  • How to Fetch JSESSIONID Cookie from iFrame and Pass it to Parent Window


    asimkin
    • Version: v6.3

    Issue Description

    We have a custom application into which we have integrated JasperReports Server using an iframe.

    The two applications are on different domains.

    The user is logged in to JasperReports Server and a JSESSIONID cookie is created.

    We need to fetch this JSESSIONID from JasperReports Server and pass it to the application for further usage within the same session.


    Resolution

    In the default configuration of most application servers, the HttpOnly flag is included in the Set-Cookie HTTP response header to help prevent cross-site scripting attacks.

    This flag hides the cookie from JavaScript, which prevents passing the JSESSIONID cookie from the iFrame into the parent window.

    https://www.owasp.org/index.php/HttpOnly

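    As a solution, you can disable the flag. With the flag disabled, the session cookie becomes readable through document.cookie by any script running in the JasperReports Server pages. For Tomcat, for example, it is done in the following way: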

    • Locate the Apache Tomcat application server context.xml file, usually located in

      <tomcat>/conf/context.xml

    • Edit the file by adding the useHttpOnly="false" attribute:

      <Context useHttpOnly="false">

      ..................

      </Context>

    • Restart Tomcat

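    After these steps, you should be able to retrieve the cookie of the page embedded in the iFrame from the parent window using JavaScript. This works when the parent page is served from the same origin as the iFrame, as in the test below; the browser's same-origin policy blocks access to a cross-origin frame's document: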

    window.frames[0].document.cookie

    As a test, you can create a sample HTML page:

    <html>
      <head>
        <title></title>
        <script>
          // Show the cookies that script can read in the first frame once it has loaded
          function onMyFrameLoad() {
            alert(window.frames[0].document.cookie);
          }
        </script>
      </head>
      <body>
        <iframe id="jrs_frame" src="http://localhost:8630/jasperserver-pro/flow.html?_flowId=searchFlow&standAlone=true&j_username=jasperadmin|organization_1&j_password=jasperadmin&decorate=no" width="1000px" height="600px" onload="onMyFrameLoad(this)"></iframe>
      </body>
    </html>

    Place the page in Tomcat and open it in a browser.

    As a result, the alert message displays the cookies, including JSESSIONID (see the attached screenshot).

    iFrame_cookies.png.0bbc67186a566fce5bb0115ed5e88ac4.png
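
One way to confirm the effect of the context.xml change is to inspect the Set-Cookie response header for JSESSIONID before and after the restart. The following is an added example, not part of the original article or of JasperReports Server; the function names and the sample header strings are constructed for illustration.

```javascript
// Added example: audit Set-Cookie headers for the flags on the session cookie.
// Function names and sample headers are hypothetical / constructed.

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const first = parts.shift() || '';
  const eq = first.indexOf('=');
  if (eq < 1) return null; // no cookie name: malformed header
  const attrs = {};
  for (const part of parts) {
    const i = part.indexOf('=');
    // Attribute names are case-insensitive, so normalise them.
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name: first.slice(0, eq).trim(), value: first.slice(eq + 1).trim(), attrs };
}

// Report, for each occurrence of the named cookie, whether page script can read it.
function auditSessionCookie(setCookieHeaders, cookieName = 'JSESSIONID') {
  const findings = [];
  for (const header of setCookieHeaders) {
    const c = parseSetCookie(header);
    if (!c || c.name !== cookieName) continue;
    const httpOnly = 'httponly' in c.attrs;
    findings.push({
      path: c.attrs.path || '(default)',
      httpOnly,
      secure: 'secure' in c.attrs,
      sameSite: typeof c.attrs.samesite === 'string' ? c.attrs.samesite : null,
      scriptReadable: !httpOnly, // visible through document.cookie
    });
  }
  return findings;
}

// Constructed samples: Tomcat default vs. after useHttpOnly="false".
const defaultHeaders = [
  'JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/jasperserver-pro; HttpOnly',
  'sampleCookie=1; Path=/jasperserver-pro',
];
const afterChange = ['JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/jasperserver-pro'];

console.log(auditSessionCookie(defaultHeaders));
console.log(auditSessionCookie(afterChange));
```

Feed it the Set-Cookie values seen in the browser's network panel for the login response; `scriptReadable: true` for JSESSIONID means the cookie is exposed to `document.cookie`.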

     


    Ref. Case 01457000


