Stop your headache with IE and sessions inside iframes in Rails apps
Many IE and Safari versions silently reject any cookie from pages inside an iframe, so the session is lost unless you send P3P headers declaring your app's 'intentions'. This is especially painful if you want to allow users to log in and access your app from a widget on a client's website, which was our case.
If you're working with Rails >3, you may want to use rack-iframe, a Rack middleware which sends the appropriate P3P headers for you when needed without changing any logic within your app. To use it, just follow these steps:
- Add the rack-iframe gem to your Gemfile:

    gem 'rack-iframe'

- Rebuild your bundle:

    $ bundle install

- Add these lines at the top of your config.ru:

    require 'rack/iframe'
    use Rack::Iframe

Forget this problem forever :-)
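
To show what a P3P-sending Rack middleware does to a response, here is an added example (not rack-iframe's source and not from the original post). The class name `P3PHeader`, the two sample apps and the compact-policy string are constructed assumptions; declare the tokens that match your real privacy policy.

```ruby
# Added illustration: a Rack middleware that attaches a P3P compact-policy
# header to every response unless the app already set one.
class P3PHeader
  # Assumption: placeholder policy, not a recommendation.
  DEFAULT_POLICY = 'CP="CAO PSA OUR"'.freeze

  def initialize(app, policy: DEFAULT_POLICY)
    @app = app
    @policy = policy
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers = headers.dup
    # Header names are case-insensitive, so look for any spelling of "P3P"
    # before adding ours; an app-specific policy must not be clobbered.
    unless headers.keys.any? { |name| name.to_s.casecmp?('p3p') }
      headers['p3p'] = @policy
    end
    [status, headers, body]
  end
end

# Constructed sample app: sets a session cookie, as a Rails app in an iframe would.
SESSION_APP = lambda do |_env|
  [200,
   { 'content-type' => 'text/html',
     'set-cookie' => '_session_id=abc123; path=/; HttpOnly' },
   ['widget']]
end

# Constructed sample app that already declares its own policy.
CUSTOM_POLICY_APP = lambda do |_env|
  [200, { 'P3P' => 'CP="NOI"' }, ['widget']]
end

# Runs one constructed GET request through the middleware and returns the headers.
def response_headers(app)
  env = { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/' }
  _status, headers, _body = P3PHeader.new(app).call(env)
  headers
end
```

Calling `response_headers(SESSION_APP)` is a quick way to confirm the header rides along with the `set-cookie` line, which is the same thing to look for in the browser's network inspector after installing the gem.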
Written by Javier Toledo
10 Responses
I have a rails site within an iFrame and I was struggling with the session variables being lost between requests. Thank you for explaining the problem and this easy to use solution.
@bobdutch nice! I'm glad to know that it has been useful for someone else :-)
I wrote a Facebook application back in 2010 that had this issue, although we wrote the application in CodeIgniter (PHP). I remember stumbling across the P3P headers for IE, but I can't remember if it solved our issue.
Excited to see that implementing in Rails was that simple.
thank you very much you saved me <3
It only works in IE but not in Safari when I follow the instructions.
@laysreyleap It works for me flawlessly on Safari, but rack-iframe could perfectly have some undetected bug that needs to be solved. On which versions of OS, Safari and Rails are you experiencing problems?
I am using Safari 6.0.1 and Rails 3.2.3. The session in the iframe cannot get the session from its parent.
@laysreyleap this solution helps to maintain sessions within an iframe; maintaining the same session inside and outside the iframe simultaneously could be tricky in Safari. Maybe this link helps you with that: http://www.reizbombardement.de/archives/safari-5-1-4-enforces-cookie-policy
thanks a lot - worked for me too
Typo in the third step missing '
require 'rack/iframe'