CiviCRM Community Forums (archive)

This forum was archived on 25 November 2017. Learn more.

Author Topic: xdomain petition form submit - issues with cookies / session  (Read 1576 times)

donquixote

  • I post occasionally
  • **
  • Posts: 42
  • Karma: 3
  • CiviCRM version: none
  • CMS version: Drupal
  • MySQL version: 5
  • PHP version: 5.2
xdomain petition form submit - issues with cookies / session
April 03, 2011, 11:35:50 am
Hey guys,

I am trying to embed a CiviCRM petition form from a different domain on a page via ajax.
I then would like to submit that form via another ajax request, and embed the response without leaving the page.

The problem: On submit, CiviCRM will complain that it wants cookies enabled.
The message is coming from CRM_Core_Controller::key().

Quote
Sorry. A non-recoverable error has occurred.
We can't load the requested web page. This page requires cookies to be enabled in your browser settings. Please check this setting and enable cookies (if they are not enabled). Then try again. If this error persists, contact the site adminstrator for assistance.

Site Administrators: This error may indicate that users are accessing this page using a domain or URL other than the configured Base URL. EXAMPLE: Base URL is http://example.org, but some users are accessing the page via http://www.example.org or a domain alias like http://myotherexample.org.

Error type: Could not find a valid session key.

Not really surprising, this is a typical conflict with cross-domain browser security.
Nevertheless, I would like to find a way to circumvent this problem.

---------------------

Let's say the page is on site A, but the ajax-embedded CiviCRM form comes from site B.

Session id from server to client
The first ajax request (to embed the form) creates a session cookie for site B, which we cannot access via javascript from site A.
Workaround: To make the session id from B available to javascript on site A, we can simply put it into a json variable.

Session id from client to server
By default, ajax requests do not send any cookies.
We could change this with a "xhr.withCredentials" setting, but this does not work for all browsers afaik.
Alternatively, one could try to send the session id (and session name) via GET or POST.

Session id via GET -> problem.
PHP can be configured to accept this, and will correctly initialize the session.
Unfortunately, CiviCRM+Quickform does not so easily grok this cookie-less request on form submissions, at least for the petition form. I am still trying to figure out why.

The petition form (CRM_Campaign_Form_Petition_Signature.php) does something with $_SESSION btw.

Besides, I am not sure about the security implications of sending session id via GET. It is generally recommended not to do this.
Maybe this can be mitigated if I impose some restrictions, such as, one can never log in with a GET session.

--------------

An alternative would be to tunnel the requests in one way or another.

--------

Any thoughts?

donquixote

Re: xdomain petition form submit - issues with cookies / session
April 03, 2011, 12:06:33 pm
Interesting. It seems that jsonp requests do in fact send a COOKIE header.
The problem was/is that jQuery ajaxForm does not fully support jsonp. I'm on it.

donquixote

Re: xdomain petition form submit - issues with cookies / session
April 03, 2011, 12:25:02 pm
Next finding.
You can't have it all. Either jsonp or POST, not both.
Kind of obvious, considering how jsonp works.
http://www.markhneedham.com/blog/2009/08/27/jquery-post-jsonp-and-cross-domain-requests/

But how can we combine POST + cookies?
I guess we can't.
So I need to tweak or tunnel or wrap CiviCRM so it accepts cookies from GET.

xavier

  • Forum Godess / God
  • I’m (like) Lobo ;)
  • *****
  • Posts: 4453
  • Karma: 161
    • Tech To The People
  • CiviCRM version: yes probably
  • CMS version: drupal
Re: xdomain petition form submit - issues with cookies / session
April 04, 2011, 12:25:15 am
What if

1) you jsonp load the needed param, including the html for the form.
As you load it from the main petition site, it should set the cookie, isn't it?

2) you ajax submit (using jquery form) that should have the cookie from the session from 1, isn't it?

lobo, is there an easy way to disable the qfKey control for a specific form? Would make it easier to embed petition forms on other sites

X+
-Hackathon and data journalism about the European parliament 24-26 jan. Watch out the result

donquixote

Re: xdomain petition form submit - issues with cookies / session
April 04, 2011, 07:04:13 am
Quote
2) you ajax submit (using jquery form) that should have the cookie from the session from 1, isn't it?
Nope.
The browser does have the cookie (for the remote domain B). But it will not send the cookie with a POST request.

More precisely:
- The usual ajax xhr never sends cookies to remote sites, unless the cookies are enabled via the "xhr.withCredentials" setting, which is only available on some browsers.
- jsonp does send cookies, but it is not xhr but just a script tag with a url. Thus, it cannot send POST.
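
Added example (not part of the original post and not CiviCRM code): the server-side half of the "xhr.withCredentials" option mentioned above. A credentialed cross-origin XHR only works if site B answers with an exact-origin `Access-Control-Allow-Origin` and `Access-Control-Allow-Credentials: true`. The origin `https://site-a.example`, the function names and the assumption that this endpoint serves only cross-origin embedding are constructed for illustration.

```javascript
// Constructed allowlist: "site A" pages that may embed the form served by "site B".
const ALLOWED_ORIGINS = new Set(["https://site-a.example"]);

// Returns CORS response headers for a credentialed request, or null to send none.
function corsHeaders(origin, allowed = ALLOWED_ORIGINS) {
  // Exact string match only. Suffix or prefix matching would accept look-alikes
  // such as https://site-a.example.evil.test, and "null" must never be allowed.
  if (typeof origin !== "string" || !allowed.has(origin)) return null;
  return {
    // Must echo the specific origin: browsers refuse "*" when credentials are sent.
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    // Keep caches from serving one origin's response to another.
    "Vary": "Origin",
  };
}

// Minimal dispatcher for site B (assumed to be a cross-origin-only endpoint):
// answers the preflight and gates the actual POST.
function respond(method, origin) {
  const cors = corsHeaders(origin);
  if (!cors) return { status: 403, headers: {} };
  if (method === "OPTIONS") {
    return {
      status: 204,
      headers: {
        ...cors,
        "Access-Control-Allow-Methods": "POST",
        "Access-Control-Allow-Headers": "Content-Type",
      },
    };
  }
  return { status: 200, headers: cors };
}
```

Current browsers additionally send the session cookie on a cross-site request only if it was set with `SameSite=None; Secure`.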

donquixote

Re: xdomain petition form submit - issues with cookies / session
April 04, 2011, 07:12:32 am
I tried something else:
1) Client sends the POST, without cookie, but with a randomly generated key ("client_id").
2) Server generates another random key ("server_id"), and stores the POST data in the database, together with the two keys. Server sends a response with the server_id key.
3) Client sends a jsonp request without POST, but with the two keys, and with the cookies.
4) Server fetches the POST (if it is less than 3 minutes old) for the given keys, and executes the form.

Problem: CiviCRM does not eat the new POST values.
There is some point of time when CiviCRM / CiviCRM looks at $_POST and decides if it should do a form execution or not. When this choice has been made, there is no way to change it.
There is another point of time when my custom code looks at the two keys and sets the $_POST. At first I chose to do this in a Drupal page callback, later I tried hook_init(). Both were too late, apparently.

But then again, it's really hard to tell, because I cannot dpm() when not logged in. Need to work with watchdog or other tricks.
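
Added example (not code from this thread or from CiviCRM): the server side of the four-step hand-off described in the post above, as a small in-memory store. `StagedPostStore` and its method names are hypothetical; the single-use rule, the minimum client_id length and hashing the client_id before storage are assumptions that go beyond what the post specifies, while the 3-minute limit is the post's own.

```javascript
const crypto = require("node:crypto");

const TTL_MS = 3 * 60 * 1000; // the post's "less than 3 minutes old"
const sha256 = (s) => crypto.createHash("sha256").update(String(s)).digest();

class StagedPostStore {
  constructor(now = () => Date.now()) {
    this.now = now;          // injectable clock so expiry can be tested
    this.items = new Map();  // server_id -> { clientHash, body, createdAt }
  }

  // Step 2: park the cookieless POST and hand back a fresh server_id.
  stage(clientId, body) {
    if (typeof clientId !== "string" || clientId.length < 32) {
      throw new Error("client_id must be at least 32 characters");
    }
    const serverId = crypto.randomBytes(16).toString("hex"); // 128-bit CSPRNG value
    this.items.set(serverId, { clientHash: sha256(clientId), body, createdAt: this.now() });
    return serverId;
  }

  // Step 4: the cookie-bearing JSONP request presents both keys.
  redeem(clientId, serverId) {
    const item = this.items.get(serverId);
    if (!item) return null;
    // Single use: both keys travel in a GET URL (logs, Referer), so the
    // entry is burned on the first attempt whether or not it succeeds.
    this.items.delete(serverId);
    if (this.now() - item.createdAt >= TTL_MS) return null;
    // Compare fixed-length digests in constant time.
    if (!crypto.timingSafeEqual(sha256(clientId), item.clientHash)) return null;
    return item.body;
  }

  // Drop entries that were never redeemed so the store cannot grow unbounded.
  sweep() {
    let removed = 0;
    for (const [id, item] of this.items) {
      if (this.now() - item.createdAt >= TTL_MS) { this.items.delete(id); removed++; }
    }
    return removed;
  }
}
```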


This forum was archived on 2017-11-26.