Friday, September 21, 2018

Single Sign On running on an iFrame Times Out on a Safari Browser


Customer asks why their Single Sign On application that runs in an iFrame times out every time a user attempts to log in using the Safari browser.

This same SSO application works fine in Internet Explorer, Mozilla Firefox and Google Chrome.

 
Safari ships with a conservative cookie policy: by default it only accepts cookies from sites the user has navigated to directly (first-party sites). The rationale is that Safari only wants to store cookies from websites the user actually visits.

As a result, Safari rejects the cookies that iframes try to write. If you load a page from your own site containing an iFrame with a page from another site, that other site is not able to set cookies. Only once the user has visited the other domain directly is that site able to read and change its own cookies. (Example: if you navigate to facebook.com, any attempt to set a cookie from an iFrame that is not under the facebook.com domain will fail.)
 
Since this is in reality a browser issue, these are the workarounds:
1. Enabling cookies
Safari users can turn on a checkbox in the preferences to accept all cookies.
On your Safari Browser > Preferences > Security > Accept All Cookies.
 
2. Rewrite URL
The workaround is that the page that writes the cookies must be loaded as the result of a direct user request. In practice this means that, before writing any cookie, you have to provide a hyperlink (an explicit anchor tag) in your iframe that takes the user to the page that writes the cookie.

Sample Solution:
- Programmatically create and click a link with an href="A.com/setCookie?cache=1231213123" and a target attribute pointing to a hidden iframe. This satisfies Safari's requirement that the cookie-setting page be reached by user navigation.
- Set the cookie via a window.open() - it may not be optimal for you (as you'll have an ugly ass popup window open).
  Details:
  1. User clicks a link from B.com
  2. Popup window opens to A.com/setCookie
  3. A.com sets its cookie, and then redirects to B.com in the proper place
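Both variants of the workaround above, written out as an added example (this is not code from the original post). It keeps the post's names (A.com as the cookie-setting site, B.com as the embedding site, the /setCookie path and the cache parameter); the `return` query parameter, the frame and popup names, and the `isAllowedReturnUrl` check are assumptions. The DOM and window objects are passed in as parameters so the logic can be exercised outside a browser.

```javascript
// Added example: Safari cookie workarounds from the post, with the DOM injected.
// A.com = site that must write the SSO cookie, B.com = site embedding the iframe.

// Build the cookie-setting URL on A.com with a cache-busting parameter so
// Safari never serves a cached response instead of hitting /setCookie.
function buildSetCookieUrl(idpOrigin, cacheBuster, returnUrl) {
  const url = new URL('/setCookie', idpOrigin);
  url.searchParams.set('cache', String(cacheBuster));
  if (returnUrl) {
    // Assumed parameter name: where A.com redirects after writing the cookie.
    url.searchParams.set('return', returnUrl);
  }
  return url.toString();
}

// Variant 1: hidden iframe. Create a hidden frame named `frameName`, then an
// anchor that targets it, and dispatch a click on the anchor. The navigation
// inside the hidden frame is what Safari treats as a user-initiated request,
// so A.com is allowed to write its cookie. `doc` is the Document to use.
function setCookieViaHiddenFrame(doc, idpOrigin, frameName = 'sso-cookie-frame') {
  const frame = doc.createElement('iframe');
  frame.name = frameName;
  frame.style.display = 'none';
  doc.body.appendChild(frame);

  const link = doc.createElement('a');
  link.href = buildSetCookieUrl(idpOrigin, Date.now());
  link.target = frameName;
  doc.body.appendChild(link);
  link.click();
  return { href: link.href, target: link.target };
}

// Variant 2: popup. Open A.com/setCookie in a new window; A.com writes its
// cookie and redirects back to `returnUrl` on B.com. `win` is the Window to
// use (window in a browser). Returns the URL that was opened.
function setCookieViaPopup(win, idpOrigin, returnUrl, popupName = 'sso-cookie-popup') {
  const target = buildSetCookieUrl(idpOrigin, Date.now(), returnUrl);
  win.open(target, popupName);
  return target;
}

// Server-side check A.com should apply before honouring the `return`
// parameter: only redirect to origins on an explicit allowlist, so the
// cookie-setting endpoint cannot be used as an open redirect.
function isAllowedReturnUrl(candidate, allowedOrigins) {
  let parsed;
  try {
    parsed = new URL(candidate);
  } catch (e) {
    return false; // not an absolute URL
  }
  return parsed.protocol === 'https:' && allowedOrigins.includes(parsed.origin);
}

module.exports = { buildSetCookieUrl, setCookieViaHiddenFrame, setCookieViaPopup, isAllowedReturnUrl };
```

In a browser you would call `setCookieViaHiddenFrame(document, 'https://a.example')` or `setCookieViaPopup(window, 'https://a.example', 'https://b.example/sso/done')` from the click handler of the link on B.com, so that the navigation is still tied to a real user gesture. Note that a cookie written for use inside a cross-site iframe must also be sent with the `SameSite=None; Secure` attributes, otherwise current browsers will not attach it to the framed requests regardless of how it was set.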
 
