IE10, iframe, p3p and coldfusion session/cookie issue
Recently, I got an increased reporting of some of my customers that they cannot log in to one of my application or receive errors with sessions not being set properly. Further investigation revealed that those customers embedded parts of my application in an iframe (a common practice to embed parts of another website into another one).
While using iframe is completely valid and common practice and also has no issues with browsers like Chrome, Firefox and Safari it threw an error with any Internet Explorer browser. From the many results in the search engines and from Microsoft’s own bug tracking tool, I can see that I’m not the only one with this issue. According to Microsoft this is not a bug but a feature:
“Internet Explorer 6 and above implement advanced cookie filtering that is based on the Platform for Privacy Preferences (P3P) specification. By default, Internet Explorer 6 blocks third-party cookies that do not have a compact policy (a condensed computer-readable privacy statement) or third-party cookies that have a compact policy which specifies that personally identifiable information is used without your implicit consent.”
In short, this means that you need to deploy a P3P policy within your application as noted in their tech note.
Now, you can go on and read that article and get confused (at least I did) or you can simply accept the solution by setting the P3P header in your application. Doing so is simply done with:
[code]response.addHeader("P3P","CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"");[/code]
or with Coldfusion:
[code]<cfheader name="P3P" value="CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"">[/code]
Hope this helps.