Comment to 'Adding custom php pages to UNA'
  • Hi, mrochek,

    You said, "I have tried to read the $_COOKIE['memberID'] cookie as a test, but it does not seem to be accessible from the iframe." Is the document src for the iframe rooted in your Una website? In other words, is the iframe src something like:

    src="https://{your.una.domain}/some/path/to/some-document.php"

    or 

    src="relative_path/to/some-document.php"

    If YES, then try the sandbox > allow-same-origin attribute in the iframe, like so:

    sandbox="allow-same-origin"

    You can string other sandbox attributes together with a space, to allow even more access from the iframe, e.g.:

    sandbox="allow-same-origin allow-scripts"

    Then from the iframe'd document, try window.parent.document.cookie to set or get non-HTTPOnly cookies. 

    ASIDE: Are those cookies HTTPOnly? If so, this may be the problem. I am not that far along in my UNA build process to know. Is the domain you are accessing a subdomain? That could be a problem, too (different "origin"), depending on how the subdomain is set up.

    Otherwise, if NO or the cookies you wish the iframe'd document to access are HTTPOnly cookies, then that sandbox attribute will not help. You are not meant to be able to check cookies from the framed website in the parent document, nor parent cookies from the iframe'd website, if either of these situations applies. Possible solutions for the not-same-origin situation include the following.

    I apologize, but I am not clear what you are pulling into your iframe—the header or footer files from your same site (and not a subdomain)? If so, I believe the above sandbox should work. Otherwise, see also other potential fixes, below.

    If you control the site with the other document that does not have the same origin (i.e., another domain, including a subdomain of your una site), then:

    1) you can put the following in the php headers of the pages or scripts you wish to access from your una site:

    header("Access-Control-Allow-Origin: https://your.una.domain");

    OR 

    2) inside your .htaccess file of the other site, add this line:

    Header set Access-Control-Allow-Origin https://your.una.domain

    I don't think I would do both. Test one or the other.

    More Troubleshooting. If you control the site with the other document, or if you are still having problems: you might test an XMLHttpRequest to the domain of the other page, whereby a CORS "cross-origin request," Origin: https://your.una.domain header will be sent to the server. The server will respond if authentication is needed, if the request is denied, or if you're all clear. It might send back an Access-Control-Allow-Origin:* which means your site (or any site) can access the called script or page, or it may specify your una site domain explicitly. (I'm not positive if this, alone, will help the other page read your una site domain cookies.) Take a look at the return headers in your browser's developer/web inspector app; this will tell you how the contacted server considers your request.

    Continuing that line of troubleshooting, do the reverse (XMLHttpRequest) from the other page to your una site domain page, for example, and see what your site is sending in the way of headers to the framed page. It may be your una site is the one that needs to implement (1) or (2) above to allow the iframe'd site access to your domain.

    HTH
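
Added example, not part of the comment above: a small JavaScript model of the browser rules that decide whether script in a framed document can read a cookie through `window.parent.document.cookie`. The function names and the `una.example` hostnames are constructed for illustration, and the cookie is assumed to already be in scope (Domain/Path) for the parent page.

```javascript
// Added example: models browser rules only; all URLs below are constructed.
function parseSandbox(attr) {
  // null/undefined means the iframe carries no sandbox attribute at all.
  if (attr === null || attr === undefined) return null;
  return new Set(attr.trim().split(/\s+/).filter(Boolean));
}

function canReadParentCookie({ parentUrl, iframeSrc, sandbox, httpOnly }) {
  const tokens = parseSandbox(sandbox);
  const parentOrigin = new URL(parentUrl).origin; // scheme + host + port
  // A relative src resolves against the parent page, so it is same-origin.
  const frameOrigin = new URL(iframeSrc, parentUrl).origin;

  if (tokens && !tokens.has("allow-scripts")) {
    return { allowed: false, reason: "sandbox blocks script execution" };
  }
  if (tokens && !tokens.has("allow-same-origin")) {
    return { allowed: false, reason: "sandbox forces an opaque origin" };
  }
  if (frameOrigin !== parentOrigin) {
    return { allowed: false, reason: "cross-origin frame" };
  }
  if (httpOnly) {
    return { allowed: false, reason: "HttpOnly cookie is hidden from script" };
  }
  return { allowed: true, reason: "same origin, scripts on, cookie readable" };
}

const PARENT = "https://una.example/page/view"; // constructed sample page
const SAMPLE_CASES = [
  { iframeSrc: "relative_path/to/some-document.php", sandbox: "allow-same-origin", httpOnly: false },
  { iframeSrc: "relative_path/to/some-document.php", sandbox: "allow-same-origin allow-scripts", httpOnly: false },
  { iframeSrc: "https://una.example/some-document.php", sandbox: "allow-same-origin allow-scripts", httpOnly: true },
  { iframeSrc: "https://sub.una.example/some-document.php", sandbox: null, httpOnly: false },
];

for (const c of SAMPLE_CASES) {
  const result = canReadParentCookie({ parentUrl: PARENT, ...c });
  console.log(JSON.stringify(c.sandbox), c.iframeSrc, "->", result.allowed, "(" + result.reason + ")");
}
```

Granting both `allow-scripts` and `allow-same-origin` to a same-origin document lets that document remove the sandbox attribute from its own frame, so the pair provides no isolation and should be reserved for content you fully trust.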