I have a web app meant to be loaded inside an iframe on different hosts (let's say served from myiframe.com). In order to maintain session I use a cookie named 'session' that is set when the iframe's content is requested the first time, with a domain of myiframe.com.
Now let's say that host A (a.com) loads the iframe and therefore a session cookie is set with domain myiframe.com. If you navigate to host B (b.com) then the same session cookie is used. What I want is that sessions are independent from each other, that you can have a session in A and a different one in B. I.e. that the cookie that is set when requested from A is not used when the app is requested from B.
I think I can use different cookie names depending on the host and then validate the session by matching the appropriate cookie with the host's information, but I was wondering if I could do it somehow using the 'set-cookie' header and the cookie's domain field.
BTW I have no control over hosts or how they add the iframe, although they all do it the exact same way.
Edit: The request used for getting the iframe content contains more than enough information for reliably identifying the host. That's not an issue.
You can not set cookies for “other” domains, so your content loaded from myiframe.com won’t be able to set a cookie for either a.com or b.com.
If you have a mechanism to determine where your content was embedded via iframe (the referrer would not really work for that, resp. is too unreliable), then you can use different session cookie names to get a different session “for” the iframed content running inside a.com and b.com.
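One way to implement the per-host cookie naming this answer describes, as an added example (not code from the original post): it assumes, as the asker states, that the embedding host is already reliably identified from the request, and it adds `SameSite=None; Secure`, which current browsers require before they will send a cookie to content loaded in a third-party iframe.

```python
import hashlib
from http.cookies import SimpleCookie
from typing import Optional

COOKIE_DOMAIN = "myiframe.com"  # the domain the iframe content is served from


def session_cookie_name(embedding_host: str) -> str:
    """Derive a distinct cookie name per embedding host (a.com, b.com, ...).

    Hashing keeps the name a valid RFC 6265 token whatever the host string
    contains, and normalises case so A.com and a.com share one cookie.
    """
    digest = hashlib.sha256(embedding_host.strip().lower().encode()).hexdigest()
    return f"session_{digest[:16]}"


def build_set_cookie(embedding_host: str, session_id: str) -> str:
    """Set-Cookie header value for the session belonging to one embedding host.

    The cookie is still scoped to myiframe.com (it cannot be set for a.com or
    b.com); SameSite=None and Secure let the browser send it when myiframe.com
    is loaded as a third-party iframe.
    """
    return (f"{session_cookie_name(embedding_host)}={session_id}; "
            f"Domain={COOKIE_DOMAIN}; Path=/; Secure; HttpOnly; SameSite=None")


def lookup_session(cookie_header: str, embedding_host: str, store: dict) -> Optional[dict]:
    """Pick the cookie belonging to this embedding host from the Cookie header
    and check that the stored session was created for that same host, so a
    session id copied into another host's cookie name is rejected."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(session_cookie_name(embedding_host))
    if morsel is None:
        return None
    session = store.get(morsel.value)
    if session is None or session["host"] != embedding_host:
        return None
    return session


if __name__ == "__main__":
    # Constructed sample: a server-side session store keyed by session id.
    store = {"sid-a": {"host": "a.com"}, "sid-b": {"host": "b.com"}}
    print(build_set_cookie("a.com", "sid-a"))
    both = f"{session_cookie_name('a.com')}=sid-a; {session_cookie_name('b.com')}=sid-b"
    print(lookup_session(both, "a.com", store), lookup_session(both, "b.com", store))
```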