Internet Explorer IFRAME P3P Cookies
Development has been continuing over at the Debbie Stevens Wellbeing website. Before the system was hosted in its own domain that looked like the main site created by Mistore in Brighton. This was not the best way to go but the fastest to get the system online. And finally we moved the booking system into the main site by calling the booking pages through <iframe> HTML structures.
All was fine except that in Internet Explorer the system would not work. Where Firefox, Chrome and Safari were happy to display the event, venue and booking pages IE simply displayed an error page. The cause was the session data being sent from one page to the next was being lost. For some reason the session data cookies were being blocked by Internet Explorer.
Internet Explorer IFRAME cookies
By default Internet Explorer rejects cookies created in framesets or <iframe> because it treats them as non-trusted “third-party” artifacts. You can see this happening in IE with the Privacy Eye icon appearing in the status bar at the bottom of the browser. Or you can find it in Explorer 9 and above by clicking Tools->Safety->Webpage Privacy Policy.
Clicking on the settings button will reveal that like most users your Internet Explorer is set to a medium level of trust.
Platform for Privacy Preferences
From Internet Explorer 6 onwards support was added for the Platform for Privacy Preferences (P3P) project. This project is designed to let websites express their privacy policies in machine and user readable form. It means that browsers can decide if the site being visited is friendly or not. Site owners use P3P to express their privacy policies and publicly declare how information collected during the web session will be used. Development began in 2002 and ceased in 2006 due to criticisms and lack of support.
Microsoft is the only major vendor to have implemented the full P3P specification into its browser.
Handling P3P in ASP.NET MVC 3 applications
The easiest way to get sessions cookies through the Internet Explorer iframe cookie hoop is to add a compact policy header to your pages. Code like the following can be added to Global.asax:
protected void Application_BeginRequest(object sender, EventArgs e)
{
HttpContext.Current.Response.AddHeader("p3p", "CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD
IVAi IVDi CONi HIS OUR IND CNT\"");
}
This simple policy that fulfils the criteria needed to get the session and other variables through P3P checking. For the full explanation of what you are saying in this compact header read Microsoft’s explanation of their implementation in Internet Explorer.
The Legal Implications
The code above is a quick fix and is provided for information only. It is important to note that the P3P policy could have legal implications for your site. DO NOT just slap the above code into place before thinking about what your site’s privacy policy actually is. The following links are useful in this respect.
- W3C Privacy Tutorial lists 6 easy steps to create your privacy policy
- This Stackoverflow.com article discusses a similar problem to the one above and it’s solution
The post MVC 3 Session Data and Internet Explorer P3P IFRAME Cookies appeared first on Quickstep IT.