26
votes

First of all, I've done some research before posting this question, so I know about the P3P Policy and the MSDN article about it. From what I understand, this policy mostly (if not only) applies to IE6. My specific problem is with IE9. Furthermore, the first thing I did was set up a policy (and it works, as it shows a summary in IE's privacy report).

My test case is as follows: I have a page that contains an iframe. The iframe document sets a session cookie (the complete HTTP header: Set-Cookie:sid=2b5540e0e4f27075ca4709851700137d; expires=Tue, 28-Jun-2011 07:27:41 GMT; path=/), for the current domain, on the root path, that expires in a week. No problems there, this has been running in production (standalone, not in an iframe) for some time now.

The problem is this: the iframe document has some javascript that does some HTTP requests first (done by jQuery), then redirects the user (by changing the document.location property). The requests do send the cookies, but the redirect doesn't.

I've captured the network events in IE, and the only difference between the two types of requests that I can find is the initiator: XHR is done by a JS library, the other by click. However, I really doubt that a click would not send the cookie.

I want to know why my cookies are not sent; the Google Analytics cookies are sent, so it should be possible.

UPDATE: It's definitely a privacy zone issue: when lowering the privacy bar setting in IE to all, it works. Every other setting fails.

I've created an exact test bed: This is the actual iframe that's being used. To test it, you have to fill in a Dutch postal code (sorry ;)), the placeholder being used is fine: 1234 AB and 1. After submitting you get a modal; when it's done you should be redirected to a result page. In IE, the redirect shows exactly the same page that you started with (because of not setting the cookie).

4
As you may know, IE9 has even stricter privacy. It may be one or two things in your policy that are causing the cookie to be blocked. Would it be possible to share the policy file code that you're using? – Mrchief
I had problems in all versions of IE recently until I sent the correct P3P headers. Same problem, wouldn't set a cookie in an iFrame. – Cfreak
@Mrchief I thought about that too, so I've tried different policies: first what I think is accurate for the site (used the webshop template in IBM's policy editor), but to test I also tried policies from other sites, where this works. – Peter Kruithof
Peter, did you come up with a solution for this issue? – Mario
Actually it is resolved now, although I'm not sure what solved it. Maybe it was IE's cache, which can be very persistent, or something I've changed myself, I can't say. It just worked a couple of days later. I'm bugged that I didn't find the actual cause, but I'm so glad it finally works. – Peter Kruithof

4 Answers

11
votes

Have you tried adding the P3P header? It is not as difficult as that article says.

For example in PHP just add this header in the top of the php file:

<?php
    header('p3p: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"');
?>

This exact problem but in a different context worked here: Facebook app works on all browsers but not IE8

4
votes

If anyone is trying to solve this for a .NET Application

Add a P3P header as Carlos mentioned

HttpContext.Response.AddHeader("p3p", "CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");

Edit: Even better, if you want to put this in Controller, simply add the following attribute

using System.Web;
using System.Web.Mvc;

public class IEP3PHeaderAttribute : FilterAttribute, IResultFilter
{
    public void OnResultExecuting(ResultExecutingContext filterContext)
    {
        // If the user is on an IE-based browser, add a P3P header unless one has already been added
        if (HttpContext.Current.Request.Browser.Browser.ToUpper().Contains("IE"))
        {
            if (HttpContext.Current.Response.Headers["p3p"] == null)
            {
                HttpContext.Current.Response.AddHeader("p3p", "CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");
            }
        }
    }

    // Nothing to do after the result has executed
    public void OnResultExecuted(ResultExecutedContext filterContext)
    {
    }
}

and then in your controller, e.g. HomeController

[IEP3PHeader]
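public class HomeController : Controller
{
    // Every action in this controller gets the P3P header from the attribute above
    public ActionResult DoSomething() { return View(); }
    public ActionResult DoSomethingElse() { return View(); }
}
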
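The two answers above both rely on sending a P3P compact-policy header with the response that sets the framed cookie. The following Node.js check is an added example, not code from the question or its answers: it flags responses that send Set-Cookie without a syntactically well-formed CP="..." value. The URLs and function names are hypothetical, and it checks token shape only, not whether a policy satisfies IE's privacy setting.

```javascript
// Added example: audit responses for the P3P compact policy discussed in the answers.
// Assumed token shape: three uppercase letters plus an optional a/i/o suffix.
const CP_TOKEN = /^[A-Z]{3}[aio]?$/;

// Extract the CP="..." tokens from a P3P header value; null when no CP part exists.
function parseCompactPolicy(value) {
  const m = /(?:^|[\s,])CP\s*=\s*"([^"]*)"/i.exec(value || "");
  return m ? m[1].trim().split(/\s+/).filter(Boolean) : null;
}

// Header names are case-insensitive ("p3p" in the answers, "P3P" elsewhere).
function getHeader(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Return one finding per response that sets a cookie without a usable compact policy.
function auditResponses(responses) {
  const findings = [];
  for (const { url, headers } of responses) {
    if (getHeader(headers, "set-cookie") === undefined) continue; // no cookie set
    const p3p = getHeader(headers, "p3p");
    if (p3p === undefined) { findings.push({ url, issue: "missing-p3p" }); continue; }
    const tokens = parseCompactPolicy(p3p);
    if (tokens === null || tokens.length === 0) {
      findings.push({ url, issue: "no-compact-policy" });
      continue;
    }
    const bad = tokens.filter(t => !CP_TOKEN.test(t));
    if (bad.length) findings.push({ url, issue: "malformed-token", tokens: bad });
  }
  return findings;
}

// Constructed sample responses (hypothetical URLs); the valid CP value mirrors the PHP answer.
const SAMPLE = [
  { url: "https://widget.example/iframe", headers: { "Set-Cookie": "sid=abc; path=/" } },
  { url: "https://widget.example/php", headers: { "Set-Cookie": "sid=abc; path=/",
      "p3p": 'CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"' } },
  { url: "https://widget.example/ref", headers: { "Set-Cookie": "sid=abc; path=/",
      "P3P": 'policyref="/w3c/p3p.xml"' } },
  { url: "https://widget.example/typo", headers: { "Set-Cookie": "sid=abc; path=/",
      "P3P": 'CP="NOI ADM DEVi TAIx"' } },
  { url: "https://widget.example/static.js", headers: { "Content-Type": "text/javascript" } },
];

console.log(auditResponses(SAMPLE));
```
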
0
votes

Is this about the sequence in which the cookies are generated - i.e. does the GA cookie exist before the iframe is loaded, but the session cookie set when it's loaded?

Where's the code?

"by changing the document.location property"

Are you assigning a value directly to the location object, or are you using location.replace() or location.href=...?

0
votes

Is this a correct reproduction of your test bed? http://www.coderun.com/ide/?w=EyTizeGw9kKgHjwNp3xiPw

I'm getting cookies back in IE9, what am I missing?