Is there something a site can do to incorporate third party cookies

5

6

I work for an e-commerce site. Part of what we do is to offer customized items to some clients. Recently some non-technical management promised that we could incorporate our check-out process into one such client's website. The only way we've figured out how to do this is by using an iframe (I know, I don't like it either). The issue is that most customers of this site are unable to check out because we use cookies to determine which custom items to display. Browsers are recognizing our cookies as third party and almost everybody has third party cookies turned off, as they should. I'm going to be shocked if the answer is yes, but is there any workaround for this? I.e., can the site hosting our iframe somehow supply the necessary cookie?

Kreutzer answered 6/9, 2013 at 18:35 Comment(0)
11

Try an invisible, interstitial page.

Essentially the hosting site would issue a redirect to a site within your domain, which is then free to set cookies (because at this point it is actually the first party). Then your site immediately redirects back to the hosting site. At this point your newly-created cookies will be invisible to the hosting site but visible to your iFramed page henceforth.

Unfortunately the hosting site will have to do this every time a cookie is to be updated but the double-redirect can happen so quickly they'll hardly notice. Hopefully your system only needs the cookies to be set once.

Plain answered 24/9, 2013 at 10:34 Comment(1)
I'm banging my head into the desk for not thinking of this. Thank you so much. – Kreutzer
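The interstitial hop described in the answer above, sketched as an added example (not code from any poster in this thread). It shows the two checks the hop needs so that it does not become an open redirect or a way to plant arbitrary cookie attributes. The partner host name, the `catalog` and `return` parameter names and the cookie name are assumptions; `SameSite=None; Secure` is included because the cookie has to be sent inside a cross-site iframe, as the Chrome v80 answer further down mentions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumptions for this sketch (none of these names come from the thread):
ALLOWED_RETURN_HOSTS = {"shop.partner.example"}   # hosting sites allowed to embed us
COOKIE_NAME = "custom_catalog"                    # cookie that selects the custom items
VALUE_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")     # shape of a valid cookie value


def safe_return_url(url):
    """Return True only for an https URL on an allowlisted hosting site."""
    # Backslashes and control characters are parsed differently by browsers
    # and by urlsplit, so reject them before parsing.
    if any(c == "\\" or ord(c) < 0x21 or ord(c) == 0x7F for c in url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:          # e.g. malformed IPv6 literal
        return False
    # .hostname is the part after any "user@" prefix, lower-cased, without port.
    return parts.scheme == "https" and parts.hostname in ALLOWED_RETURN_HOSTS


def interstitial_response(query_string):
    """Build (status, headers) for the first-party hop of the double redirect."""
    params = parse_qs(query_string, keep_blank_values=True)
    value = params.get("catalog", [""])[0]
    return_to = params.get("return", [""])[0]

    # Without these checks the page is an open redirect and lets any site
    # plant arbitrary cookie attributes via the query string.
    if not VALUE_RE.fullmatch(value) or not safe_return_url(return_to):
        return 400, []

    cookie = f"{COOKIE_NAME}={value}; Path=/; Secure; HttpOnly; SameSite=None"
    return 302, [
        ("Set-Cookie", cookie),          # set while our domain is the top-level page
        ("Location", return_to),         # bounce straight back to the hosting site
        ("Cache-Control", "no-store"),
    ]


if __name__ == "__main__":
    qs = "catalog=acme-custom&return=https%3A%2F%2Fshop.partner.example%2Fcheckout"
    print(interstitial_response(qs))
```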
1

Instead of using a cookie, pass the information in each URL request as name/value pairs.

It is a bit of a pain to add the name/value to every URL... I know... oh well... it will work.

Incardination answered 24/9, 2013 at 13:17 Comment(0)
0

I'm going to be shocked if the answer is yes, but is there any workaround for this? I.e., can the site hosting our iframe somehow supply the necessary cookie?

Your iframed page itself, which is the third party in this scenario, could send a P3P Cookie Policy header – some browsers then accept third-party cookies by default, whereas others (mainly Safari) will not be convinced to do so at all if not by the user manipulating the default settings themselves.

What you could also do is pass the session id not (only) by cookie, but as a GET or POST parameter as well – e.g. under PHP this can be done quite easily by configuring the session options. You should consider if that’s worth the slightly increased risk of session stealing.

Boarish answered 17/9, 2013 at 14:22 Comment(1)
Thanks for the suggestion, but Safari is actually our #1 browser, so the cookie policy header is out. Also, the system using cookies is so ingrained that incorporating GET or POST would mean shutting down and overhauling a very large portion of our code, which I can't do. – Kreutzer
0

The interstitial page solution should work but it might be a lot of trouble for your hosting site, so here's another solution that will allow you to work cookieless.

Write an HttpModule that responds to the BeginRequest event, reads the querystring, and inserts corresponding cookie headers into the Context.HttpRequest object (Note: you can't use AddCookie, you have to use AddHeader, because cookies added by a module directly are disposed of before they hit your application proper). That way the hosting site can simply issue a request (within the iFrame) that contains the necessary value in the querystring, the module will convert it into a cookie (that only exists in memory, not on the wire), and your application will be deceived into thinking that there's a cookie there. No code changes required, you just need to add the module in web.config.

This only works if you are using IIS 7.0+ in integrated pipeline mode. If you're on an earlier version of IIS or if you have to run in classic mode, you'll need an ISAPI filter instead.

Plain answered 24/9, 2013 at 13:3 Comment(0)
-1

Ryan, John: for the Chrome v80 update with SameSite flags, we want to set samesite=none;secure for the site hosting our iframe and somehow supply the necessary samesite=none;secure cookie. We have an Apache 2.2 and Tomcat 6 setup, so we would appreciate a solution and advice on how to make it work. Currently with the flag enabled the iFrame is not punching out successfully. Thanks

Mercado answered 7/2, 2020 at 8:1 Comment(0)
