
Solution to the problem of session loss caused by cross-domain PHP iframe under IE_PHP tutorial

WBOY (original), 2016-07-13 10:36:25

A login page I created today was embedded in an iframe by another website, and I couldn't log in (this only happened in IE). The main problem is that the session cannot be saved. I will share my personal solution process with you below.

Obviously, the session cannot be saved. But when I open the login page directly in the address bar, everything is normal. How strange.

I searched online and found that quite a few people have mentioned this issue. The final solution is to add the following code to the login page:

header('P3P: CP="ALL ADM DEV PSAi COM OUR OTRo STP IND ONL"'); 
session_start();


Maybe this problem is also related to the fact that my login page uses a JavaScript location redirect, but I have not tested this in depth.

Extended reading:
When I was working on the Tencent Friends application today, the tester sent me a work order saying that the application could not be used on IE7. A login timeout error occurred.

The first reaction was that the session was lost.

So I searched online for the IE7 iframe session loss problem. Later I found the following article and solved the problem:

Yesterday, the time diary I made on campus was finally online. On the first day of launch, more than 80 users installed it, but many users reported that the app was unavailable. I used to develop on Firefox (I guess the school staff also used Firefox for review). When I used IE7 to test, I found that all pages other than the homepage could not be opened normally.

After searching a lot of information on the Internet, I found that there is such a problem in IE7: if there are one or more iframe subpages in the page, the session creation in the subpage may not be successful, so the session data cannot be shared with other pages. When developing on-campus and 51 applications, assuming that iframe is used, you are likely to encounter such a problem. And this problem only exists in the IE7 browser. I have tested it in Firefox, IE6 and Chrome and there is no problem.

The solution is: before running session_start, add the following sentence to the program (taking PHP language as an example), which roughly declares the security level to the browser, so that there will be no problem when the iframe subpage creates a session:

header('P3P: CP="ALL ADM DEV PSAi COM OUR OTRo STP IND ONL"');
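The fix described above and in the first section only takes effect if the header is sent before any page output. The sketch below is an added example, not code from the original article or the articles it quotes; the function names start_framed_session() and p3p_covers_cookies() are hypothetical, and it assumes a web SAPI (not the CLI) so that headers_list() reflects the pending response.

```php
<?php
// Added example, not from the original article. Function names are hypothetical;
// the compact-policy string is the one quoted in the article.
const P3P_CP = 'ALL ADM DEV PSAi COM OUR OTRo STP IND ONL';

// Send the P3P header and start the session, or report why that is no longer possible.
function start_framed_session(): bool
{
    // header() has no effect once body output has begun (a BOM, whitespace
    // before "<?php", an echo in an include). Log where the output began.
    if (headers_sent($file, $line)) {
        error_log("P3P header not sent: output started at {$file}:{$line}");
        return false;
    }
    header('P3P: CP="' . P3P_CP . '"');

    // With session.auto_start the session is already active; the header above
    // still goes out in the same response as the session cookie.
    if (session_status() === PHP_SESSION_ACTIVE) {
        return true;
    }
    return session_start();
}

// True when every cookie set by this response is accompanied by a P3P header.
// Assumes a web SAPI, where headers_list() returns the pending response headers.
function p3p_covers_cookies(): bool
{
    $setsCookie = false;
    $hasP3p = false;
    foreach (headers_list() as $h) {
        if (stripos($h, 'Set-Cookie:') === 0) { $setsCookie = true; }
        if (stripos($h, 'P3P:') === 0)        { $hasP3p = true; }
    }
    return !$setsCookie || $hasP3p;
}

if (!start_framed_session() || !p3p_covers_cookies()) {
    http_response_code(500);
    exit('Session could not be started for framed use; see the error log.');
}
// Constructed sample use of the session: count page views inside the iframe.
$_SESSION['seen'] = ($_SESSION['seen'] ?? 0) + 1;
```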

In addition, I also learned that if the second-level domain name contains underscores, such as your_domain.yourhost.com, problems may occur when establishing and transmitting sessions.

Some thoughts:

1) After many years, the browser compatibility problem has still not been completely solved, and IE browser is still causing pain and torture to developers.
2) Before releasing the application, it must undergo strict browser compatibility testing, otherwise it may lose the first batch of users of the application.

Other reference articles:

Solve the problem of session loss due to jsessionid failure in iframe
http://618119.com/archives/2007/12/19/48.html

SSO is required to implement the ISMP2.1.1 interface, and the interface defined in ISMP requires calling the SSO interface in embedded pages such as iframes. During actual development, it was found that the session could not be transferred normally.

The scenario that reproduces the problem is:

1. Visit site a first: http://192.168.18.2/test.jsp

The code of test.jsp is:
Read the passed ssoinfo in sso.jsp and reversely call the ISMP authentication interface,

Generate a session, then put the specified attribute value, session.setAttribute("ssoUser","lizongbo"); The page then redirects to http://192.168.18.3/iframe.jsp

response.sendRedirect("/iframe.jsp");

When reading the attribute value of ssoUser in session in iframe.jsp, you will find that it cannot be read.
2. If you first visit the page of 192.168.18.3 and then the page of 192.168.18.2, the iframe embedding at this time can pass the generated jsessionid Cookie.

So the solutions are:

a. Add jsessionid to the url.

For example, redirect with response.sendRedirect("/iframe.jsp;jsessionid=lizongbo");
In this case, if the URLs of the other links in the iframe.jsp page do not also carry the jsessionid, the session cannot continue to be passed either, but the href attribute of each hyperlink can be rewritten on the client side with JS to add the jsessionid.

b. Set P3P header information in sso.jsp.
For example: P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Or: P3P: CP="CAO PSA OUR"
The Java code is:
response.addHeader("P3P", "CP=\"CAO PSA OUR\"");
