Safari: cross-domain cookies

The default behavior of Safari is to only accept cookies from sites that you visit. This excludes third-party cookies. Safari treats the page inside an iframe as a third-party site. A cookie is set when the user interacts with the iframe (by clicking a link, for example).

There are several solutions to set a third-party cookie without the need for a user interaction. One solution which I tested and found working is:

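  $(function() {
    // Chrome and other WebKit-derived browsers also put "Safari" in their
    // user agent string, so exclude them explicitly.
    var ua = navigator.userAgent;
    var isSafari = /Safari/.test(ua) && !/Chrome|Chromium/.test(ua);

    // Workaround to set cookie in iframe (Safari)
    // The PHP expression prints 'true' until $_SESSION['safari_session'] is 1.
    if (isSafari && <?= (isset($_SESSION['safari_session']) && $_SESSION['safari_session'] == 1) ? 'false' : 'true' ?>) {
      // The markup passed to append() is missing from this page. The string
      // below is a reconstruction from the ids used in this script;
      // THIRD_PARTY_SESSION_URL is a placeholder, not a value from the post.
      $("body").append(
        '<iframe id="sessionframe" name="sessionframe" style="display:none"></iframe>' +
        '<form id="sessionform" method="post" target="sessionframe" action="THIRD_PARTY_SESSION_URL"></form>'
      );

      // Submit only after the form and iframe exist in the DOM.
      $('#sessionframe').ready(function() {
        $("#sessionform").submit();
        // Reload once the request has had time to complete.
        window.setTimeout(processApplication, 1000);
      });

      function processApplication() {
        window.location.reload();
      }
    }
  });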

If you want to start a PHP session, the default behavior of PHP is to store the session ID in a cookie. To have the session ID added to the URL instead, use:

  ini_set('session.use_cookies', 0);
  ini_set('session.use_only_cookies', 0);
  ini_set('session.use_trans_sid', 1);

For security purposes you should limit the session ID to the IP address that created the session. This is not perfectly secure, though, as someone with the same IP address (e.g. behind a proxy) could reuse that very same session. Also, IP addresses can change when travelling around with a wireless card, and a lot of people using the internet get a new IP address every 24 hours.
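The IP binding described above, as an added example that is not code from the original post. The `bound_ip` key and both function names are hypothetical, `session.use_strict_mode` is an extra setting not mentioned on this page, and PHP's default file-based session handler is assumed.

```php
<?php
// Added example: bind a URL-carried PHP session to the address that created it.
// 'bound_ip' and the function names are hypothetical, not from the original post.

ini_set('session.use_cookies', '0');
ini_set('session.use_only_cookies', '0');
ini_set('session.use_trans_sid', '1');
ini_set('session.use_strict_mode', '1'); // refuse IDs the server never issued

// True only when the session was created from this exact client address.
function session_ip_matches(array $session, string $remoteAddr): bool
{
    return isset($session['bound_ip'])
        && is_string($session['bound_ip'])
        && $remoteAddr !== ''
        && hash_equals($session['bound_ip'], $remoteAddr);
}

function start_ip_bound_session(string $remoteAddr): void
{
    session_start();

    if (!isset($_SESSION['bound_ip'])) {
        // Fresh session: remember the address that created it.
        $_SESSION['bound_ip'] = $remoteAddr;
        return;
    }

    if (!session_ip_matches($_SESSION, $remoteAddr)) {
        // The ID arrived from another address (a copied URL, a Referer
        // header, or the owner's own address having changed). Leave the
        // stored session intact for its owner and move this request to a
        // new, empty session under a new ID.
        session_regenerate_id(false);
        $_SESSION = ['bound_ip' => $remoteAddr];
    }
}

// REMOTE_ADDR is the directly connected peer. Behind a reverse proxy it is
// the proxy's address, so all clients of that proxy share one value.
start_ip_bound_session($_SERVER['REMOTE_ADDR'] ?? '');
```

A user whose address changes mid-session is treated like any other mismatch and starts over with an empty session, which is the trade-off the paragraph above describes.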

You may also be interested in creating your own session handling function (in conjunction with a database). You would ignore the session ID, and bind it to the IP address. (See the examples on PHP.net.)

