Cookies and Iframes
--
It’s been a while since the last time you had the pleasure of having your application consumed from an Iframe. But some legacy application “needs” to do exactly that. You test the “integration” and it doesn’t work: the cookies for the requests made by the Iframe don’t make their way to the server.
Sounds familiar? It happened to me some time ago and it took some digging around to understand and diagnose the problem. This kind of scenario used to work without problems, but now, with modern browsers, you need to do a couple of things to make your iframed stuff work properly.
Solution
When I bump into this kind of problem I usually appreciate finding a post that offers a solution as fast as possible so here it goes:
Set-Cookie: session=your_session; SameSite=None; Secure
You need to set your cookie with the attribute SameSite=None and also include the attribute Secure.
In Spring Boot
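As an added example (not code from the original post), here is one way to get both the container-managed session cookie and an application-set cookie to carry SameSite=None; Secure in a Spring Boot application running on embedded Tomcat. The cookie name `session` and the `/login` endpoint are assumptions for illustration.

```java
// Added example: emit "SameSite=None; Secure" cookies from Spring Boot on embedded Tomcat.
import org.apache.tomcat.util.http.Rfc6265CookieProcessor;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseCookie;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
public class IframeCookieConfig {

    // Container-managed cookies (e.g. JSESSIONID): tell Tomcat to append SameSite=None
    // to every cookie it serialises.
    @Bean
    public WebServerFactoryCustomizer<TomcatServletWebServerFactory> sameSiteNone() {
        return factory -> factory.addContextCustomizers(context -> {
            Rfc6265CookieProcessor processor = new Rfc6265CookieProcessor();
            processor.setSameSiteCookies("None");
            context.setCookieProcessor(processor);
        });
    }
}

@RestController
class LoginController {

    // Application-managed cookie (hypothetical endpoint): build the header from the
    // solution above explicitly, so nothing depends on container defaults.
    @GetMapping("/login")
    public ResponseEntity<String> login() {
        ResponseCookie cookie = ResponseCookie.from("session", "your_session")
                .sameSite("None")   // allow the cookie on cross-site (iframe) requests
                .secure(true)       // browsers reject SameSite=None without Secure
                .httpOnly(true)     // keep it out of reach of page scripts
                .path("/")
                .build();
        // Produces a header of the form:
        // Set-Cookie: session=your_session; Path=/; Secure; HttpOnly; SameSite=None
        return ResponseEntity.ok()
                .header(HttpHeaders.SET_COOKIE, cookie.toString())
                .body("logged in");
    }
}
```

The Secure flag on Tomcat's own session cookie comes from `server.servlet.session.cookie.secure=true` in application.properties; Spring Boot 2.6 and later also accept `server.servlet.session.cookie.same-site=none`, which makes the customizer bean unnecessary.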
Understanding the problem
Now, with the problem already solved, we can use a couple of minutes to understand what we have just done.
First-party and Third-party cookies
Cookies that match the domain of the current site are referred to as first-party cookies. Cookies from domains other than the current site are referred to as third-party cookies.
For a long time, both kinds of cookies were treated equally: every time you requested a URL, all the cookies for that URL were sent with the request. There are a variety of problems associated with this behavior:
- Allows Cross-site request forgery (CSRF) attacks.
- Adds overhead to the request, sending potentially unneeded stuff.
- Can be used to track user activity across multiple sites.