[thelist] P3P, third-party cookies, and iframes

Bill Moseley moseley at hank.org
Sun Mar 28 20:53:32 CDT 2010


I have partner site that wishes to embed my site inside an iframe.  The
problem is my site requires cookies (have to log into my site) and IE's
default setting does not allow third-party cookies.

As a result we have added session ids to all links and accept a session id
in the query parameters.  I'm not a fan of doing this for security reasons.
Too easy to copy-n-paste URLs or bookmark URLs with the session id that are
not valid very long[1].

Anyone have a solution for this?  That is, get IE to accept the third-party
cookies?

I've added P3P headers to my responses.  I've tried these two, which were
examples on sites about this issue:

CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"

But, IE still does not set or return the cookies.  If I set the privacy
setting to "Low" then cookies are allowed and the iframe'd site works.

I also tried adding the /w3c/p3p.xml to point to our privacy.xml page.  And
indeed when I click on "Summary" for the page in IE's Privacy Report IE will
fetch the two XML files and display the privacy summary.  (On that page I have
the default "Compare cookies' Privacy Policy to my settings" checked.)

My guess is my policy.xml file is not set up correctly to allow the cookies,
but on the other hand I don't see IE request those files unless that
"Summary" policy report is requested.  So, maybe it's just the P3P header
that isn't correct.

Anyone got this working?

BTW -- is an iframe the only solution to embed the site in a page with IE?
I know <object> works with other browsers.



[1] Another issue with this is we have had problems where users will have
multiple windows open resulting in different session ids -- then things like
javascript "Your session is about to time out!" timers can result in
invalidating a session id since they pass the session ID in the url,
resulting in logging the user out in the other window by replacing the
session id in the cookies.


-- 
Bill Moseley
moseley at hank.org

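The post's security concern is that the real session id travels in every link, so a copied or bookmarked URL (or a timer firing in a second window) can act on the session. The following is an added example, not code from the post or from hank.org, showing one way to keep the session id out of URLs while still letting the embedding page hand the user into the iframe: the partner link carries a short-lived, single-use handoff token, and the iframe's landing request exchanges it for the normal session cookie. The class and function names (`HandoffTokens`, `landing_response`), the `handoff` query parameter and the `sid` cookie name are all assumptions made for the example; the P3P value is one of the two compact policies quoted in the post and is included only to show where such a header would be emitted, not as a policy known to satisfy IE.

```python
import base64
import os
import time

# One of the compact policies quoted in the post. Whether IE accepts it is
# exactly the open question in the thread; it is an example value only.
P3P_HEADER = 'CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"'


class HandoffTokens:
    """Server-side store of short-lived, single-use handoff tokens.

    A token stands in for a session id in the embed URL. Because it is
    consumed on first use and expires quickly, a copied or bookmarked URL
    is useless after the first load, unlike a raw session id in the query
    string. (Hypothetical helper written for this example.)
    """

    def __init__(self, ttl_seconds=60, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock          # injectable for testing expiry
        self._pending = {}           # token -> (session_id, expires_at)

    def issue(self, session_id):
        # 24 random bytes -> 32 URL-safe characters, unguessable.
        token = base64.urlsafe_b64encode(os.urandom(24)).decode().rstrip("=")
        self._pending[token] = (session_id, self._clock() + self._ttl)
        return token

    def redeem(self, token):
        """Return the session id for a live token, consuming it; else None."""
        entry = self._pending.pop(token, None)   # pop: single use
        if entry is None:
            return None
        session_id, expires_at = entry
        if self._clock() > expires_at:
            return None
        return session_id


def embed_url(base_url, token):
    """URL the partner page puts in its iframe src (assumed 'handoff' param)."""
    return f"{base_url}?handoff={token}"


def landing_response(tokens, token, cookie_session=None):
    """Handle the iframe landing request.

    Returns (status, headers, session_id). If the browser already presents a
    session cookie (the second-window case from the post's footnote), that
    session is kept and the token is merely consumed, so a stale token never
    replaces a live cookie. cookie_session is assumed to have been validated
    by the normal session layer before this is called.
    """
    redeemed = tokens.redeem(token)
    headers = {"P3P": P3P_HEADER}
    if cookie_session is not None:
        return 200, headers, cookie_session
    if redeemed is None:
        return 403, headers, None
    # The session id is set only here, in a cookie, never echoed into links.
    headers["Set-Cookie"] = f"sid={redeemed}; Path=/; HttpOnly"
    return 200, headers, redeemed


if __name__ == "__main__":
    store = HandoffTokens()
    tok = store.issue("sess-abc")                      # constructed session id
    print(embed_url("https://example.test/embed", tok))
    print(landing_response(store, tok))                # first load: cookie set
    print(landing_response(store, tok))                # replay: 403
```

The handoff token should be issued by the site that owns the session (for example, on the request that renders the partner's embed link), bound to that session, and never reused; rotating it per embed load is what makes copied URLs harmless.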