  1. Facebook apps (iframes) and third party cookies
    I have a Rails app that runs inside of Facebook as an iframe. I use the Koala gem for FB communication (also the JS SDK for some parts) and Devise as the authentication base.

    For some time I've been seeing some problems related to the fact that the app runs inside an iframe, so third party cookies cannot be set. For IE I use a P3P header, which has mitigated the problem somehow.

    But the whole thing is very confusing. I'm on Snow Leopard.

    For example:

    - With Safari 5.1.1 I have set "Block cookies from third parties and advertisers." The application works OK and it can be used with no problems.
    - With Chrome 5.0.874 (very recent update) the option "Block third-party cookies from being set" was checked, so the two main cookies that my app sets (app cookie and fbs_xxxx cookie) cannot be set, and the app does not work since the user needs to authenticate all the time.
    - With Opera 11.52 there is no reference to third party cookies and the browser is set to "accept cookies only from the sites I visit". My app works OK with that setting.
    - With Firefox 7.0.1 my app works, but I just couldn't find any setting that deals with cookies. Just to delete them.

    So apparently my problem is with Chrome, but the same setting works with Safari. So I'm really confused.

    Is asking the user to allow third party cookies the only solution to this problem?

    Thanks.

    UPDATE ON MY CURRENT WORKING SOLUTION

    I did some extra research and tests. I did try to use Rails' alternative methods of session storage. By default sessions are stored in a cookie, but you can store session data in memory, a DB, etc. But it is not enough, because it still uses a cookie with a pointer to the alternative storage you select.

    In the end I set some info in the URL that allows me to find the identity of the current logged in user, get the user and manually sign in that user with Devise's sign_in method. I don't like it too much, but now I can block third party cookies and it still works. I will later on make a change and, instead of having the real info there, I will have a key to a memcached entry from where I'll get the user (previously set); after all, only my app should have access to that memcached server.

    Thanks.
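
The memcached-key variant mentioned in the update, sketched as an added example (not the poster's code): the URL carries a random, short-lived key that is rotated on every use, never the user's identity itself. The class name `UrlSessionTokens`, the 300-second lifetime and the in-process Hash standing in for memcached are assumptions.

```ruby
require 'securerandom'

# Hypothetical stand-in for the memcached server from the post: an in-process
# Hash with per-entry expiry. A real app would use a memcached client instead.
class UrlSessionTokens
  TTL_SECONDS = 300 # assumed lifetime; keep it short, URLs leak easily

  def initialize(clock: -> { Time.now.to_f })
    @clock = clock   # injectable so expiry can be tested
    @entries = {}
  end

  # Issue an opaque, unguessable key (256 bits of randomness) to put in the
  # URL in place of anything that identifies the user.
  def issue(user_id)
    token = SecureRandom.urlsafe_base64(32)
    @entries[token] = { user_id: user_id, expires_at: @clock.call + TTL_SECONDS }
    token
  end

  # Resolve a key taken from the URL. Returns [user_id, fresh_token], or nil
  # when the key is malformed, unknown, already used or expired.
  # Each key works once, so a URL that ends up in a Referer header, browser
  # history or a proxy log cannot be replayed to sign in as that user.
  def redeem(token)
    return nil unless token.is_a?(String) && token.match?(/\A[A-Za-z0-9_-]{43}\z/)

    entry = @entries.delete(token)
    return nil if entry.nil? || entry[:expires_at] < @clock.call

    [entry[:user_id], issue(entry[:user_id])]
  end
end

if __FILE__ == $PROGRAM_NAME
  store = UrlSessionTokens.new
  first = store.issue(42)                 # constructed sample user id
  user_id, rotated = store.redeem(first)  # controller would call sign_in here
  puts "user #{user_id}, next key #{rotated[0, 8]}..., replay: #{store.redeem(first).inspect}"
end
```

In a controller, the user id returned by `redeem` would be loaded and passed to Devise's `sign_in`, and the fresh key embedded in the links of the rendered page.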
 
