Embedding an app into another app via Iframe requires cookies to be enabled

I embedded a Mendix application into another application and cannot see this application without having cookies enabled. However, I also want users who do not have them enabled to see the application. I have added the HTTP header X-Frame-Options with my other application URL and changed the custom runtime setting com.mendix.core.SameSiteCookies to None. I am using Mendix 10. Does anyone have an idea?
2 answers

Hi Lara,

To allow users to view the Mendix application even when cookies are disabled, you need to handle cookie management properly.

  1. Configure X-Frame-Options Header:

    • Set the X-Frame-Options header to allow embedding the Mendix application in another application.
    • Use the value ALLOW-FROM <your_other_application_url> to specify the allowed origin (your other application's URL).
    • This will allow the Mendix application to be embedded in your other application's iframe.
  2. Adjust SameSite Cookies Setting:

    • In Mendix Runtime settings, set the custom setting com.mendix.core.SameSiteCookies to None.
    • This change will allow the Mendix application to set cookies without any restrictions.
  3. Cookie Handling in Browsers:

    • Note that some browsers may have stricter cookie policies, and the SameSite attribute may be set to Lax by default.
    • If you set the SameSite attribute to None, the browser may still require the Secure attribute to be set on the cookie. Ensure that your application is being served over HTTPS.
  4. Testing Without Cookies Enabled:

    • After making the changes, test the application with cookies disabled to verify that it functions correctly without any issues.
  5. Security Considerations:

    • Be aware that relaxing the SameSite attribute to None could potentially expose your application to cross-site request forgery (CSRF) attacks. Ensure you have appropriate security measures in place to prevent such attacks.
  6. Consider Other Embedding Options:

    • If cookie settings continue to cause issues, consider alternative embedding methods, such as CORS (Cross-Origin Resource Sharing) or direct API integration.
  7. Testing in Multiple Browsers:

    • Test the embedded Mendix application in multiple browsers to ensure consistent behavior across different environments.
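
To check steps 1 to 3 of the answer above against what the server actually sends, this added example (not code from the thread or from Mendix) audits a response's headers for the cross-site iframe case. The function names, finding codes and sample header values are constructed for illustration.

```javascript
function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(";").map((s) => s.trim());
  const flags = {};
  for (const attr of attrs) {
    const [key, val = ""] = attr.split("=");
    flags[key.trim().toLowerCase()] = val.trim().toLowerCase();
  }
  // sameSite is null when the attribute is absent from the cookie.
  return { name: pair.split("=")[0], sameSite: flags.samesite ?? null, secure: "secure" in flags };
}

// headers: array of [name, value] pairs taken from the embedded app's response.
function auditEmbedHeaders(headers) {
  const findings = [];
  for (const [rawName, value] of headers) {
    const name = rawName.toLowerCase();
    if (name === "set-cookie") {
      const c = parseSetCookie(value);
      if (c.sameSite === null) {
        // Browsers that default to Lax withhold it in a cross-site iframe.
        findings.push({ code: "SAMESITE_MISSING", subject: c.name });
      } else if (c.sameSite !== "none") {
        // Lax and Strict cookies are not sent on cross-site iframe requests.
        findings.push({ code: "SAMESITE_BLOCKS_IFRAME", subject: c.name });
      } else if (!c.secure) {
        // SameSite=None is rejected without Secure, which needs HTTPS.
        findings.push({ code: "NONE_WITHOUT_SECURE", subject: c.name });
      }
    } else if (name === "x-frame-options") {
      const v = value.trim().toUpperCase();
      if (v === "DENY" || v === "SAMEORIGIN") {
        findings.push({ code: "XFO_BLOCKS_FRAMING", subject: v });
      } else if (v.startsWith("ALLOW-FROM")) {
        // Current browsers ignore ALLOW-FROM; CSP frame-ancestors replaces it.
        findings.push({ code: "XFO_ALLOW_FROM_IGNORED", subject: v });
      }
    }
  }
  return findings;
}

// Constructed sample response headers (cookie names and origin are made up).
const sampleHeaders = [
  ["Set-Cookie", "sid_a=abc123; Path=/; HttpOnly; SameSite=None"],
  ["Set-Cookie", "sid_b=def456; Path=/; Secure; HttpOnly; SameSite=None"],
  ["Set-Cookie", "prefs=x; Path=/"],
  ["X-Frame-Options", "ALLOW-FROM https://portal.example"],
];
console.log(auditEmbedHeaders(sampleHeaders));
```

The header pairs can be copied from the browser's network panel for the iframe request; an empty result means none of these header-level problems was found.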

Hi Bharathidasan S,

thanks for your detailed answer. Can you give me a hint about how I can implement step 3?
Do you think it could work like this?


And how can I ensure that my application is served over https?


Thanks a lot,