oliverbusk

Log in via iFrame not working (SameSite)

I have a Laravel application with Filament v3. When I try to log in to the application via the domain name directly, everything works fine. However, when I try to log in via an iFrame, it just reloads the login page and nothing further happens.

I have set the following in my ENV:

SESSION_SAME_SITE=none

Further, when I check the network tab, it shows that it is only the XSRF-TOKEN that applies the "SameSite = None":


LaryAI

The issue you're encountering is related to the SameSite attribute of cookies, which is designed to prevent cross-site request forgery (CSRF) attacks. When you set SESSION_SAME_SITE=none, it should allow cookies to be sent in all contexts, including cross-site requests, which is necessary for iFrames. However, there are a few additional steps you might need to take to ensure everything works correctly.

Here are the steps to resolve the issue:

  1. Ensure Secure Cookies: When setting SameSite=None, the cookies must also be marked as Secure. This means they will only be sent over HTTPS connections. Make sure your application is served over HTTPS.

  2. Update Session Configuration: In your config/session.php file, ensure that the same_site attribute is set to none and the secure attribute is set to true.

  3. Check Middleware: Ensure that your middleware is not overriding these settings.

Here is an example of what your config/session.php should look like:

return [

    // Other session configuration...

    // SameSite=None is only honoured together with Secure (HTTPS-only cookie).
    'secure' => env('SESSION_SECURE_COOKIE', true),

    // 'none' allows the session cookie to be sent when the app is framed cross-site.
    'same_site' => env('SESSION_SAME_SITE', 'none'),

];
  4. Set the Environment Variables: Ensure your .env file has the correct settings:

SESSION_SECURE_COOKIE=true
SESSION_SAME_SITE=none

  5. Clear Configuration Cache: After making these changes, clear your configuration cache to ensure the new settings are applied:

php artisan config:cache

  6. Check Browser Console for Errors: Sometimes, browsers will provide more detailed information about why a cookie is being blocked. Check the console for any warnings or errors related to cookies.

  7. Cross-Origin Resource Sharing (CORS): Ensure that your CORS settings are correctly configured to allow requests from the domain hosting the iFrame. You can configure CORS in your app/Http/Middleware/HandleCors.php or in the config/cors.php file.

Here is an example of a permissive CORS configuration in config/cors.php:

return [

    'paths' => ['api/*', 'sanctum/csrf-cookie'],

    'allowed_methods' => ['*'],

    // With supports_credentials, Laravel's CORS middleware reflects whichever
    // Origin makes the request; list the embedding site's origin here instead of '*'.
    'allowed_origins' => ['*'],

    'allowed_origins_patterns' => [],

    'allowed_headers' => ['*'],

    'exposed_headers' => [],

    'max_age' => 0,

    // Required so the browser sends cookies on cross-origin requests.
    'supports_credentials' => true,

];
  8. Check for Other Middleware: Ensure that no other middleware is interfering with the session or cookie settings.

By following these steps, you should be able to resolve the issue with logging in via an iFrame. If the problem persists, consider checking the server logs and browser console for more detailed error messages that could provide further insights.
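To check which cookies a browser will actually send inside a cross-site iFrame, here is an added Python check (not code from this thread or from Laravel) that parses the Set-Cookie headers of a response and flags every cookie that lacks SameSite=None together with Secure; the three header lines are constructed to mirror the symptom in the question, where only XSRF-TOKEN carries SameSite=None.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed Set-Cookie lines mirroring the question: only XSRF-TOKEN carries
# SameSite=None, while the session cookie still defaults to lax.
SAMPLE_HEADERS = [
    "XSRF-TOKEN=t1; expires=Tue, 01 Jan 2030 00:00:00 GMT; Max-Age=7200; path=/; secure; samesite=none",
    "laravel_session=s1; expires=Tue, 01 Jan 2030 00:00:00 GMT; Max-Age=7200; path=/; httponly; samesite=lax",
    "remember_web=r1; path=/; samesite=none",  # None without Secure: rejected outright
]

@dataclass
class CookieAudit:
    name: str
    same_site: Optional[str]
    secure: bool
    http_only: bool
    cross_site_ok: bool  # True only if a browser will send it inside a cross-site iframe
    reason: str

def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value and judge its cross-site behaviour."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() or None  # bare flags map to None
    raw = attrs.get("samesite")
    same_site = raw.lower() if raw else None
    secure, http_only = "secure" in attrs, "httponly" in attrs
    if same_site == "none" and secure:
        ok, reason = True, "SameSite=None; Secure: sent in cross-site iframes"
    elif same_site == "none":
        ok, reason = False, "SameSite=None without Secure: browser discards the cookie"
    elif same_site is None:
        ok, reason = False, "no SameSite: Chromium defaults to Lax, withheld in iframes"
    else:
        ok, reason = False, f"SameSite={same_site}: withheld in cross-site iframes"
    return CookieAudit(name, same_site, secure, http_only, ok, reason)

def audit(headers: List[str]) -> Dict[str, CookieAudit]:
    # One audit record per Set-Cookie header, keyed by cookie name.
    return {c.name: c for c in map(parse_set_cookie, headers)}

def blocked_cookies(headers: List[str]) -> List[str]:
    # Cookies that will not reach the app when it is framed cross-site.
    return [c.name for c in audit(headers).values() if not c.cross_site_ok]

if __name__ == "__main__":
    for c in audit(SAMPLE_HEADERS).values():
        print(f"{c.name:16} {'OK ' if c.cross_site_ok else 'BAD'} {c.reason}")
```

Paste the raw Set-Cookie lines from the login response (the network tab shows them) into audit() to confirm that laravel_session, not only XSRF-TOKEN, carries both attributes; if it does not, the cached config rather than the .env file is usually what is being served.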
