
mathishuettl:

Laravel Project as iFrame -> Page expired when logging in

Hey community,

I created a Laravel application and want to embed it into another site via iFrame. First you have to sign in to my application, but when the form gets submitted I get a 419 Page Expired error.

When I try it directly, without an iFrame, there is no problem... so what is the solution?

Snapey:

It should be no different, but if you leave it for 2 hours then you will get 419 error.

An iframe is just a session embedded in another page. It does not alter behaviour.

mathishuettl:

Please help me, guys... I have a huge project and now we want to go live, and it depends on this little thing... What's the alternative? I want to show my app in an iframe; that was the aim of this project :/

jlrdw:

Just curious, why does it have to be in an iframe? Why not its own site?

mathishuettl:

It was a budget question from the customer: he built the website around it himself, and I built the app that runs inside the website.

jlrdw:

Have you tried implementing one of the social logins (Facebook, Google, etc.)? I would also search Stack Overflow, which you probably have already.

Snapey:

Being in an iframe should make no difference. You are saying it works OK if you use it directly, but breaks in the iframe?

Snapey:

For the purpose of clarity, the links posted earlier by jlrdw are not relevant.

jlrdw:

From your description it sounds like they are on different domains, is that correct? Also, and of this I'm not 100% sure, but if the iframe is on another domain, I think the session has to be used via the URL.

I have loaded sites in an iframe, but a login wasn't required. It's been a while, but it was adoptapet.

But sorry if my links above are wrong; I was just trying to help. Normally those two sites have good answers.

@jeffreyway if you see this, any thoughts on cross domain iframe? It's got me wondering now.

mathishuettl:

Yes, that's correct, they are on a different domain. How can I change that, so that the session is used via the URL?

Snapey (Best Answer):

Try changing the value of the same-site cookie policy in config/session.php

    /*
    |--------------------------------------------------------------------------
    | Same-Site Cookies
    |--------------------------------------------------------------------------
    |
    | This option determines how your cookies behave when cross-site requests
    | take place, and can be used to mitigate CSRF attacks. By default, we
    | will set this value to "lax" since this is a secure default value.
    |
    | Supported: "lax", "strict", "none", null
    |
    */

    'same_site' => 'lax',

Currently the cookies are blocked because of the 'lax' setting.

Remember to clear or reset the config cache after changing it.

To see the issue:

  • Open Chrome dev tools, select the Network tab, and click Login in the iframe.
  • You will see a red "login" request in the left panel; click it.
  • In the right panel, click Cookies.
  • Check the box for 'show filtered out request cookies'.
  • You will see that the request cookies XSRF-TOKEN and laravel_session are blocked.
  • Hover over the "i" in the SameSite column.
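The answer above describes the symptom in devtools; the model below shows why it happens and what the fix needs. It is an added example, not code from the thread or from Laravel: a small simulation of the browser's SameSite decision (following the cookie spec rules that Chromium and Firefox apply) run against three versions of the two relevant keys in config/session.php, `'same_site'` and `'secure'`. The host names `customer-site.example` and `app.example` and the helper names are constructed for illustration. It goes beyond the thread in one respect: it also covers the case where `'same_site'` is switched to `'none'` without `'secure' => true`, which browsers reject outright.

```python
"""Why a Laravel login POST inside a cross-site iframe returns 419, modelled
as the browser's SameSite decision for the session and XSRF-TOKEN cookies.

Added example for this thread; not Laravel's code. Decision rules follow
RFC 6265bis as implemented by Chromium/Firefox. Hosts are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for the example hosts; a real
    implementation consults the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def is_same_site(a: str, b: str) -> bool:
    return registrable_domain(a) == registrable_domain(b)


@dataclass
class Cookie:
    name: str
    same_site: Optional[str]   # config/session.php: "strict", "lax", "none" or null
    secure: bool               # config/session.php: 'secure' => true/false


def browser_accepts(cookie: Cookie) -> bool:
    """SameSite=None without Secure is rejected at Set-Cookie time, so the
    cookie is never stored and the app silently loses its session."""
    return not (cookie.same_site == "none" and not cookie.secure)


def browser_sends(cookie: Cookie, *, top_level_site: str, request_site: str,
                  method: str, top_level_navigation: bool, https: bool) -> bool:
    """Would the browser attach `cookie` to this request?

    top_level_site: site in the address bar (the customer's embedding page)
    request_site:   site the request targets (the iframed Laravel app)
    """
    if not browser_accepts(cookie):
        return False
    if cookie.secure and not https:
        return False
    if is_same_site(top_level_site, request_site):
        return True                        # SameSite only bites cross-site
    mode = cookie.same_site or "lax"       # unspecified is treated as Lax
    if mode == "strict":
        return False
    if mode == "lax":
        # Lax: cross-site only on safe-method top-level navigations; a form
        # POST that stays inside the frame is neither.
        return top_level_navigation and method.upper() in ("GET", "HEAD")
    if mode == "none":
        return True
    raise ValueError(f"unknown SameSite value {cookie.same_site!r}")


# The three configurations discussed in the thread (and the broken middle one).
LARAVEL_DEFAULT = {"same_site": "lax", "secure": False}
NONE_WITHOUT_SECURE = {"same_site": "none", "secure": False}   # rejected by browsers
NONE_WITH_SECURE = {"same_site": "none", "secure": True}       # what the fix needs


def laravel_login_in_iframe(config: Dict[str, object], *, https: bool = True) -> Dict[str, bool]:
    """The scenario from the original post: customer-site.example embeds
    app.example in an iframe and the user submits the login form there.
    Returns, per cookie, whether the browser sends it with that POST."""
    sent = {}
    for name in ("laravel_session", "XSRF-TOKEN"):
        cookie = Cookie(name, config["same_site"], bool(config["secure"]))
        sent[name] = browser_sends(
            cookie,
            top_level_site="customer-site.example",   # constructed
            request_site="app.example",               # constructed
            method="POST",
            top_level_navigation=False,               # submit stays in the frame
            https=https,
        )
    return sent


def csrf_check_passes(sent: Dict[str, bool]) -> bool:
    """Laravel's VerifyCsrfToken compares the form's _token with the token in
    the session. No session cookie -> fresh empty session -> mismatch -> 419."""
    return sent["laravel_session"]


if __name__ == "__main__":
    for label, cfg in (("lax (default)", LARAVEL_DEFAULT),
                       ("none, not secure", NONE_WITHOUT_SECURE),
                       ("none + secure", NONE_WITH_SECURE)):
        sent = laravel_login_in_iframe(cfg)
        print(f"{label:18} cookies sent={sent}  login -> "
              f"{'OK' if csrf_check_passes(sent) else '419 Page Expired'}")
```

Two caveats the model makes visible. `'same_site' => 'none'` only works together with `'secure' => true`, which means the embedded app must be served over HTTPS; without it the browser drops the cookie at Set-Cookie time and the result is the same 419. And SameSite=Lax was doing real CSRF work for the login form; with it set to None, the app's only cross-site defence is Laravel's CSRF token, so keep VerifyCsrfToken on every state-changing route. The model also does not cover browsers or profiles that block all third-party cookies (Safari does so by default, and the later reply about browser settings is the same effect): those never store the cookie regardless of SameSite, and no server setting changes that.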
andreich1980:

@Snapey I set it to none or null, but it does not help: in the iframe the POST request fails with 419; when I open the iframe in a new browser tab, the POST request works fine.

You were right: when in the iframe it does not send/receive the CSRF token and the cookie.

I'm on Firefox.

andreich1980:

Update: none worked; it was just my browser settings, which only allow third-party cookies once the internal website has been opened without the iframe.

mathishuettl:

@snapey There is one more thing... when I try to log in via smartphone I get the same error as before... any hints? I set same_site to "none".

jlrdw:

@mathishuettl Is there no way that you could just have a division (div) instead of an iframe, and have a link to the actual site?

There is mobile-detect software you could use also. That way, if mobile, then open the actual site.

And since you have marked this as answered, you may want to start a new post.

Snapey:

You need to search for solutions related to SameSite and the specific browser you are using on the smartphone.

mathishuettl:

I searched, but there are not really any helpful solutions... I tested on iOS (iPhone X) with Safari and Chrome; both have the page expired problem, like on desktop before I changed same_site from "lax" to "none"...
