
Naoca's avatar
Level 3

Setting session information in iFrame on Safari on iOS stopped working?

We have an application with a PIN-secured page where the user enters a PIN number and if it matches we set a session hash. The page is then refreshed and the auth page is bypassed when the hash is detected on the session.

This seems to work fine in every situation except when we display the page in an iFrame in Safari on iOS 13.

Does anyone know why the session hash wouldn't be getting set properly in this particular environment?

0 likes
7 replies
Naoca's avatar
Level 3

Thanks for the tip - that's highly likely to be related somehow.

Basically what we do is load an "embed" page in an iFrame and then POST the PIN through an AJAX request to our server to validate. If that is validated we return a 200 response and the script in the iFrame performs a location.reload().

Normally that works great, because when it's reloaded the "embed" page will perform a check for a hash on reload and if the user has previously successfully validated the PIN it just loads the authorized view rather than the PIN entry page, but that's not happening on Safari.

I've chucked some debug logging on our server and it looks as though a new session ID is being generated on every iFrame reload where every other browser retains its session ID. I can't seem to find too much info on the Safari change other than the 1 line in their Changelog, so I'm not sure how the "navigation" change is preventing session IDs from being retained in the iFrame.

Tray2's avatar

I would suggest you go with another solution than an iframe since it makes interactions with the loaded content much harder and some things might even be impossible to do. Not to mention that it uses up loads of memory.

I would use a custom middleware for the pages needed to be behind a pin or just remove that feature and give the user that needs access to those pages access.

Naoca's avatar
Level 3

@tray2 I couldn't agree more, but unfortunately the fact that the iFrame is provided by a separate application which isn't tightly integrated with the primary application makes it difficult to come up with a quick alternative. Also, the fact that it works on every device and browser less Safari on iOS is really frustrating. To have to potentially re-engineer a solution that's worked well for over a year because of one change by a vendor is ... less than ideal.

I'm trying a couple of server-side hacks, but if you've got any suggestions I'm pretty desperate!

1 like
Naoca's avatar
Level 3

Just a quick update on this one - I've now had a chance to test the application in Safari on a MacBook and Safari on an iPhone X. Here are my findings:

  1. On the MacBook, Safari doesn't work unless "Prevent cross-site tracking." is disabled, then the app works as expected.

  2. On the iPhone, Safari doesn't work at all, even with the "Prevent cross-site tracking." disabled.

  3. All other browsers / devices work fine.

I've tried a couple of quick workarounds, but short of rebuilding the whole iFrame app I'd love to hear if anyone else has had any success in passing cookies between an iFrame and parent page on Safari.

1 like
Naoca's avatar
Level 3

Quick final update on this one - we ended up ditching the use of sessions and now use an encrypted nonce which gets cached on the server and validated by a parameter passed through on the request from the client.

Unfortunately it means that users will need to reenter their PIN on every page refresh, but it works on all browsers.

Thanks to everyone for the tips.
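
A sketch of the kind of server-side token check described in the post above, added here as an example and not Naoca's actual implementation: it issues a random token after a successful PIN check (a random value rather than the encrypted nonce the post mentions) and validates it when the client sends it back as a request parameter, so nothing depends on cookies inside the iFrame. The class name `PinTokenStore`, the embed id, and the in-memory array standing in for the server cache are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: an array stands in for the server-side cache
// (a real application would use its cache backend instead).
final class PinTokenStore
{
    /** @var array<string, array{embed: string, expires: int}> */
    private array $entries = [];

    public function __construct(private int $ttlSeconds = 900) {}

    // Call only after the submitted PIN has been verified.
    // Returns the token the client must send back on later requests.
    public function issue(string $embedId, ?int $now = null): string
    {
        $now ??= time();
        $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
        // Store only a hash so a dump of the cache holds no usable tokens.
        $this->entries[hash('sha256', $token)] = [
            'embed'   => $embedId,
            'expires' => $now + $this->ttlSeconds,
        ];
        return $token;
    }

    // True only for an unexpired token that was issued for this embed.
    public function validate(string $token, string $embedId, ?int $now = null): bool
    {
        $now ??= time();
        $key = hash('sha256', $token);
        $entry = $this->entries[$key] ?? null;
        if ($entry === null) {
            return false;                 // unknown or forged token
        }
        if ($entry['expires'] < $now) {
            unset($this->entries[$key]);  // expired: drop it
            return false;
        }
        return hash_equals($entry['embed'], $embedId);
    }
}

// Constructed sample values, with fixed timestamps so the run is repeatable.
$store = new PinTokenStore(ttlSeconds: 900);
$token = $store->issue('embed-42', 1000);
var_dump($store->validate($token, 'embed-42', 1500));          // within the TTL
var_dump($store->validate($token, 'embed-99', 1500));          // wrong embed
var_dump($store->validate(str_repeat('0', 64), 'embed-42', 1500)); // never issued
var_dump($store->validate($token, 'embed-42', 2000));          // past the TTL
```

Because the token is held by the page's script rather than in a cookie, it is lost on a full page refresh, which matches the trade-off described in the post.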

nicolaubrasil's avatar

Hey @naoca,

Could you provide more details about your implementation? I'm having the same difficulty here in my application. :/

Thanks!!
