Last Updated: August 15, 2017
· javier_toledo

Stop your headache with IE and sessions inside iframes in Rails apps

Many IE and Safari versions silently reject any cookie from pages inside an iframe, causing the session to be lost, unless you send P3P headers declaring your app's 'intentions'. This is especially painful if you want to allow users to log in and access your app from a widget on a client's website, which was our case.

If you're working with Rails >3, you may want to use rack-iframe, a Rack middleware that sends the appropriate P3P headers for you when needed, without changing any logic within your app. To use it, just follow these steps:

  1. Add rack-iframe gem to your Gemfile:

    gem 'rack-iframe'

  2. Rebuild your bundle:

    $ bundle install

  3. Add these lines at the top of your config.ru:

    require 'rack/iframe'
    use Rack::Iframe

  4. Forget this problem forever :-)
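
To make concrete what "sending P3P headers" means at the Rack layer, here is an added example. It is not part of the original post and not rack-iframe's source. The names `P3PHeader`, `SAMPLE_POLICY`, `p3p_for` and the sample apps are assumptions, and the policy string is a constructed sample that should be replaced with tokens matching what your app actually does with user data.

```ruby
# Added illustration: a minimal Rack-style middleware that attaches a P3P
# compact-policy header to responses that set cookies.
# Not rack-iframe's code; it only shows the idea behind the header.
class P3PHeader
  # Constructed sample policy (assumption); use tokens that match your real policy.
  SAMPLE_POLICY = 'CP="CAO PSA OUR"'.freeze

  def initialize(app, policy: SAMPLE_POLICY)
    @app = app
    @policy = policy
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Header names are case-insensitive, so compare on a lowercased copy.
    names = headers.keys.map { |k| k.to_s.downcase }
    # Only touch responses that set a cookie and carry no P3P header yet,
    # so a policy set deliberately by the app is never overwritten.
    if names.include?('set-cookie') && !names.include?('p3p')
      headers = headers.merge('P3P' => @policy)
    end
    [status, headers, body]
  end
end

# Constructed downstream apps standing in for a Rails application.
LOGIN_APP = lambda do |_env|
  [200, { 'Set-Cookie' => '_session=abc123; path=/; HttpOnly' }, ['ok']]
end
STATIC_APP = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['ok']] }
PRESET_APP = lambda do |_env|
  [200, { 'Set-Cookie' => '_session=abc123', 'P3P' => 'CP="NOI"' }, ['ok']]
end

# Helper for inspection: run one request through the middleware and
# return the P3P header value (nil when none was added).
def p3p_for(app, env = {})
  _status, headers, _body = P3PHeader.new(app).call(env)
  headers['P3P']
end
```
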

10 Responses


I have a rails site within an iFrame and I was struggling with the session variables being lost between requests. Thank you for explaining the problem and this easy to use solution.

over 1 year ago ·

@bobdutch nice! I'm glad to know that it has been useful for someone else :-)

over 1 year ago ·

I wrote a Facebook application back in 2010 that had this issue, although we wrote the application in CodeIgniter (PHP). I remember stumbling across the P3P headers for IE, but I can't remember if it solved our issue.

Excited to see that implementing in Rails was that simple.

over 1 year ago ·

thank you very much you saved me <3

over 1 year ago ·

It only works in IE but not Safari when I follow the instructions.

over 1 year ago ·

@laysreyleap It works for me flawlessly on Safari, but rack-iframe could perfectly have some undetected bug that needs to be solved. On which versions of OS, Safari and Rails are you experiencing problems?

over 1 year ago ·

I am using Safari 6.0.1 and Rails 3.2.3. The session in iframe cannot get the session from their parents.

over 1 year ago ·

@laysreyleap this solution helps to maintain sessions within an iframe; maintaining the same session inside and outside the iframe simultaneously could be tricky in Safari. Maybe this link helps you with that: http://www.reizbombardement.de/archives/safari-5-1-4-enforces-cookie-policy

over 1 year ago ·

thanks a lot - worked for me too

over 1 year ago ·

Typo in the third step missing '
require 'rack/iframe'

over 1 year ago ·