PHP solution to the problem of session loss caused by cross-domain iframe under IE

WBOY
2016-07-13 10:25:57

A login page I created today was embedded in an iframe by another website and I couldn't log in (this only happened in IE).

Obviously, the session cannot be saved. But when I open the login page directly in the address bar, everything is normal. How strange.

I searched online. I found that many people have mentioned this issue. The final solution is to add the following code to the login page:

The code is as follows:

// The P3P header must be sent before session_start() sets the session cookie
header('P3P: CP="ALL ADM DEV PSAi COM OUR OTRo STP IND ONL"');
session_start();

Maybe this problem is also related to my login page using a JavaScript location jump, but I have not tested this in depth.

The following is extended reading:

----------------------------------------------

When I was working on the Tencent Friends application today, the tester sent me a work order saying that the application cannot be used on IE7. A login timeout error occurred.

The first reaction was that the session was lost.

So I went online to search for the IE7 iframe session loss problem. Later I found the following article and solved the problem:

==============================================

Yesterday, the time diary I made on the school platform finally went online. On the first day of launch, more than 80 users installed it, but many users reported that the app was unavailable. I used to develop on Firefox (I guess the school staff also used Firefox for review). When I used IE7 to test, I found that all pages other than the homepage could not be opened normally.

I searched a lot of information on the Internet and found that there is such a problem in IE7: if there are one or more iframe subpages in the page, then the session creation in the subpage may not be successful, so the session data cannot be shared with other pages. When developing on-campus and 51 applications, assuming that an iframe is used, you are likely to encounter this problem. And this problem only exists in the IE7 browser. I have tested it in the Firefox, IE6 and Chrome browsers and there is no problem.

The solution is: before running session_start, add the following statement to the program (taking PHP as an example), which roughly declares the security level to the browser, so that the iframe subpage will not have the problem:

header('P3P: CP="ALL ADM DEV PSAi COM OUR OTRo STP IND ONL"');

In addition, I also learned: if the second-level domain name contains underscores, such as your_domain.yourhost.com, problems may also occur when establishing and passing sessions.

Some thoughts:

1) After many years, the browser compatibility issue has still not been completely solved, and IE browser is still causing pain and torture to developers.
2) Before releasing an application, it must undergo strict browser compatibility testing, otherwise you may lose the first batch of users of the application.

==============================================

Other reference articles:

==============================================

Solve the problem that jsessionid cannot be passed in iframe, resulting in session loss

http://618119.com/archives/2007/12/19/48.html

SSO is required to implement the ISMP2.1.1 interface, and the interface defined in ISMP requires calling the SSO interface in embedded pages such as iframes. In actual development, it was found that the session cannot be delivered normally.

The scenario to reproduce the problem is:

1. First visit site a: http://192.168.18.2/test.jsp

The code of test.jsp is:



618119.com






sso.jsp reads the passed ssoinfo, calls back the ISMP authentication interface, generates a session, and then stores the specified attribute value:

session.setAttribute("ssoUser", "lizongbo");

The page is then redirected to http://192.168.18.3/iframe.jsp:

response.sendRedirect("/iframe.jsp");

When iframe.jsp reads the ssoUser attribute from the session, it finds that the value cannot be read.

2. If you visit the page of 192.168.18.3 first and then the page of 192.168.18.2, the embedded iframe can pass the generated jsessionid cookie.

So the solutions are:

a. Add the jsessionid to the URL.

For example, redirect with:

response.sendRedirect("/iframe.jsp;jsessionid=lizongbo");

In this case, if the URLs of the other links in the iframe.jsp page do not also carry the jsessionid, the session cannot continue to be passed; however, the href attribute of each hyperlink can be rewritten by JS on the client to add the jsessionid.

b. Set the P3P header in sso.jsp.

For example: P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

Or: P3P: CP="CAO PSA OUR"

The Java code is:

response.addHeader("P3P", "CP=\"CAO PSA OUR\"");
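
The PHP counterpart of the P3P fix and of option b above, as an added example that is not part of the original article or of the articles it quotes. The embedding origin `https://partner.example` is a hypothetical placeholder, and the cookies-only, SameSite and frame-ancestors settings are additions for browsers other than IE.

```php
<?php
// Added example, not from the original article. ALLOWED_PARENT is a
// hypothetical placeholder for the one site allowed to embed this page.
const ALLOWED_PARENT = 'https://partner.example';

function start_framed_session(): void
{
    // Headers and the session cookie must be sent before any body output.
    if (headers_sent($file, $line)) {
        throw new RuntimeException("Output already started at $file:$line");
    }

    // IE only: the compact policy from the article, so that IE accepts the
    // session cookie when this page is loaded in a cross-domain iframe.
    header('P3P: CP="ALL ADM DEV PSAi COM OUR OTRo STP IND ONL"');

    // Allow framing by the known embedding site only (enforced by browsers
    // that implement CSP frame-ancestors).
    header('Content-Security-Policy: frame-ancestors ' . ALLOWED_PARENT);

    // Keep the session ID in the cookie only. An ID carried in the URL
    // (option a) ends up in Referer headers, logs and browser history.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1'); // reject IDs the server did not issue

    // Browsers that default cookies to SameSite=Lax send a cookie from a
    // cross-site iframe only when it is SameSite=None and Secure (HTTPS).
    // The array form of this call requires PHP 7.3 or later.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'None',
    ]);

    session_start();
}

// Call after the credentials have been verified.
function complete_login(string $user): void
{
    // Issue a fresh session ID at login so a pre-login ID cannot be reused.
    session_regenerate_id(true);
    $_SESSION['ssoUser'] = $user; // attribute name taken from the JSP example
}

start_framed_session();
```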
