
Cookie not set when sending GET (caused by Location header) request in iframe
Hello there,
I have a problem with Firefox (including the newest version):
- I have a portal where SAML is used to log in.
- In the portal we have embedded a web application (3rd party) using an iframe.
- When an iframe is loading the application, the COOKIE of the application is not set in the request header for the redirect request.
- So the user is logged in using SAML and the 3rd party application did set the cookie, but the 3rd party application shows the login form because the cookie was not set in the header for the GET request.
Login request SAML OK - redirect to index of web app >
Response Headers :
Status 200 OK (in Google Chrome Status Code: 302 Moved Temporarily)
cache-control max-age=0
content-language en
content-length 42249
content-type text/html; charset=utf-8
date Fri, 30 Nov 2018 17:00:49 GMT
expires Fri, 30 Nov 2018 17:00:49 GMT
location https://xxxxx.com/login
server Apache
set-cookie fe_typo_user=218.........59a; path=/; HttpOnly <<<<<<<< SETS COOKIE 3rd Party App
x-content-type-options nosniff
X-Firefox-Spdy h2
x-ua-compatible IE=edge
Redirect to Location
Request header
Missing COOKIE in Firefox (the header "cookie: fe_typo_user" is set in Google Chrome)?!
Accept text/html,application/xhtml+xm…plication/xml;q=0.9,*/*;q=0.8
Accept-Encoding gzip, deflate, br
Accept-Language en-US,en;q=0.5
Connection keep-alive
Ghostery-AntiTracking
Host xxxxxx.com
Proxy-Authorization XXXXXXXXXXXXX
Referer https://idm.yyyyy.com/saml/....xxx..
TE Trailers
Upgrade-Insecure-Requests 1
User-Agent Mozilla/5.0 (X11; Ubuntu; Linu…) Gecko/20100101 Firefox/63.0
Response headers (392 B):
Status code 301 (in Google Chrome Status Code: 301 )
cache-control max-age=0
content-length 0
content-type text/html; charset=UTF-8
date Fri, 30 Nov 2018 17:00:54 GMT
expires Fri, 30 Nov 2018 17:00:54 GMT
location https://xxxxx.com/login/
server Apache
x-content-type-options nosniff
X-Firefox-Spdy h2
x-typo3-realurl-info redirect for missing slash
x-ua-compatible IE=edge
Response headers (369 B)
Status code 200 (in Google Chrome Status Code: 200 )
accept-ranges none
cache-control max-age=0
content-encoding gzip
content-language en
content-length 8242
content-type text/html; charset=utf-8
date Fri, 30 Nov 2018 17:00:54 GMT
expires Fri, 30 Nov 2018 17:00:54 GMT
server Apache
vary Accept-Encoding
x-content-type-options nosniff
X-Firefox-Spdy h2
x-ua-compatible IE=edge
Using Google Chrome for the same request gets response status code 302 Moved Temporarily with Location["abc.com"] (the application) and a set-cookie response header.
The next GET request to Location["abc.com"] does include the cookie. WORKS.
If I reload the iframe using Mouse Menu > This Frame > Reload Frame, the cookie is sent and the user is logged in.
Firefox gets response 200 OK with Location["abc.com"] (the application) and a set-cookie response header.
The next GET request to Location["abc.com"] does NOT include the cookie.
When loading the same request in a tab, the COOKIE is set. The problem exists only in the iframe.
GET .css file - the cookie header is set.
GOOGLE CHROME ------------------------
Response: logged in OK, redirect to web app:
cache-control: max-age=0
content-language: de
content-length: 42249
content-type: text/html; charset=utf-8
date: Fri, 30 Nov 2018 17:11:18 GMT
expires: Fri, 30 Nov 2018 17:11:18 GMT
location: https://xxxxxx.com/login
server: Apache
set-cookie: fe_typo_user=3ba24d....61; path=/; HttpOnly
status: 302
x-content-type-options: nosniff
x-ua-compatible: IE=edge
REDIRECTED > GET REQUEST WITH COOKIE
- authority: xxxxxx.com
- method: GET
- path: /login
- scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cache-control: no-cache
cookie: fe_typo_user=3ba24d....61 <<<<<<<<<<<<<<<<< COOKIE SET
pragma: no-cache
Response Header
cache-control: max-age=0
content-length: 0
content-type: text/html; charset=UTF-8
date: Fri, 30 Nov 2018 17:11:22 GMT
expires: Fri, 30 Nov 2018 17:11:22 GMT
location: https://xxxxxx.com/login/
server: Apache
status: 301
x-content-type-options: nosniff
x-typo3-realurl-info: redirect for missing slash
x-ua-compatible: IE=edge
Response Header
accept-ranges: none
cache-control: max-age=0
content-encoding: gzip
content-language: en
content-length: 8748
content-type: text/html; charset=utf-8
date: Fri, 30 Nov 2018 17:11:22 GMT
expires: Fri, 30 Nov 2018 17:11:22 GMT
server: Apache
status: 200
vary: Accept-Encoding
x-content-type-options: nosniff
x-ua-compatible: IE=edge
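The exchange above (302 with Set-Cookie, 301 for the missing slash, then 200) can be reproduced outside the browser to separate server behaviour from browser cookie policy. The following is an added example, not code from the reporter or from the TYPO3 application: it runs a local mock of the three-hop chain, drives it with a cookie-aware urllib client, and records which Cookie header the server saw on each hop. It also parses the logged Set-Cookie line (cookie value shortened to a constructed placeholder) and reports its attributes. The header as logged carries only path and HttpOnly; in current browsers a cookie that must be sent from inside a cross-site iframe additionally needs SameSite=None together with Secure, which is the first thing to check when a cookie works in a top-level tab but not in a third-party frame. Host, port and paths are assumptions chosen for the mock.

```python
import http.cookiejar
import threading
import urllib.request
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample: the Set-Cookie header from the report with the value shortened.
SAMPLE_SET_COOKIE = "fe_typo_user=218abc59a; path=/; HttpOnly"


def cookie_attribute_report(set_cookie_value):
    """Parse a Set-Cookie header and report the attributes that decide whether
    the cookie can be sent from a cross-site iframe."""
    parsed = SimpleCookie()
    parsed.load(set_cookie_value)
    report = {}
    for name, morsel in parsed.items():
        secure = bool(morsel.get("secure", ""))
        samesite = morsel.get("samesite", "") or None
        report[name] = {
            "httponly": bool(morsel.get("httponly", "")),
            "secure": secure,
            "samesite": samesite,
            # Cross-site iframe delivery requires SameSite=None and Secure together.
            "cross_site_ready": secure and (samesite or "").lower() == "none",
        }
    return report


class _ChainHandler(BaseHTTPRequestHandler):
    """Mock of the chain in the report: SAML landing (302 + Set-Cookie)
    -> /login (301, missing slash) -> /login/ (200). Paths are assumptions."""

    seen = []  # (path, Cookie header or None) in request order

    def do_GET(self):
        type(self).seen.append((self.path, self.headers.get("Cookie")))
        if self.path == "/saml/landing":
            self.send_response(302)
            self.send_header("Set-Cookie", SAMPLE_SET_COOKIE)
            self.send_header("Location", "/login")
            self.send_header("Content-Length", "0")
            self.end_headers()
        elif self.path == "/login":
            self.send_response(301)
            self.send_header("Location", "/login/")
            self.send_header("Content-Length", "0")
            self.end_headers()
        else:
            body = b"<html>index</html>"
            self.send_response(200)
            self.send_header("Content-Type", "text/html; charset=utf-8")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the mock quiet


def run_redirect_chain():
    """Start the mock on an ephemeral port, follow the chain with a cookie jar,
    and return (final status, [(path, Cookie header) per hop])."""
    _ChainHandler.seen = []
    server = HTTPServer(("127.0.0.1", 0), _ChainHandler)
    port = server.server_address[1]
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        jar = http.cookiejar.CookieJar()
        opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
        # urllib stores the cookie from the 302 before following Location,
        # so hops 2 and 3 carry it, as the Chrome trace in the report shows.
        with opener.open(f"http://127.0.0.1:{port}/saml/landing") as resp:
            final_status = resp.status
    finally:
        server.shutdown()
        server.server_close()
        thread.join()
    return final_status, list(_ChainHandler.seen)


if __name__ == "__main__":
    for name, attrs in cookie_attribute_report(SAMPLE_SET_COOKIE).items():
        print(name, attrs)
    status, hops = run_redirect_chain()
    print("final status:", status)
    for path, cookie in hops:
        print(f"{path:14} Cookie: {cookie}")
```

If the harness shows the cookie on every hop after the first, the server side of the chain is behaving and the difference between tab and iframe lies in the browser's handling of third-party cookies for that frame; the attribute report then tells you whether the cookie is even eligible for cross-site delivery.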