Facebook Iframe App with multiple pages in Safari Session Variables not persisting

I have a facebook Iframe application with multiple PHP pages in it.

I have some links that point relatively to the files inside my "iframe folder".

Having some issues with session variables inside the iframe. I set some session variables but they do not persist from one page to another.

This does work on other browsers.

I've been reading that Safari does not support Cross-Domain cookies and this might be the problem , but im not sure how to fix this.

Any help?


Solution 1:

I believe this solution has become obsolete with the latest (6.0 and later) versions of Safari.

Safari by default does not allow cookies to be set from third parties. This affects Facebook iframe applications because the user is accessing a page served from apps.facebook.com but the iframe is being served from yourdomain.com, the "third party" in this case.

There are several several solutions mentioned around the web. The best I've found and one recommended by Facebook in its list of miscellaneous issues is to fake a POST request to yourdomain.com using JQuery. This solution detailed by Anant Garg works in general for different host/iframe domains and needs to be adapted for Facebook apps. The key parts are:

$("body").append('
 <iframe id="sessionframe" name="sessionframe" onload="submitSessionForm()" src="http://www.yourdomain.com/blank.php" style="display:none;"></iframe>
 <form id="sessionform" enctype="application/x-www-form-urlencoded" 
   action="http://www.yourdomain.com/startsession.php"
   target="sessionframe" method="post"></form>');
var firstTimeSession = 0;
function submitSessionForm() {
  if (firstTimeSession == 0) {
    firstTimeSession = 1;
    $("#sessionform").submit();
  }
}

Another solution by Will Henderson is to instrument each link on your page with session information using a Javascript function. Then modify your server code to capture this session information by reading it from GET parameters.

Solution 2:

I wrote the blog post Dominic refers to in his answer.

The problem is that the default behavior of Safari is to only accept cookies from sites that you visit. This excludes "third party" cookies. Safari treats the page inside an IFRAME as a third-party site, and until you interact with that content (by clicking a link, for example), it will refuse those cookies.

Your PHP code needs to set a cookie on the first page that uses the session in order for that session to persist from one page to another, but if the session variables are in the very first page in the IFRAME, you have a chicken-and-egg problem.

My solution is to retain all of the special Facebook parameters through to the second page loaded into the IFRAME. Because you've interacted with it, cookies set on the second page will persist, and this allows your PHP code to keep whatever state it needs to communicate back to Facebook.

This won't likely help your PHP session, though, so I suggest adding another parameter to links on the first page that allows the second page to look the session up, or otherwise recreate it.

Solution 3:

I think the best solution is to manually keep track of the session ID i.e. by using session_id($_GET['session]); Just make sure you do this before calling session_start(); and everything works.

Solution 4:

Safari accepts cookies only from the page the user navigates to. The easiest and most effective way to fix this is to redirect the request from landing page of your canvas app to a different page on your domain using top.location.href and redirect the user back to the canvas app from that page.

For example, if abc.php is your landing page and the canvas URL is facebook.com/abc. First redirect the request from abc.php to a different page like xyz.php then redirect again from xyz.php to facebook.com/abc. Don't forget to start the session in xyz.php.

This is the simple fix...