Session lost in Iframe

Challenge:

I have a page, Parent.aspx, hosted on the parent domain, say http://www.parent.com/parent.aspx, and it embeds a child page, ChildPage.aspx, in an IFRAME from a different domain, say http://www.child.com/childpage.aspx. If ChildPage.aspx uses session state, the session does not survive: the browser drops the child site's session cookie, so every framed request starts a fresh, empty session.
Why? Here is what Microsoft says (KB 323752, linked under References):
SYMPTOMS
If you implement a FRAMESET whose FRAMEs point to other Web sites on the networks of your partners or inside your network, but you use different top-level domain names, you may notice in Internet Explorer 6 that any cookies you try to set in those FRAMEs appear to be lost. This is most frequently experienced as a loss of session state in an Active Server Pages (ASP) or ASP.NET Web application. You try to access a variable in the Session object that you expect to exist, and a blank string is returned instead.
You also see this problem in a FRAMEs context if your Web pages alternate between the use of Domain Name System (DNS) names and the use of Internet Protocol (IP) addresses.
CAUSE
Internet Explorer 6 introduced support for the Platform for Privacy Preferences (P3P) Project. The P3P standard notes that if a FRAMESET or a parent window references another site inside a FRAME or inside a child window, the child site is considered third party content. Internet Explorer, which uses the default privacy setting of Medium, silently rejects cookies sent from third party sites.

Solution:

You can add a P3P compact policy header to your child content, and you can declare that no malicious actions are performed with the data of the user. If Internet Explorer detects a satisfactory policy, then Internet Explorer permits the cookie to be set.
Visit the following MSDN Web site for a complete list of satisfactory and unsatisfactory policy codes:
Privacy in Internet Explorer 6
http://msdn.microsoft.com/workshop/security/privacy/overview/privacyie6.asp
A simple compact policy that fulfills this criteria follows:
P3P: CP="CAO PSA OUR"
This code sample shows that your site provides you access to your own contact information (CAO), that any analyzed data is only “pseudo-analyzed”, which means that the data is connected to your online persona and not to your physical identity (PSA), and that your data is not supplied to any outside agencies for those agencies to use (OUR).
Now let's look at how to fix it. There are several ways. Two things to keep in mind with all of them: the P3P header is honored only by Internet Explorer, and the browser never verifies it. The compact policy is your declaration of what the site does with the user's data, so the codes you send must describe your actual practice (and match your full P3P policy file, if you publish one).
1. Using server-side code:
In classic ASP you set the header with Response.AddHeader; in ASP.NET the documented method is Response.AppendHeader (AddHeader still works there and is kept for ASP compatibility).
Source : http://petesbloggerama.blogspot.com/2007/08/aspnet-loss-of-session-cookies-with.html
An easy fix is to add the header in Global.asax:
[sourcecode language="csharp"]
// Global.asax: Application_BeginRequest runs for every request handled by
// ASP.NET, so every response from the child site carries the compact policy
// before any Set-Cookie header.
protected void Application_BeginRequest(object sender, EventArgs e)
{
    HttpContext.Current.Response.AddHeader("P3P", "CP=\"CAO PSA OUR\"");
}
[/sourcecode]
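A fuller version of the Global.asax approach, added here as an example (it is not code from this post or from Pete's blog). It assumes the child application is a Global.asax.cs class named Global, runs on .NET Framework 4.7.2 or later (needed for HttpCookie.SameSite), and is served over HTTPS. Besides the P3P header for IE, it handles the case the IE-only fix does not cover: current browsers ignore P3P and default cookies to SameSite=Lax, which blocks a cookie set from inside a cross-site iframe unless the cookie is marked SameSite=None; Secure.

```csharp
// Global.asax.cs for the child application (www.child.com in the post).
// Added example, not the post's code. Assumes .NET Framework 4.7.2+ and HTTPS.
using System;
using System.Web;

public class Global : HttpApplication
{
    // Compact policy from the post. IE does not verify it; it is your statement
    // about what the site does with user data, so only send codes that are true.
    private const string CompactPolicy = "CP=\"CAO PSA OUR\"";

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        // IE 6+ at the default Medium privacy level rejects a third-party cookie
        // unless the response carries a satisfactory compact policy. Sending it
        // on every response guarantees it is present whenever a cookie is set.
        Response.AppendHeader("P3P", CompactPolicy);
    }

    protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
    {
        // Browsers that ignore P3P treat a cookie without a SameSite attribute as
        // Lax and will not send it with requests made from a cross-site iframe.
        // The cookie must be SameSite=None, and None is only accepted together
        // with Secure, which in turn is only honored over HTTPS.
        if (!Request.IsSecureConnection)
        {
            return; // plain HTTP: a framed session cookie cannot be made to work
        }

        // This runs just before the headers go out, so the ASP.NET_SessionId
        // cookie added by the session state module is already in the collection.
        HttpCookieCollection cookies = Response.Cookies;
        foreach (string name in cookies.AllKeys)
        {
            HttpCookie cookie = cookies[name];
            cookie.SameSite = SameSiteMode.None;
            cookie.Secure = true;
        }
    }
}
```

On .NET Framework 4.7.2 and later the session cookie alone can also be configured declaratively with `<sessionState cookieSameSite="None" />` in web.config, with `<httpCookies requireSSL="true" />` to force Secure. Note that clients which predate SameSite=None (Safari on iOS 12 and macOS 10.14 are the well-known ones) interpret None as Strict, so production code usually checks the User-Agent before emitting it.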
2. Using the IIS Management Snap-in (inetmgr) to add the header to a static file or directory:
Follow these steps to add the header to a static file. (On IIS 7 and later the same header can be set in web.config under system.webServer/httpProtocol/customHeaders.)

  1. Click Start, click Run, and then type inetmgr.
  2. In the left navigation pane, click the file or directory in your Web site to which you want to add the header, right-click it, and then click Properties.
  3. Click the HTTP Headers tab.
  4. In the Custom HTTP Headers group box, click Add.
  5. Type P3P for the header name, and then for the compact policy string type CP=..., where "..." is the appropriate code for your compact policy.

Alternatively, Internet Explorer users can change their own privacy settings so that they are prompted before accepting third-party cookies. This is a per-user workaround, not something the child site can rely on. The following steps show how to modify the privacy settings:

  1. Run Internet Explorer.
  2. Click Tools, and then click Internet Options.
  3. Click the Privacy tab, and then click Advanced.
  4. Click to select the Override automatic cookie handling check box.
  5. To allow ASP and ASP.NET session cookies to be set, click to select the Always allow session cookies check box.
  6. To receive a prompt for any type of third party cookie, click Prompt in the Third-party Cookies list.

3. Use IBM's P3P Editor (http://www.alphaworks.ibm.com/tech/p3peditor/) to author a full P3P policy and its compact form. For more information, see these articles:
http://everydayopenslikeaflower.blogspot.com/2009/08/how-to-create-p3p-policy-and-implement.html
http://www.knowledgegenes.com/home.aspx?kgid=9103&nid=52

References

http://support.microsoft.com/kb/323752/en-us
http://petesbloggerama.blogspot.com/2007/08/aspnet-loss-of-session-cookies-with.html
http://forum.developers.facebook.com/viewtopic.php?pid=204805 — Good Thread to Read
Happy IFraming! 🙂

11 Comments

  • Kiran,
    We have this problem, and have read through literally hundreds of sites and thousands of “solutions”, only to be met with this seemingly unsolvable problem. Though our content is coming from a Java server (Tomcat), it doesn’t really matter, because it is what IE sees rather than how it is generated, correct?
    We have an acceptable P3P compact policy header, and a matching and W3C compliant p3p.xml reference file. We issue the P3P header prior to the cookie. None of the P3P compact policy codes listed on the MSDN site are contained within our P3P policy. To complicate matters, we have another server issuing the exact same P3P header and tracking cookies, but IE DOES NOT reject cookies from this site, leading us to be relatively certain our P3P Compact Policy is, in fact, acceptable.
    We have done absolutely everything anyone and everyone on the internet says to do to solve the problem, but it absolutely refuses to comply. This is failing us, as expected, in IE6 and above.
    Clearly the answer is not ONLY to include a P3P compact policy header. We include the P3P header in every piece of content delivered from the site. We are a SaaS provider, and so our clients choose how to embed our site within theirs. Therefore, we don't have a choice to change how the content is delivered.
    This has become a “need urgent help” issue, and I’m reaching out to you to help us solve this problem.
    Thank You,
    Joseph Morgan
    Director of Technology and Operations
    Ignite Sales, Inc.

  • Thanks for this information. This solved a problem that I was having with sub sites.

  • I have a similar problem for Chrome and Firefox. There is no problem in IE.

  • Hi, I really had it with this one; added logging and stepped through everything and still nothing until this site. Thank you very much for bringing it to the point; it really helped me a lot.
    Ian

  • Thanks a whole hell of a lot. This fixed a problem with running our web application through an iFrame.
