Safari 3rd party cookie iframe trick no longer working?


Just wanted to leave a simple working solution here that does not require user interaction.

As I stated in a post I made:

Basically all you need to do is load your page on top.location, create the session and redirect it back to facebook.

Add this code at the top of your index.php and set $page_url to your application's final tab/app URL, and you'll see your application will work without any problem.

<?php
    // START SAFARI SESSION FIX
    session_start();
    $page_url = "http://www.facebook.com/pages/.../...?sk=app_...";
    if (isset($_GET["start_session"]))
        die(header("Location:" . $page_url));
    if (!isset($_GET["sid"]))
        die(header("Location:?sid=" . session_id()));
    $sid = session_id();
    if (empty($sid) || $_GET["sid"] != $sid):
?>
   <script>
        top.window.location="?start_session=true";
    </script>
<?php
    endif;
    // END SAFARI SESSION FIX
?>

Note: This was made for Facebook, but it would actually work in any other similar situation.


Edit 20-Dec-2012 - Maintaining Signed Request:

The above code does not maintain the request's POST data, and you would lose the signed_request. If your application relies on the signed request, feel free to try the following code:

Note: This is still being tested properly and may be less stable than the first version. Use at your own risk / Feedback is appreciated.

(Thanks to CBroe for pointing me in the right direction here, which allowed me to improve the solution)

// Start Session Fix
session_start();
$page_url = "http://www.facebook.com/pages/.../...?sk=app_...";
if (isset($_GET["start_session"]))
    die(header("Location:" . $page_url));
$sid = session_id();
if (!isset($_GET["sid"]))
{
    if(isset($_POST["signed_request"]))
       $_SESSION["signed_request"] = $_POST["signed_request"];
    die(header("Location:?sid=" . $sid));
}
if (empty($sid) || $_GET["sid"] != $sid)
    die('<script>top.window.location="?start_session=true";</script>');
// End Session Fix
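
The check in the snippets above only needs to learn whether the session cookie came back, so the value in the query string does not have to be the session ID itself, which otherwise ends up in browser history, access logs and Referer headers. An added example (not part of the original answer) that runs the same redirect flow with a random probe token kept in the session; it assumes PHP 7+ for random_bytes(), and the names `probe` and `cookie_probe` are made up for this example.

```php
<?php
// Added example, not the answer's code: same cookie round-trip test,
// but the URL carries a random probe token instead of session_id().
session_start();

// Placeholder for the application's tab URL, exactly as in the answer.
$page_url = "http://www.facebook.com/pages/.../...?sk=app_...";

// Top-level request: the session cookie has now been set as first party,
// so send the user back to the page that frames the application.
if (isset($_GET["start_session"])) {
    header("Location: " . $page_url);
    exit;
}

// Keep the POSTed signed_request across the probe redirect.
if (isset($_POST["signed_request"])) {
    $_SESSION["signed_request"] = $_POST["signed_request"];
}

if (!isset($_GET["probe"])) {
    // First framed request: remember a random token in the session
    // and bounce once with that token in the query string.
    // "cookie_probe" and "probe" are hypothetical names.
    $_SESSION["cookie_probe"] = bin2hex(random_bytes(16));
    header("Location: ?probe=" . $_SESSION["cookie_probe"]);
    exit;
}

// Second framed request: the token is only present in the session if the
// browser sent the session cookie back with this request.
$expected = $_SESSION["cookie_probe"] ?? "";
$supplied = is_string($_GET["probe"]) ? $_GET["probe"] : "";

if ($expected === "" || !hash_equals($expected, $supplied)) {
    // Cookie did not round-trip: restart the flow at top level.
    echo '<script>top.window.location="?start_session=true";</script>';
    exit;
}

// Cookie round-tripped; the application continues from here and can read
// $_SESSION["signed_request"] if one was posted.
```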


You said you were willing to have your users click a button before the content loads. My solution was to have a button open a new browser window. That window sets a cookie for my domain, refreshes the opener and then closes.

So your main script could look like:

<?php if(count($_COOKIE) > 0): ?>
<!--Main Content Stuff-->
<?php else: ?>
<a href="/safari_cookie_fix.php" target="_blank">Click here to load content</a>
<?php endif ?>

Then safari_cookie_fix.php looks like:

<?php
setcookie("safari_test", "1");
?>
<html>
    <head>
        <title>Safari Fix</title>
        <script type="text/javascript" src="/libraries/prototype.min.js"></script>
    </head>
    <body>
    <script type="text/javascript">
    document.observe('dom:loaded', function(){
        window.opener.location.reload();
        window.close();
    })
    </script>
    This window should close automatically
    </body>
</html>


I tricked Safari with a .htaccess:

#http://www.w3.org/P3P/validator.html
<IfModule mod_headers.c>
Header set P3P "policyref=\"/w3c/p3p.xml\", CP=\"NOI DSP COR NID CUR ADM DEV OUR BUS\""
Header set Set-Cookie "test_cookie=1"
</IfModule>

And it stopped working for me too. All my apps are losing the session in Safari and are redirecting out of Facebook. As I'm in a hurry to fix those apps, I'm currently searching for a solution. I'll keep you posted.

Edit (2012-04-06): Apparently Apple "fixed" it with 5.1.4. I'm sure this is the reaction to the Google-thing: "An issue existed in the enforcement of its cookie policy. Third-party websites could set cookies if the "Block Cookies" preference in Safari was set to the default setting of "From third parties and advertisers"." http://support.apple.com/kb/HT5190