The Wayback Machine - https://web.archive.org/web/20161110224340/http://softwareengineering.stackexchange.com:80/questions/335337/asp-session-between-iframe-and-page

I have a situation where my ASP.NET MVC application can be loaded directly or in an iframe. It uses ASP.NET Identity. When I open the site from the iframe, log in, and afterwards open the site directly, it keeps me logged in. Is that normal behavior? Is the session shared between apps opened directly and in an iframe?

Here are more details: I have a site https://somesite.com, and it can be accessed directly or via another site using an iframe. I need slightly different designs and functionality depending on where the site is accessed from. I researched, and the only good solution seems to be to have two different sites: https://somesite.com and https://framed.somesite.com. I don't need to share sessions between them. Authorization may also work independently. And I need one SSL certificate for both sites.

Also, how would you organize projects in VS2015 in case the design and functionality are mostly the same? Would you have some setting in the config to differentiate and just publish two sites with different settings, or would you create two different projects?

    
What I was trying to do is differentiate through some session variable. When the site is opened from the iframe it always hits some API that sets a variable, say 'LoggedFromFrame'. That API is not hit when I log in directly. So I thought I would be able to differentiate by this session variable whether the site is opened from the iframe or directly. But the thing is that they seem to share sessions, and when I open it directly I get the version of the site that should be visible when I am logged in from the frame. – Giorgi Nakeuri Nov 4 at 9:17
    
I meant, why is there a requirement for these two different versions? Why do you want the iframe version to differ from the normal version? The actual customer requirement here is highly relevant to the best approach to take. – dan1111 Nov 4 at 9:18
    
Well, it is a Shopify application. When you open an app in an iframe from the Shopify site, it should work within the concrete shop you logged in from. When you log in directly you can switch between different shops, etc. So there are some menu items that differ, and also some pages should not be available, etc. – Giorgi Nakeuri Nov 4 at 9:21
    
Ok, that makes sense, but what is the problem with still being logged in once you go to the main site? Do you want the users to have two separate accounts? – dan1111 Nov 4 at 9:25
    
@dan1111, well, that requirement can be removed, I think. The main problem I have is how to differentiate between the frame and regular versions. And I thought the best way is to create 2 different sites that work under the same SSL (so it will be subdomained). So sessions will not be shared and that requirement will be automatically fulfilled. – Giorgi Nakeuri Nov 4 at 9:28

There's no problem in the user's session being shared between the two. From your comments, it's the same underlying user account. The point of requiring log in is to authenticate the user, and that has happened. So don't require it again if they go to the main site.

Structure it as one project, with the iframe version a subset of the total project. The iframe site is a subset of the total functionality. If you design things right, you will probably use that subset in both your main site and the iframe site.

    
Dan, you missed the main point. It is already designed and behaves like you describe. The issue I am facing is how to differentiate between versions. I cannot do that via session, as it is shared in this case. I cannot do that via a config setting, as it is the same. I cannot do that via JavaScript, as it is not reliable. – Giorgi Nakeuri Nov 4 at 10:02
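The session sharing discussed in this thread follows from how browsers scope cookies by host name. The sketch below is an added example, not code from the question or the answer: it models only the RFC 6265 storage and matching rules, with a constructed cookie name (`AppSession`) and value, and it does not model `SameSite`, `Path`, `Secure` or third-party cookie blocking.

```javascript
// Added example: simplified RFC 6265 cookie storage and matching.
// Cookie name/value and "other.example" are constructed for illustration.

// Section 5.1.3: does request host `host` domain-match `domain`?
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  const isIp = /^[\d.]+$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + domain);
}

// Section 5.3: turn a Set-Cookie header received from `originHost` into a stored cookie.
function storeCookie(setCookie, originHost) {
  const [pair, ...attrs] = setCookie.split(";").map(s => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   domain: originHost.toLowerCase(), hostOnly: true };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    if (k.trim().toLowerCase() === "domain" && v.trim() !== "") {
      const d = v.trim().replace(/^\./, "").toLowerCase();
      if (!domainMatch(originHost, d)) return null; // foreign Domain: rejected
      cookie.domain = d;
      cookie.hostOnly = false;
    }
  }
  return cookie;
}

// Section 5.4: is the cookie attached to a request for `requestHost`?
// There is no "top-level vs. framed" parameter: framing is not an input here.
function cookieSent(cookie, requestHost) {
  const host = requestHost.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain : domainMatch(host, cookie.domain);
}

function demo() {
  const hostOnly = storeCookie("AppSession=abc123; Path=/; Secure; HttpOnly", "somesite.com");
  const wide = storeCookie("AppSession=abc123; Domain=somesite.com; Path=/; Secure", "somesite.com");
  return {
    sameHost: cookieSent(hostOnly, "somesite.com"),                    // direct or framed
    hostOnlyToSubdomain: cookieSent(hostOnly, "framed.somesite.com"),  // isolated
    wideToSubdomain: cookieSent(wide, "framed.somesite.com"),          // shared again
    foreignDomainRejected: storeCookie("x=1; Domain=other.example", "somesite.com") === null,
  };
}
console.log(demo());
```

Under these rules a cookie set without a `Domain` attribute stays on the exact host that set it, so a separate `framed.somesite.com` host gets its own session only as long as the login cookie is not widened with `Domain=somesite.com`.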
