iFrame
                            mkane1 Level 1

                            Yes, I tested every variation of HTTP and HTTPS in the browser address bar and in the IFRAME tag. The iframed cfm was always able to output the SESSION var set in the parent file.

                             

                            Do you have the "Use UUID for cftoken" box checked in the main CF Admin Settings page? My server does have that option checked. I didn't want to test unchecking it because other developers are working on the same server.

                            • 11. Re: #SESSION# variables and iFrame
                              WolfShade Level 4

                              mkane1, I have asked our SA about that (I do not have access to CFAdmin in production environments.)

                               

                              As far as our dev environment, J2EE is off (currently; if we can fix this, I'll turn it on); Application and Session variables are enabled; cookies are HTTP only; Secure Cookie is disabled; updating CF internal cookies using CF tags/functions is allowed; UUID for cftoken is NOT checked.

                               

                              V/r,

                               

                              ^_^

                              • 12. Re: #SESSION# variables and iFrame
                                mkane1 Level 1

                                Seems to me no need to worry about the production environment yet, you said that in your DEV server simply turning J2EE on or off caused or fixed the underlying problem. You could try enabling the UUID option. I doubt that is the problem, but it shouldn't hurt to try. I would think that enabling J2EE is necessary.

                                • 13. Re: #SESSION# variables and iFrame
                                  tribule Level 2

                                  We had this issue a few months back with an older <frame> based application. The only thing that solved it was setting setdomaincookies to "true" in application.cfc/cfm and then clearing all browser cookies and trying to load the application again. Firefox would be fine, but IE and Chrome refused to work.

                                  • 14. Re: #SESSION# variables and iFrame
                                    WolfShade Level 4

                                    mkane1 wrote:

                                    I would think that enabling J2EE is necessary.

                                    Me, too, which is why I'm so worried about it.

                                     

                                    I wound up putting the iframe contents back on the same page that contained the iframe, which works, but doesn't help me understand what is "broken" about our production environment.

                                     

                                    ^_^

                                    • 15. Re: #SESSION# variables and iFrame
                                      WolfShade Level 4

                                      tribule wrote:

                                       

                                      Firefox would be fine, but IE and Chrome refused to work.

                                      That won't fly here; IE is the internal browser default. Did you ever get it fixed for all browsers?

                                       

                                      ^_^

                                      • 16. Re: #SESSION# variables and iFrame
                                        tribule Level 2

                                        Yes, enabling setdomaincookies was the solution in our case. Have you tried adding it? We were on an old legacy app, with application.cfm so our cfapplication tag looked like this:

                                         

                                        <cfapplication name="testApp"
                                                       clientmanagement="true"
                                                       sessionmanagement="true"
                                                       sessiontimeout="#CreateTimeSpan(0,0,60,0)#"
                                                       setclientcookies="true"
                                                       setdomaincookies="true">

                                        • 17. Re: #SESSION# variables and iFrame
                                          WolfShade Level 4

                                          I just got word from our SA - yes, "Use UUID for cftoken" is checked.

                                           

                                          tribule, you had mentioned that, but you followed that with "Firefox would be fine, but IE and Chrome refused to work."  I assumed that was _after_ setting setdomaincookies to true.

                                           

                                          V/r,

                                           

                                          ^_^

                                          • 18. Re: #SESSION# variables and iFrame
                                            tribule Level 2

                                            What I meant was this: in Firefox the frameset worked fine and kept the session (i.e. without setDomainCookies added). In IE and Chrome, the session was not kept and I got fatal errors (session does exist etc). After setting setDomainCookies to true, all browsers then worked fine. Hope that clarifies it. It seems to be a browser issue as much as a CF issue, since otherwise why did Firefox work fine? Enabling UUID for token and JSESSION id's did not solve our issue either, only setDomainCookies did. Strange, but true, and we are also using one domain everywhere.

                                            • 19. Re: #SESSION# variables and iFrame
                                              WolfShade Level 4

                                              Understood, now. 

                                               

                                              However, I've got J2EE enabled, setDomainCookies to true (in Application.cfc), and cookies set for HTTPonly.  Now, the .cfcs that process form data via AJAX are throwing the same session error messages - 'mAnswer not defined in session'.

                                               

                                              WTF..

                                               

                                              V/r,

                                               

                                              ^_^

                                              • 20. Re: #SESSION# variables and iFrame
                                                tribule Level 2

                                                I wonder if the server is patched and is installed correctly (old connector remnants perhaps)? Does your application work if you use Firefox? Also, did the frame retain the session with setDomainCookies set to true, or is that still an issue? Did you clear all cookies from your browser? I had to remove all cookies before it worked for me.

                                                • 21. Re: #SESSION# variables and iFrame
                                                  BKBK Adobe Community Professional & MVP

                                                  WolfShade wrote:


                                                  However, I've got J2EE enabled, setDomainCookies to true (in Application.cfc), and cookies set for HTTPonly.  Now, the .cfcs that process form data via AJAX are throwing the same session error messages - 'mAnswer not defined in session'.

                                                  You might have stumbled by chance - luckily, perhaps - on a design issue you have to solve. The error message suggests that the CFC uses session variables. However, it also appears that the CFC is available to clients via an AJAX URL call.

                                                   

                                                  Such a call is from "outside" the application, and may be made by anyone. Whereas, a session variable is within the context of the application, hence on the "inside". To improve your design, in general, ensure that a CFC that is accessible from the outside does not involve session variables.

                                                  • 22. Re: #SESSION# variables and iFrame
                                                    WolfShade Level 4

                                                    Hi, tribule,

                                                     

                                                    So far, all testing producing errors has been in dev.  I just now pushed to staging, tested, and it worked, so I had our SA log on to the CFAdmin, and the J2EE was _NOT_ set.

                                                     

                                                    As soon as he enabled it and restarted the CF service, BANG, the iframe document is not seeing the session variables set in the parent page.

                                                     

                                                    I can only guess that since JSESSIONID is different for every page load (a supposed security feature), then the iframe document loads with a different JSESSIONID, so session variables are essentially worthless, in that case.

                                                     

                                                    But, then, how to explain that you are NOT having the same issues?

                                                     

                                                    The CFC does have a session variable conditional -- if (val(userInput) neq val(session.mAnswer)) { fail }.  This is part of my "captcha" used for preventing automated submission.  How can I get the session variable to the CFC??

                                                     

                                                    V/r,

                                                     

                                                    ^_^

                                                     

                                                    PS.  I used FF, IE, and Chrome.  I removed all cookies and cleared the cache (EVERYTHING).  setDomainCookies is set to true in the very beginning of application.cfc. 

                                                    • 23. Re: #SESSION# variables and iFrame
                                                      WolfShade Level 4

                                                      It just occurred to me.  I work for US DoD.  It is likely that the issue isn't JUST J2EE, but a combination of that and another security-related setting, possibly in CFAdmin, possibly proxy-related.

                                                       

                                                      What do you think?

                                                       

                                                      V/r,

                                                       

                                                      ^_^

                                                      • 24. Re: #SESSION# variables and iFrame
                                                        mkane1 Level 1

                                                        Wolfshade, have you tried a simple test, no CFCs, very little code at all? I suggest creating a new folder, with only 3 files:

                                                        1. application.cfc or cfm, with only code to create the application, enable SESSION management, and SetDomainCookies = true
                                                        2. parent cfm, sets a SESSION var and creates the Iframe
                                                        3. iframed cfm that checks if the SESSION var is defined and either displays it or "not defined".

                                                         

                                                        That should help.
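                                                        The three-file check described above, written out as an added example (this is not code from the thread; the file names, the application name "sessionIframeTest", and the /dbw/tt/ paths are assumptions). Each page prints its session.sessionid (the JSESSIONID when J2EE sessions are on) and whether the browser sent a Cookie header at all, which separates a session the iframe never joins from one the server regenerates on every request:

```cfml
<!--- Application.cfc (constructed example) --->
<cfcomponent output="false">
    <cfset this.name = "sessionIframeTest">
    <cfset this.sessionManagement = true>
    <!--- 20 minutes, matching the timeout mentioned in the thread; 0 would force a new session per request --->
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 20, 0)>
    <cfset this.setClientCookies = true>
    <cfset this.setDomainCookies = true>
</cfcomponent>

<!--- parent.cfm: sets the session variable and embeds the iframe --->
<cfset session.mAnswer = randRange(1, 100)>
<cfset requestHeaders = getHttpRequestData().headers>
<cfoutput>
<p>Parent sessionid: #session.sessionid#</p>
<p>Cookie header received:
   #structKeyExists(requestHeaders, "Cookie") ? encodeForHTML(requestHeaders["Cookie"]) : "(none)"#</p>
<!--- Relative URL, so scheme, host and port are inherited from the parent page --->
<iframe src="/dbw/tt/child.cfm" width="400" height="120"></iframe>
</cfoutput>

<!--- child.cfm: loaded inside the iframe; must see the same sessionid as the parent --->
<cfset requestHeaders = getHttpRequestData().headers>
<cfoutput>
<p>Child sessionid: #session.sessionid#</p>
<p>Cookie header received:
   #structKeyExists(requestHeaders, "Cookie") ? encodeForHTML(requestHeaders["Cookie"]) : "(none)"#</p>
<!--- Guard the lookup so a missing key is reported instead of throwing --->
<cfif structKeyExists(session, "mAnswer")>
    <p>session.mAnswer is visible: #session.mAnswer#</p>
<cfelse>
    <p>session.mAnswer is NOT defined in this session.</p>
</cfif>
</cfoutput>
```

                                                        Reading the output: if the child shows "(none)" for the Cookie header while the parent shows one, the browser is withholding the session cookie from the framed request, so look at the Domain, Path, Secure and HttpOnly attributes of the Set-Cookie the server issued against the iframe URL. If both pages receive a cookie but the sessionid still differs, or changes when the same page is reloaded, the server is not honouring the cookie it was sent, which points at the session configuration rather than the iframe.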

                                                        • 25. Re: #SESSION# variables and iFrame
                                                          mkane1 Level 1

                                                          BKBK wrote:

                                                           

                                                          WolfShade wrote:


                                                          However, I've got J2EE enabled, setDomainCookies to true (in Application.cfc), and cookies set for HTTPonly.  Now, the .cfcs that process form data via AJAX are throwing the same session error messages - 'mAnswer not defined in session'.

                                                          You might have stumbled by chance - luckily, perhaps - on a design issue you have to solve. The error message suggests that the CFC uses session variables. However, it also appears that the CFC is available to clients via an AJAX URL call.

                                                           

                                                          Such a call is from "outside" the application, and may be made by anyone. Whereas, a session variable is within the context of the application, hence on the "inside". To improve your design, in general, ensure that a CFC that is accessible from the outside does not involve session variables.

                                                          BKBK, if you are suggesting that the application pages should work with SESSION vars etc. and send pertinent details to CFCs as arguments, I would agree with that. Not sure about the inside/outside references.

                                                          • 26. Re: #SESSION# variables and iFrame
                                                            tribule Level 2

                                                            Hi. Our JSESSIONID stays the same on every page, so different behaviour to yours again. Do you check for existence of the session.mAnswer variable before referring to it btw? BKBK asked the same thing. I expect you do, but it should be checked.

                                                             

                                                            If your frames all have different JSESSIONID's then you would have a problem. I create my session variable upon a successful user login and then cflocation to a new page where the frameset is loaded. Your code logic may be different. Perhaps the DOD environment is the cause. I think you need to experiment with some different code examples, using frames and sessions, to see what results you get and see whether each frame can maintain the session. These cookie/session issues are very tough ones to solve.

                                                            • 27. Re: #SESSION# variables and iFrame
                                                              WolfShade Level 4

                                                              I did something similar, and used CFDUMP in both parent document and iframe document.  The sessions did NOT match.

                                                               

                                                              V/r,

                                                               

                                                              ^_^

                                                              • 28. Re: #SESSION# variables and iFrame
                                                                WolfShade Level 4

                                                                We are getting a different JSESSIONID with every page load.  If I display the JSESSIONID on a page, and refresh it over and over and over, each page load gives a different JSESSIONID.

                                                                EDIT:  I had read, somewhere, that this is supposed to happen - it's a security feature; changing the sessionid is supposed to suppress certain attacks.  HOWEVER, the information of the old JSESSIONID is supposed to be copied to the new JSESSIONID.  I think that's not happening, here.

                                                                 

                                                                session.mAnswer is present in parent page; iframe does not see it, nor does the CFC.

                                                                 

                                                                There is no login for this.  This is going to be the new public facing page.

                                                                 

                                                                V/r,

                                                                 

                                                                ^_^

                                                                • 29. Re: #SESSION# variables and iFrame
                                                                  WolfShade Level 4

                                                                  I removed the iframe and put the form in the parent page, directly.  The CFC still does not see the same session variables that the parent page sees.

                                                                   

                                                                  [banging head repeatedly on desk]

                                                                   

                                                                  V/r,

                                                                   

                                                                  ^_^

                                                                   

                                                                  UPDATE:  This might be because CFAdmin is set for HTTPonly cookies.

                                                                  • 30. Re: #SESSION# variables and iFrame
                                                                    mkane1 Level 1

                                                                    Wolfshade, if you see a different JSESSIONID every time you reload a page, that is the problem right there. JSESSIONID (a cookie) and its counterpart SESSIONID (a session var) are not supposed to reset each page load. On my servers, cookies are set with HTTPOnly, but not Secure.

                                                                     

                                                                    I was interested in this thread because I did a lot of work creating a user security model based on SESSION vars, with the only cookie being JSESSIONID.

                                                                     

                                                                    What is the value for sessiontimeout in your application.cfc, and in the CF Admin? If either is 0, that would force the JSESSIONID to reset each page.

                                                                    • 31. Re: #SESSION# variables and iFrame
                                                                      tribule Level 2

                                                                      IFRAME runs with lower privilege in IE. Try setting a P3P header in the template loaded into the frame:

                                                                       

                                                                      <cfheader name="P3P" value="CP='CURa ADMa DEVa CONo HISa OUR IND DSP ALL COR'">

                                                                       

                                                                      We use FRAMESET, not IFRAMEs. I wonder if that could be it? This P3P issue only affects Internet Explorer.

                                                                      • 32. Re: #SESSION# variables and iFrame
                                                                        BKBK Adobe Community Professional & MVP

                                                                        mkane1 wrote:

                                                                         

                                                                        BKBK, if you are suggesting that the application pages should work with SESSION vars etc. and send pertinent details to CFCs as arguments, I would agree with that. Not sure about the inside/outside references.

                                                                        Hi, I am not talking about application pages working with session variables and sending data to CFCs as arguments, though that is a valid point. I really mean "inside" and "outside".

                                                                         

                                                                        A CFC is a service inside an application. If you want it to be accessible by a client from outside the application, you should - as a general rule - avoid using session-scoped variables within the CFC.
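                                                                        One way to apply the suggestion made in replies 25 and 32, as an added example rather than code from the thread: the AJAX target is a .cfm page that runs inside the application, does the session lookup itself (guarding against a missing key, as reply 26 recommends), and hands plain values to a CFC method that reads no scope and is not remotely accessible. The file names, the MathCaptcha component, the form field mathAnswer and the JSON shape are assumptions.

```cfml
<!--- MathCaptcha.cfc (constructed example): pure comparison, no session access, not remote --->
<cfcomponent output="false">
    <cffunction name="answerMatches" access="public" returntype="boolean" output="false">
        <cfargument name="userInput" type="string" required="true">
        <cfargument name="expected" type="numeric" required="true">
        <!--- Reject non-numeric input explicitly; val() would silently turn it into 0 --->
        <cfif NOT isNumeric(trim(arguments.userInput))>
            <cfreturn false>
        </cfif>
        <cfreturn (val(arguments.userInput) EQ arguments.expected)>
    </cffunction>
</cfcomponent>

<!--- contactus-submit.cfm (constructed example): the URL the page's AJAX call posts to.
      It runs under Application.cfc, so the session that rendered the form is available here. --->
<cfsetting showdebugoutput="false">
<cfcontent type="application/json">
<cfset result = { "ok": false, "reason": "" }>

<!--- No challenge in this session means the caller is not in the session that rendered the form
      (the symptom in the thread): fail closed instead of throwing --->
<cfif NOT structKeyExists(session, "mAnswer")>
    <cfset result.reason = "no captcha challenge in this session">
    <cfoutput>#serializeJSON(result)#</cfoutput>
    <cfabort>
</cfif>

<cfset submitted = structKeyExists(form, "mathAnswer") ? form.mathAnswer : "">
<cfset captcha = createObject("component", "MathCaptcha")>
<cfset result.ok = captcha.answerMatches(submitted, session.mAnswer)>

<!--- One challenge per submission: drop it so the same answer cannot be replayed --->
<cfset structDelete(session, "mAnswer")>

<cfif NOT result.ok>
    <cfset result.reason = "captcha answer did not match">
</cfif>
<cfoutput>#serializeJSON(result)#</cfoutput>
```

                                                                        The client-side part stays as the thread already has it: the AJAX request must go to the same scheme, host and port as the page, otherwise the browser does not attach the session cookie and this endpoint will report that no challenge exists. Keeping the CFC method at access="public" rather than "remote" means the comparison can only be reached through a page that has already resolved the session.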

                                                                        • 33. Re: #SESSION# variables and iFrame
                                                                          BKBK Adobe Community Professional & MVP

                                                                          WolfShade wrote:

                                                                           

                                                                          We are getting a different JSESSIONID with every page load.  If I display the JSESSIONID on a page, and refresh it over and over and over, each page load gives a different JSESSIONID.

                                                                          EDIT:  I had read, somewhere, that this is supposed to happen - it's a security feature; changing the sessionid is supposed to suppress certain attacks.  HOWEVER, the information of the old JSESSIONID is supposed to be copied to the new JSESSIONID.  I think that's not happening, here.

                                                                          As I suggested earlier, the likely reason for the requests from the iFrame to be creating new sessions each time is that such requests don't start within the application.  There is therefore no basis for a session to be maintained from one page to the next.

                                                                           


                                                                          session.mAnswer is present in parent page; iframe does not see it, nor does the CFC.

                                                                           

                                                                          The crux of the matter. I suspect that iFrame and CFC do have a session, but that it is different from the session that contains mAnswer.

                                                                           

                                                                          Could you show us the code?

                                                                          • 34. Re: #SESSION# variables and iFrame
                                                                            WolfShade Level 4

                                                                            mkane1 wrote:

                                                                             

                                                                            On my servers, cookies are set with HTTPOnly, but not Secure.

                                                                            We are not set for secure cookies, either.

                                                                             

                                                                            mkane1 wrote:

                                                                             

                                                                            If either is 0, that would force the JSESSIONID to reset each page.

                                                                            Session timeout is set for 20 minutes.

                                                                             

                                                                            V/r,

                                                                             

                                                                            ^_^

                                                                            • 35. Re: #SESSION# variables and iFrame
                                                                              WolfShade Level 4

                                                                              This is happening in all tested browsers (IE9, IE10, IE11, Firefox, Chrome.)

                                                                               

                                                                              And while I'm not thrilled about using iframe, I would only use frameset if a gun were held to my head.  (No offense; I know some people like frameset - I am not one of them.)

                                                                               

                                                                              V/r,

                                                                               

                                                                              ^_^

                                                                              • 36. Re: #SESSION# variables and iFrame
                                                                                WolfShade Level 4

                                                                                BKBK wrote:

                                                                                 

                                                                                Could you show us the code?

                                                                                I can try to get some pseudo-code posted, here.  Dev network is isolated from internet, and there's a lot of code.

                                                                                 

                                                                                I'll whip something up and post it here, soon.

                                                                                 

                                                                                Thank you!

                                                                                 

                                                                                V/r,

                                                                                 

                                                                                ^_^

                                                                                • 37. Re: #SESSION# variables and iFrame
                                                                                  tribule Level 2

                                                                                  Frameset works fine in many cases; I use it on a few sites that have run on large ecommerce sites for 10+ years over multiple CF versions, and no issues whatsoever.

                                                                                  • 38. Re: #SESSION# variables and iFrame
                                                                                    mkane1 Level 1

                                                                                    Wolfshade, earlier you wrote "If I display the JSESSIONID on a page, and refresh it over and over and over, each page load gives a different JSESSIONID".

                                                                                     

                                                                                    If that is true, then iframes and CFCs are completely irrelevant. The value for JSESSIONID should not be changing like that.

                                                                                     

                                                                                    I suggest you create a simple page in your app's folder that does nothing at all except show the values for COOKIE.JSESSIONID and SESSION.SESSIONID. If those values don't match, or either one changes when you refresh the page, that is the issue that needs to be addressed.

                                                                                     

                                                                                    I would then create a new folder, with its own application.cfc/cfm that does nothing except initialize the application name (start with something completely new on that server), enables SESSIONMANAGEMENT with at least 20 minute timeout, and setdomaincookies=true. Then create a simple page in that folder that shows the values for COOKIE.JSESSIONID and SESSION.SESSIONID.
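The diagnostic setup mkane1 describes, as an added example that is not code from the thread: a fresh Application.cfc plus a probe page that compares COOKIE.JSESSIONID with SESSION.SESSIONID. The application name and file names are placeholders, and the per-session hit counter goes beyond the post to show whether a session survives a refresh at all.

```cfml
<!--- Application.cfc (constructed example): nothing but a new app name and session settings --->
<cfcomponent output="false">
    <cfset this.name = "JSESSIONID_PROBE_PLACEHOLDER">  <!--- placeholder; must be unused on this server --->
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 20, 0)>  <!--- 20 minutes, as suggested --->
    <cfset this.setClientCookies = true>
    <cfset this.setDomainCookies = true>
</cfcomponent>

<!--- probe.cfm (constructed example): load it over HTTP and over HTTPS, refreshing several times --->
<cfscript>
// What the browser sent back, if anything (the very first hit has no cookie yet)
cookieId  = structKeyExists(cookie, "JSESSIONID") ? cookie.JSESSIONID : "";
// With J2EE sessions enabled, SESSION.SESSIONID is the servlet container's JSESSIONID
sessionId = structKeyExists(session, "SESSIONID") ? session.SESSIONID : "";

// Hit counter: stays at 1 on every refresh if a brand-new session is created each request
param name="session.hits" default=0;
session.hits++;

if (cookieId == "") {
    verdict = "no JSESSIONID cookie was sent (first request, or the browser is not returning it)";
} else if (compare(cookieId, sessionId) != 0) {   // compare() is case-sensitive, unlike ==
    verdict = "MISMATCH: cookie and session ids differ; this is the problem to chase";
} else {
    verdict = "match";
}

// encodeForHTML needs CF10+; use htmlEditFormat on older versions
writeOutput("<p>Secure request (CGI.SERVER_PORT_SECURE): " & encodeForHTML(cgi.server_port_secure) & "</p>");
writeOutput("<p>COOKIE.JSESSIONID: " & encodeForHTML(cookieId) & "</p>");
writeOutput("<p>SESSION.SESSIONID: " & encodeForHTML(sessionId) & "</p>");
writeOutput("<p>Hits this session: " & session.hits & "</p>");
writeOutput("<p>Verdict: " & encodeForHTML(verdict) & "</p>");
</cfscript>
```

Refresh probe.cfm several times over HTTPS: both ids should stay constant and the hit count should climb. A count that never leaves 1 means each request is getting a fresh session, which is the symptom reported earlier in the thread.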

• 39. Re: #SESSION# variables and iFrame
  WolfShade Level 4

  tribule wrote:

  Frameset works fine in many cases; I use it on a few sites that have run on large ecommerce sites for 10+ years over multiple CF versions, and no issues whatsoever.

  I can appreciate that some developers either like or don't mind framesets. Purely subjective. I will never use framesets unless the client is forcing me to. And I will do so under protest.

  V/r,

  ^_^