Since your content is being loaded into an iframe from a remote domain, it is classed as a **third-party cookie**.

The vast majority of third-party cookies are provided by advertisers (these are usually marked as **tracking cookies** by anti-malware software) and many people consider them to be an invasion of privacy. Consequently, most browsers offer a facility to block third-party cookies, which is probably the cause of the issue you are encountering.

From new update of Chromium in February 4, 2020 (Chrome 80).
Cookies default to SameSite=Lax. According to this [link][1].

To fix this, you just need to mark your cookies are SameSite=None and Secure.

To understand what is Samesite cookies, please see this [document][2]


  [1]: https://www.chromestatus.com/feature/5088147346030592
  [2]: https://web.dev/samesite-cookies-explained

After reading through Facebook&#39;s docs on iframe canvas pages, I figured out how to set cookies in iframes with different domains. I created a proof of concept sinatra application here: https://github.com/agibralter/iframe-widget-test

There is more discussion on how Facebook does it here: https://stackoverflow.com/questions/4701922/how-does-facebook-set-cross-domain-cookies-for-iframes-on-canvas-pages

IE requires you to [set a P3P policy][1] before it will allow third-party frames to set cookies, under the default privacy settings.

Supposedly P3P allows the user to limit what information goes to what parties who promise to handle it in certain ways. In practice it&#39;s pretty much worthless as users can&#39;t really set any meaningful limitations on how they want information handled; in the end it&#39;s just a fairly uniform setting acting as a hoop that all third parties have to jump through, saying “I&#39;ll be nice with your personal information” even if they have no intention of doing so.

[1]: http://msdn.microsoft.com/en-us/library/ms537343%28VS.85%29.aspx


How can I set a Hibernate Parameter to &quot;null&quot;? Example:

    Query query = getSession().createQuery(&quot;from CountryDTO c where c.status = :status  and c.type =:type&quot;)
    .setParameter(&quot;status&quot;, status, Hibernate.STRING)
    .setParameter(&quot;type&quot;, type, Hibernate.STRING);

In my case, the status String can be null. I have debugged this and hibernate then generates an SQL string/query like this ....`status = null`... This however does not Work in MYSQL, as the correct SQL statement must be &quot;`status is null`&quot; (Mysql does not understand status=null and evaluates this to false so that no records will ever be returned for the query, according to the mysql docs i have read...) 

My Questions:

1. Why doesnt `Hibernate` translate a null string correctly to &quot;is null&quot; (and rather and wrongly creates &quot;=null&quot;)?

2. What is the best way to rewrite this query so that it is null-safe? With nullsafe I mean that in the case that the &quot;status&quot; String is null than it should create an &quot;is null&quot;?

Hibernate: How to set NULL query-parameter value with HQL?

In a recent [answer to a style question](https://stackoverflow.com/questions/127190/good-haskell-coding-style-of-if-else-control-block/2096144#2096144), I wrote

    main = untilM (isCorrect 42) (read `liftM` getLine)

and

    isCorrect num guess =
      case compare num guess of
        EQ -&gt; putStrLn &quot;You Win!&quot; &gt;&gt; return True
        ...

[Martijn](https://stackoverflow.com/users/17439/martijn) helpfully suggested alternatives:

    main = untilM (isCorrect 42) (read &lt;$&gt; getLine)

    EQ -&gt; True &lt;$ putStrLn &quot;You Win!&quot;

Which common patterns in Haskell code can be made clearer using abstractions from [Control.Applicative](http://www.haskell.org/ghc/docs/latest/html/libraries/base-4.2.0.0/Control-Applicative.html)? What are helpful rules of thumb to keep in mind for using Control.Applicative effectively?

How do you use Control.Applicative to write cleaner Haskell?

We have our site integrated as an iframe into another site that runs on a different domain. It seems that we cannot set cookies. Has anybody encountered this issue before? Any ideas?

Setting cookie in iframe - different Domain

<p>We have our site integrated as an iframe into another site that runs on a different domain. It seems that we cannot set cookies. Has anybody encountered this issue before? Any ideas?</p>


I want to implement a salt into my login system but am a bit confused on how this is supposed to work. I can&#39;t understand the logic behind it. I understand md5 is a one-way algorithm and all of the functions that I have come across seem to hash everything together. If this is the case, how does one get the password back out for comparison? My biggest question is, how is salting a users&#39; password safer than just hashing the password? If a database was ever to be compromised, the hash along with the salt is in the database. Isn&#39;t this all that a hacker would need?

I also found another post here on SO where another developer said :

&gt; &quot;Ensure your salt and algorithm are
&gt; stored **separately from** the database&quot;

I would like to store the salt in the database. Is this really a problem if I do?

I&#39;m looking for some help on understanding how this works and also what the best practice might be. Any help is greatly appreciated.


----------

EDIT:
I want to thank everyone for their responses and ideas. Even though I may be more confused now, it has certainly been a learning experience for me. Thanks again guys.

How do I implement salt into my login for passwords?

Currently Google requires you to create an API Key that is specific to the domain of where the map will be served from. How does Google enforce this? I want to do the same thing.

I expose an API for my service but want to allow clients to embed calls to the API via javascript and not just from the server. I could secure it with just a random token but of course this could be easily spoofed by anyone looking at the code on the client machine.

I always understood this concept to not be possible but somehow Google does a good job at enforcing it.

Edit - It sounds like Google really hasn&#39;t done anything amazing after all. Their API is most likely just for tracking and not really to guarantee that their API is used by the person with the key.

How does Google Maps secure their API Key? How to make something similar?

As I continue to build more and more websites and web applications I am often asked to store user&#39;s passwords in a way that they can be retrieved if/when the user has an issue (either to email a forgotten password link, walk them through over the phone, etc.)  When I can I fight bitterly against this practice and I do a lot of ‘extra’ programming to make password resets and administrative assistance possible without storing their actual password.

When I can’t fight it (or can’t win) then I always encode the password in some way so that it, at least, isn’t stored as plaintext in the database—though I am aware that if my DB gets hacked it wouldn&#39;t take much for the culprit to crack the passwords, so that makes me uncomfortable.

In a perfect world folks would update passwords frequently and not duplicate them across many different sites—unfortunately I know MANY people that have the same work/home/email/bank password, and have even freely given it to me when they need assistance.  I don’t want to be the one responsible for their financial demise if my DB security procedures fail for some reason.

Morally and ethically I feel responsible for protecting what can be, for some users, their livelihood even if they are treating it with much less respect.
I am certain that there are many avenues to approach and arguments to be made for salting hashes and different encoding options, but is there a single ‘best practice’ when you have to store them?  In almost all cases I am using PHP and MySQL if that makes any difference in the way I should handle the specifics.


**Additional Information for Bounty**

I want to clarify that I know this is not something you want to have to do and that in most cases refusal to do so is best.  I am, however, not looking for a lecture on the merits of taking this approach I am looking for the best steps to take if you do take this approach.

In a note below I made the point that websites geared largely toward the elderly, mentally challenged, or very young can become confusing for people when they are asked to perform a secure password recovery routine.  Though we may find it simple and mundane in those cases some users need the extra assistance of either having a service tech help them into the system or having it emailed/displayed directly to them.  

In such systems the attrition rate from these demographics could hobble the application if users were not given this level of access assistance, so please answer with such a setup in mind.

**Thanks to Everyone**

This has been a fun question with lots of debate and I have enjoyed it.  In the end I selected an answer that both retains password security (I will not have to keep plain text or recoverable passwords), but also makes it possible for the user base I specified to log into a system without the major drawbacks I have found from normal password recovery.

As always there were about 5 answers that I would like to have marked as correct for different reasons, but I had to choose the best one--all the rest got a +1.  Thanks everyone!

Also, thanks to everyone in the Stack community who voted for this question and/or marked it as a favorite.  I take hitting 100 up votes as a compliment and hope that this discussion has helped someone else with the same concern that I had.


How should I ethically approach user password storage for later plaintext retrieval?

What is the difference between a cer, pvk, and pfx file? Also, which files do I keep and which am I expected to give to my counter-parties?

What is the difference between a cer, pvk, and pfx file?

As many will know, one-way encryption is a handy way to encrypt user passwords in databases. That way, even the administrator of the database cannot know a user&#39;s password, but will have to take a password guess, encrypt that with the same algorithm and then compare the result with the encrypted password in the database. This means that the process of figuring out the password requires massive amounts of guesses and a lot of processing power.

Seeing that computers just keep getting faster and that mathematicians are still developing these algorithms, I&#39;m wondering which one is the most secure considering modern computing power and encryption techniques.

I&#39;ve been using MD5 almost exclusively for years now, and I&#39;m wondering if there&#39;s something more I should be doing. Should I be contemplating a different algorithm?

Another related question: How long should a field typically be for such an encrypted password? I must admit that I know virtually nothing about encryption, but I&#39;m assuming that an MD5 hash (as an example) can be longer and would presumably take more processing power to crack. Or does the length of the field not matter at all, provided that the encrypted password fits in it in the first place?

What is currently the most secure one-way encryption algorithm?

I want to call a parent window JavaScript function from an iframe.  

    &lt;script&gt;
        function abc()
        {
            alert(&quot;sss&quot;);
        }
    &lt;/script&gt;
    
    &lt;iframe id=&quot;myFrame&quot;&gt;
        &lt;a onclick=&quot;abc();&quot; href=&quot;#&quot;&gt;Call Me&lt;/a&gt;
    &lt;/iframe&gt;




Calling a parent window function from an iframe

I understand that it is not possible to tell what the user is doing inside an `iframe` if it is cross domain.  What I would like to do is track if the user clicked at all in the `iframe`.  I imagine a scenario where there is an invisible `div` on top of the `iframe` and the the `div` will just then pass the click event to the `iframe`.  

Is something like this possible?  If it is, then how would I go about it?  The `iframes` are ads, so I have no control over the tags that are used.

Detect Click into Iframe using JavaScript

Assuming I have no control over the content in the iframe, is there any way that I can detect a src change in it via the parent page? Some sort of onload maybe?

My last resort is to do a 1 second interval test if the iframe src is the same as it was before, but doing this hacky solution would suck.

I&#39;m using the jQuery library if it helps.

iFrame src change event detection?

How do you prevent Firefox and Safari from caching iframe content?

I have a simple webpage with an iframe to a page on a different site. Both the outer page and the inner page have HTTP response headers to prevent caching. When I click the &quot;back&quot; button in the browser, the outer page works properly, but no matter what, the browser always retrieves a cache of the iframed page. IE works just fine, but Firefox and Safari are giving me trouble.

My webpage looks something like this:

    &lt;html&gt;
      &lt;head&gt;&lt;!-- stuff --&gt;&lt;/head&gt;
    &lt;body&gt;
      &lt;!-- stuff --&gt;
      &lt;iframe src=&quot;webpage2.html?var=xxx&quot; /&gt;
      &lt;!-- stuff --&gt;
    &lt;/body&gt;
    &lt;/html&gt;

The &lt;code&gt;var&lt;/code&gt; variable always changes. Although the URL of the iframe has changed (and thus, the browser should be making a new request to that page), the browser just fetches the cached content.

I&#39;ve examined the HTTP requests and responses going back and forth, and I noticed that even if the outer page contains &lt;code&gt;&amp;lt;iframe src=&quot;webpage2.html?var=222&quot; /&amp;gt;&lt;/code&gt;, the browser will still fetch &lt;code&gt;webpage2.html?var=111&lt;/code&gt;.

Here&#39;s what I&#39;ve tried so far:

 - Changing iframe URL with random var value
 - Adding Expires, Cache-Control, and Pragma headers to outer webpage
 - Adding Expires, Cache-Control, and Pragma headers to inner webpage

I&#39;m unable to do any JavaScript tricks because I&#39;m blocked by the same-origin policy. 

I&#39;m running out of ideas. Does anyone know how to stop the browser from caching the iframed content?

Update
======

I installed Fiddler2 as Daniel suggested to perform another test, and unfortunately, I am still getting the same results.

This is the test I performed:

 1. Outer page generates random number using &lt;code&gt;Math.random()&lt;/code&gt; in JSP.
 2. Outer page displays a random number on the webpage.
 3. Outer page calls iframe, passing in a random number.
 4. Inner page displays a random number.

With this test, I&#39;m able to see exactly which pages are updating, and which pages are cached.

Visual Test
-----------

For a quick test, I load the page, navigate to another page, and then press &quot;back.&quot; Here are the results:

Original Page:

 - Outer Page: 0.21300034290246206
 - Inner Page: 0.21300034290246206

Leaving page, then hitting back:

 - Outer page: 0.4470929019483644
 - Inner page: 0.21300034290246206

This shows that the inner page is being cached, even though the outer page is calling it with a different GET parameter in the URL. For some reason, the browser is ignoring the fact that the iframe is requesting a new URL; it simply loads the old one.

Fiddler Test
------------

Sure enough, Fiddler confirms the same thing.

(I load the page.)

Outer page is called. HTML:

    0.21300034290246206
    &lt;iframe src=&quot;http://ipv4.fiddler:1416/page1.aspx?var=0.21300034290246206&quot; /&gt;

http://ipv4.fiddler:1416/page1.aspx?var=0.21300034290246206 is called.

(I navigate away from the page and then hit back.)

Outer page is called. HTML:

    0.4470929019483644
    &lt;iframe src=&quot;http://ipv4.fiddler:1416/page1.aspx?var=0.4470929019483644&quot; /&gt;


http://ipv4.fiddler:1416/page1.aspx?var=0.21300034290246206 is called.

Well, from this test, it looks as though the web browser isn&#39;t caching the page, but it&#39;s caching the URL of the iframe and then making a new request on that cached URL. However, I&#39;m still stumped as to how to solve this issue.

Does anyone have any ideas on how to stop the web browser from caching iframe URLs?

Preventing iframe caching in browser

How can I find out that my page is embedded as a frame to other site during page loading? I guess referrer request header can&#39;t help me here? Thanks. 

How to prevent my site page to be loaded via 3rd party site frame of iFrame

Is my function of creating a cookie correct? How do I delete the cookie at the beginning of my program? is there a simple coding?

    function createCookie(name,value,days)

&lt;!-- --&gt;

    function setCookie(c_name,value,1) {
      document.cookie = c_name + &quot;=&quot; +escape(value);
    }
    
    setCookie(&#39;cookie_name&#39;,mac);
    
    function eraseCookie(c_name) {
      createCookie(cookie_name,&quot;&quot;,-1);
    }

How to delete a cookie?

Can cookies set using HTTP be read using HTTPS?

Reading cookies via HTTPS that were set using HTTP

Session variables and cookies seem very similar to me. I understand the technical differences, but how do you decide when to use one vs. the other?

When should I use session variables instead of cookies?

I&#39;m wondering if I can delete all my website&#39;s cookies when a user click on logout, because I used this as function to delete cookies but it isn&#39;t work properly:

    setcookie(&quot;user&quot;,false);

Is there a way to delete one domain&#39;s cookies in PHP?


how to delete all cookies of my website in php

Anyone have any &quot;best practices&quot; tips for Rails and sessions? The default session type for Rails 3 is still CookieStore, right? I used SqlSessionStore for a while and it worked well, but I may move away from that in favor of CookieStore. 

Is it still not a good idea to use CookieStore for sensitive info, even with salted info or is that better stored in the DB?

Content Type	Original Author	Original Content on Stackoverflow
Question	user1946784	View Question on Stackoverflow
Solution 1 - Security	Quentin	View Answer on Stackoverflow
Solution 2 - Security	Hoang Trung	View Answer on Stackoverflow
Solution 3 - Security	Aaron Gibralter	View Answer on Stackoverflow
Solution 4 - Security	bobince	View Answer on Stackoverflow

Setting cookie in iframe - different Domain

Security Problem Overview

Security Solutions

Solution 1 - Security

Solution 2 - Security

Solution 3 - Security

Solution 4 - Security

How do you use Control.Applicative to write cleaner Haskell?

Hibernate: How to set NULL query-parameter value with HQL?

Attributions