Facebook apps (iframes) and third party cookies

I have a Rails app that runs inside of Facebook as an iframe. I use the Koala gem for FB communication (also the JS SDK for some parts) and Devise as authentication base.

For some time I've been seeing some problems with the fact that the app runs inside an iframe, so third party cookies cannot be set. For IE I use a P3P header which has mitigated the problem somehow.

But the whole thing is very confusing. I'm on Snow Leopard.

For example:

  • With Safari 5.1.1 I have set "Block cookies from third parties and advertisers." The application works ok and it can be used with no problems.

  • With Chrome 5.0.874 (very recent update) the option "Block third-party cookies from being set" was checked so the two main cookies that my app sets (app cookie and fbs_xxxx cookie) cannot be set so the app does not work since the user needs to authenticate all the time.

  • With Opera 11.52 there is no reference to third party cookies and the browser is set to "accept cookies only from the sites I visit". My app works ok with that setting.

  • With Firefox 7.0.1 my app works but I just couldn't find any setting that deals with cookies. Just to delete them.

So apparently my problem is with Chrome but the same setting works with Safari. So I'm really confused.

Is asking the user to allow third party cookies the only solution to this problem?

Thanks.

UPDATE ON MY CURRENT WORKING SOLUTION

I did some extra research and tests. I did try to use Rails' alternative methods of session storage. By default they are stored in a cookie but you can store session data in memory, db, etc. But it is not enough because it still uses a cookie with a pointer to the alternative storage you select.

In the end I set some info in the URL that allows me to find the identity of the current logged in user, get the user and manually sign in that user with Devise's sign_in method. I don't like it too much but now I can block third party cookies and it still works. I will later on make a change and instead of having the real info there I will have a key to a memcached entry from where I'll get the user (previously set), after all only my app should have access to that memcached server.

Thanks.


If cookies cannot be set, set the session ID at the end of the URL.
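The plan from the question's update (a URL key pointing at a server-side entry) and the session-ID-in-URL suggestion above, sketched as an added example that is not part of the original posts. `TokenStore`, `UrlSession`, the `urlsess:` key prefix and the 15-minute TTL are assumptions, and the in-memory hash stands in for memcached.

```ruby
require "securerandom"

# Stand-in for the memcached server from the question (hypothetical class);
# a real memcached client would enforce the per-key expiry itself.
class TokenStore
  def initialize(clock: -> { Time.now.to_f })
    @entries = {}
    @clock = clock
  end

  def write(key, value, ttl:)
    @entries[key] = [value, @clock.call + ttl]
  end

  def read(key)
    value, expires_at = @entries[key]
    return nil if value.nil?
    return value if @clock.call < expires_at
    @entries.delete(key) # expired: drop it so it can never resolve again
    nil
  end

  def delete(key)
    @entries.delete(key)
  end
end

# Maps an opaque URL parameter to a user id that is held only on the server.
class UrlSession
  TTL = 15 * 60                      # seconds; assumed value
  FORMAT = /\A[A-Za-z0-9_-]{43}\z/   # 32 random bytes as URL-safe base64

  def initialize(store)
    @store = store
  end

  # Call only after the Facebook identity has been verified server-side.
  def issue(user_id)
    token = SecureRandom.urlsafe_base64(32)
    @store.write("urlsess:#{token}", user_id, ttl: TTL)
    token
  end

  # Returns the user id, or nil for malformed, unknown or expired tokens.
  def resolve(token)
    return nil unless token.is_a?(String) && token.match?(FORMAT)
    @store.read("urlsess:#{token}")
  end

  def revoke(token)
    @store.delete("urlsess:#{token}") if token.is_a?(String)
  end
end
```

A token carried in the URL still ends up in Referer headers, server logs and browser history, which is why the entry expires quickly and `revoke` should run on logout. In the Rails app, the id returned by `resolve` is what would be handed to Devise's `sign_in`.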


Firefox has a rather non-intuitive placement of the cookie settings. Go to Tools->Options->Privacy and select "Use custom settings for history" from the drop-down box and the cookie settings will then appear. But they will "disappear" again if you have them set at the default values.

There are large inconsistencies in both the definition and handling of third-party cookies (for example in Firefox the prohibition is not only about setting cookies but also reading them). For this reason I would recommend, if at all possible, eliminating any reliance on cookies. It's already hard enough to tell users they must enable something that sounds insecure (let alone providing all the different instructions on how to do it for each browser) and it's just going to get worse as browsers continue to tighten up their default settings. Unfortunately all the standard libraries seem to want to use cookies by default so it's not an easy task, but if you are just starting to program your app I think it will be worth it to try and find a cookieless way of doing things right off the bat.
