
Cookie problem when framing a secure page on an insecure page



jeffreyhathaway
04-24-2006, 08:05 PM
A third-party website, non-SSL, is trying to create a page that frames my website, https://www.duat.com, but the session cookie that I generate when the user logs in is getting lost. This appears to be an IE-specific problem; Firefox doesn't have a problem with the cookie. Is there something IE-specific about a non-SSL site hosting a frames page that includes an SSL site? Additional info: if "https://www.duat.com" is added to IE's trusted sites list, the problem goes away. Also, the problem goes away if the secured site hosts the frames page instead of the non-secure site hosting it.

bustamelon
04-24-2006, 08:32 PM
Is it an option for you to use a frame buster? In other words, use JavaScript to break out of any frames that an external site wraps around your site? The code is out there and widely available, if that is useful to you.

jeffreyhathaway
04-24-2006, 08:49 PM
We actually had code in our HTTPS site to keep 3rd parties from framing our site, but we removed it because we WANT this 3rd party to frame us. The problem is that when they do frame us, the session cookie we generate doesn't work, or something about the browser is not using the cookie as it should.

bustamelon
04-24-2006, 08:56 PM
I see. Bummer. Give this a shot: http://support.microsoft.com/default.aspx?scid=kb;en-us;323752


