Session not maintained in iFrame

If your website is sometimes loaded inside an iFrame, you may notice that the session is not maintained: the user logs in inside the iFrame, and as soon as the page reloads they are logged out again. The cause is cookies. Browsers now default to protecting the client's privacy and security, which means that cookies not explicitly marked for cross-site use are not sent with requests made from an iFrame embedded on another site.

How can you check this? Look at which cookies are sent to the server on each request made from the iFrame. If there are none, you have found the source of the issue. In the Chrome Developer Console (Network tab), a request with cookies enabled carries a Cookie request header.

If, on the other hand, the cookies are blocked, you will not find a Cookie header among the request headers at all.

To have cookies sent inside the iFrame, you have to set "SameSite" to "None" in the cookie configuration and, for security reasons, add the "Secure" attribute as well (Chrome also refuses a SameSite=None cookie that is not marked Secure). If you are using Apache, you can place the following in the configuration of the site that is being loaded in the iFrame:

Header edit Set-Cookie: ^(.*)$ $1;Secure;SameSite=None

If you have no access to the site configuration but can use ".htaccess" instead, place it there, with a small change:

Header edit Set-Cookie ^(.*)$ $1;Secure;SameSite=None

This tells the browser that the cookies may be sent even when the site is placed in an iFrame on another website.
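The rewrite that the Apache directive performs, reproduced in Python as an added example (this is not code from the original post): apache_style_edit applies the same regex as "Header edit Set-Cookie ^(.*)$ $1;Secure;SameSite=None", sent_in_cross_site_iframe is the check described above expressed in code, and normalized_edit handles the edge case the directive does not, a cookie that already carries a SameSite or Secure attribute and would otherwise end up with two of them. The function names and the sample cookie values are my own constructions.

```python
"""Check and rewrite Set-Cookie headers for a page that must keep its session in an iframe.

Added example, not code from the original post. It mirrors in Python what the Apache
directive  Header edit Set-Cookie ^(.*)$ $1;Secure;SameSite=None  does to every
Set-Cookie header, and adds the check to run before and after applying it.
All sample header values are constructed for this example.
"""
import re


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into its name=value pair and a dict of attributes.

    Attribute names are lower-cased for lookup; flag attributes such as Secure and
    HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in header_value.split(";")]
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        name, _, value = part.partition("=")
        attrs[name.strip().lower()] = value.strip()
    return parts[0], attrs


def sent_in_cross_site_iframe(header_value):
    """Return True only if a browser will send this cookie from a cross-site iframe.

    That needs SameSite=None *and* Secure: without an explicit SameSite the browser
    defaults to Lax, and Chrome rejects a SameSite=None cookie that lacks Secure.
    """
    _, attrs = parse_set_cookie(header_value)
    return attrs.get("samesite", "").lower() == "none" and "secure" in attrs


def apache_style_edit(header_value):
    """Apply the same regex as the Apache directive: append ';Secure;SameSite=None'.

    A literal translation, so it appends even when the cookie already carries a
    SameSite or Secure attribute and then produces duplicates.
    """
    return re.sub(r"^(.*)$", r"\1;Secure;SameSite=None", header_value)


def normalized_edit(header_value):
    """Rewrite without duplicates: drop any existing Secure/SameSite, then append."""
    parts = [p.strip() for p in header_value.split(";")]
    kept = [parts[0]]
    for part in parts[1:]:
        if not part:
            continue
        name = part.split("=", 1)[0].strip().lower()
        if name not in ("secure", "samesite"):
            kept.append(part)
    return "; ".join(kept + ["Secure", "SameSite=None"])


def audit(set_cookie_headers):
    """Report, per cookie name, whether the cookie survives inside a cross-site iframe."""
    report = {}
    for header in set_cookie_headers:
        name_value, _ = parse_set_cookie(header)
        cookie_name = name_value.split("=", 1)[0].strip()
        report[cookie_name] = sent_in_cross_site_iframe(header)
    return report


if __name__ == "__main__":
    # Constructed samples: a PHP session cookie and a cookie already marked Lax.
    samples = [
        "PHPSESSID=abc123; Path=/; HttpOnly",
        "prefs=dark; Path=/; SameSite=Lax",
    ]
    print("before:", audit(samples))
    print("after: ", audit([normalized_edit(h) for h in samples]))
    # The literal directive leaves the Lax cookie with two SameSite attributes:
    print(apache_style_edit(samples[1]))
```

Run audit on the Set-Cookie headers your server actually emits (copied from the Developer Console) before and after the change; a cookie reported False is the one the iFrame loses. Bear in mind that SameSite=None deliberately removes the cross-site isolation the browser gave you by default, so the security notice below applies to every cookie you rewrite this way.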

Important – security notice!

Please note that cookies are blocked in iFrames for security reasons. A website that allows itself to be placed in an iFrame can become the victim of a clickjacking attack. Be aware of this and plan accordingly; for instance, you can disallow certain actions when the page is loaded inside an iFrame.
