Frames, ASPX Pages and Rejected Cookies

Posted on June 26, 2006  |  

Posted in Development

28 comments

If an ASP.NET page is embedded in a frameset or an <iframe> on another site, strange things happen to cookies. By default, Internet Explorer rejects them because, from the browser's point of view, a framed page from a different domain is a non-trusted "third-party" source. For example, if you try to issue an authentication cookie within a "framed" page, your login will keep running in circles: the Set-Cookie is discarded, the next request arrives without the ticket, and the user lands on the login page again.

Sauron Doesn’t Trust You By Default

In fact, you must’ve seen this before: the Eye of Sauron in the Internet Explorer status bar (lower right corner in the image below). If you click it, you arrive at this Privacy Report dialog:

Internet Explorer privacy report

If you further click "Settings…", you get an "Internet Properties" dialog box. Note that this is happening at the Medium privacy level, which is what most users will have by default. As somebody put it, if you're paranoid enough to set this slider to High, you need to be using a different browser.

Internet Properties dialog box

Searching for a solution to this problem, I came across this snippet of wisdom at the ASP.NET Forums:

Q: I have a frameset page which has an HTM extension, and I found out that each frame it contains displays a different session ID on the first request. Why?

A: The reason is that your frameset page is an HTM file instead of an ASPX file.

In the normal case, if the frameset is an ASPX file, when you request the page, it will first send the request to the web server, receive an ASP.NET session cookie (which holds the session ID), and then the browser will send individual requests for the frames, and each request will carry the same session ID.

However, since your frameset page is an HTM file, the first request comes back without any session cookie because the page was serviced by ASP and not ASP.NET. Then again your browser sends out individual requests for each frame. But this time each individual request will NOT carry any session ID, and so each individual frame will create its own new session.

That's why you will see different session IDs in each frame. The last request that comes back will win by overwriting the cookie written by the previous two requests. If you do a refresh, you will see them having the same session ID.

This behaviour is by design, and the simple solution is to change your frameset page to .aspx.

The explanation makes sense, but note that it describes a different problem: a frameset on your own site whose frames race to create a session before the first cookie has come back, which a refresh cures. The solution doesn't help with the case that bites here. Rarely would you <iframe> your own site. Most likely, you won't be able to control who frames you, and won't be able to insist that they convert their calling pages to ASP.NET.

P3P To The Rescue

Just when I was ready to give up, a SalesForce consultant directed me to a Knowledge Base article (of sorts) which suggests a legitimate workaround. The article talks about the Platform for Privacy Preferences Project (P3P), a W3C brainchild.

In a nutshell, to be trusted, you need to publish a privacy policy (an XML file, of course) in which you state what kind of information you collect about online visitors and whether you pass it on to all kinds of low-life peddlers. I think the only reason P3P has a place under the sun is that few people know about it (including myself) and even fewer take it seriously. There are enough privacy policy generators but no mechanism to police whether you adhere to the stated practices: the browser takes your declaration on faith. This is not to say that we, obedient netizens, have a moral right to abuse it, but you know how it goes in the real world.

Compact Policies

Instead of creating and uploading a full privacy policy to your site, you can serve a "compact policy": a P3P HTTP response header whose value is CP= followed by a double-quoted list of three-letter tokens, e.g. CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT". A policy generator can produce one for you instead of (or alongside) the XML file. In ASP.NET it's a one-liner that you can put into your page base class or master page:

// The CP value must be a single string literal; a C# string cannot span lines.
HttpContext.Current.Response.AddHeader (
   "p3p",
   "CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");

Just make sure to add this line early in the page life cycle (Page_Init or earlier, before anything is written to the response). If your code redirects or throws an exception before the line runs, the P3P header will be missing from that response, and the login page, where the authentication cookie is issued and a redirect usually follows, is precisely the page that must send it. As an alternative, you can get IIS to send this header at all times, but in that case the header will appear on everything: images, stylesheets, JavaScript files, etc. Those files don't set cookies and don't need it. Bear in mind, too, that the compact policy is a self-declaration that Internet Explorer accepts at face value; it does not relax any other cookie rule, and browsers other than IE ignore the header entirely.
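The following is an added example, not code from the original post: an IHttpModule that emits the compact policy on every ASP.NET-handled response at the very start of the request, so a page that redirects or throws early still sends it and static files served by IIS do not, together with a validator for the CP string that catches the usual typos (single quotes, a missing CP=, lower-case or misspelled tokens). The type name P3PHeaderModule and the Validate method are assumptions of this example; the token list is transcribed from the compact-policy section of the P3P 1.0 specification.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;

// Added example (not from the original post). P3PHeaderModule is a
// hypothetical name. Register it in web.config:
//
//   <system.web>
//     <httpModules>
//       <add name="P3PHeader" type="P3PHeaderModule" />
//     </httpModules>
//   </system.web>
//
// On IIS 7 in integrated mode, put the same <add> under
// <system.webServer><modules> with preCondition="managedHandler" so that
// static files IIS serves itself do not pass through the module.
public class P3PHeaderModule : IHttpModule
{
    // The compact policy from the post. Generate your own from your real
    // privacy policy; the browser takes these tokens on faith.
    private const string CompactPolicy =
        "CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"";

    // Compact-policy vocabulary transcribed from P3P 1.0, section 4
    // (compact policies). Tokens in SuffixTokens (purposes other than CUR,
    // recipients other than OUR) may carry an a/i/o suffix meaning
    // always / opt-in / opt-out.
    private static readonly string[] BareTokens = {
        "NOI", "ALL", "CAO", "IDC", "OTI", "NON",                 // access
        "DSP",                                                    // disputes
        "COR", "MON", "LAW",                                      // remedies
        "NID",                                                    // non-identifiable
        "CUR",                                                    // purpose: current
        "OUR",                                                    // recipient: ourselves
        "NOR", "STP", "LEG", "BUS", "IND",                        // retention
        "PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT",   // categories
        "DEM", "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC",
        "TST"                                                     // test policy
    };
    private static readonly string[] SuffixTokens = {
        "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP",
        "DEL", "SAM", "UNR", "PUB", "OTR"
    };
    private static readonly Regex Wrapper = new Regex(@"^CP=""([^""]+)""$");

    // Returns null when the value is a syntactically valid compact policy,
    // otherwise a description of the first problem found. This catches the
    // mistakes seen in the wild (single quotes, missing CP=, lower-case or
    // misspelled tokens). It says nothing about whether IE will *accept*
    // the policy; that depends on the user's privacy level and the tokens.
    public static string Validate(string headerValue)
    {
        Match m = Wrapper.Match(headerValue.Trim());
        if (!m.Success)
            return "value must look like CP=\"TOKEN TOKEN ...\" with double quotes";

        string[] tokens = m.Groups[1].Value.Split(
            new char[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);
        foreach (string token in tokens)
        {
            if (Array.IndexOf(BareTokens, token) >= 0)
                continue;
            string stem = token;
            if (token.Length == 4 && "aio".IndexOf(token[3]) >= 0)
                stem = token.Substring(0, 3);
            if (Array.IndexOf(SuffixTokens, stem) >= 0)
                continue;
            return "unknown compact policy token: " + token;
        }
        return null;
    }

    public void Init(HttpApplication app)
    {
        // Fail at application start rather than silently serving a header
        // that IE will ignore.
        string problem = Validate(CompactPolicy);
        if (problem != null)
            throw new InvalidOperationException("Bad P3P compact policy: " + problem);

        // BeginRequest fires before any page code runs, so the header is on
        // the response before a page can Response.Redirect() or throw.
        app.BeginRequest += delegate(object sender, EventArgs e)
        {
            HttpApplication application = (HttpApplication)sender;
            application.Context.Response.AppendHeader("P3P", CompactPolicy);
        };
    }

    public void Dispose()
    {
    }
}
```

Because the module runs for every managed request, the login page is covered without any per-page code, which is the case the comments below keep tripping over. Validate("CP='IDC DSP'") returns the double-quote message, Validate("CP=\"IDC DSP XYZ\"") reports XYZ, and the policy string from the post validates cleanly.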

If you want to get into the nitty-gritty of P3P privacy policies, O'Reilly has a primer for you. If you want to ensure nobody frames your pages, there's a simple JavaScript trick to address this; bear in mind that script-based frame busting can be defeated by the framing page, so treat it as a convenience rather than a security boundary.

28 comments

Robert Giordano
on July 12, 2006

Well I just spent all night trying to figure out how to get cookies to work in an iframe, using IE6. I want people to be able to use certain pages of my site inside an iframe on their site. So I tried everything, created a policy, uploaded all of the files, added the compact policy header to the pages that are made for the iframe and it still didn't work. I was really getting frustrated! (btw I'm doing this in PHP, not ASPX)

Then I figured it out! First, the login page where the cookies are created ALSO needs to have the compact policy header. Second, you must DELETE the OLD cookies and recreate them with the new login page. I'm guessing that IE6 stores policy info somewhere when it stores the cookie and if it isn't there to begin with, the cookie is useless. Anyway, it all seems to work now. Yay.


Milan Negovan
on July 24, 2006

The login page is where it bit me, too. If the login page doesn't have a policy, none of this works.


Daniel
on September 28, 2006

This was very helpful, thanks. This is how to do it in PHP:

header('P3P:CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"');


Kim
on November 18, 2006

Hi.
I have the same problem as you do. But how do I implement header('P3P:CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"'); in my PHP script?

Where in the script does it go? and is there any code around it?

Also, if the site I want to implement has to run on .asp,
can I use the same code there?


Milan Negovan
on November 20, 2006

Kim, see ASP AddHeader Method.


Andrea Edwards
on December 13, 2006

Thanks for your article. I was having exactly this problem with a login page inside an iframe going around in circles. I added the header and it works fine. Many thanks


Alexander Cabezas
on January 6, 2007

I have the same problem with an application in PHP. I've read all kinds of articles and tried many solutions like the P3P policy, but it doesn't work with IE yet. Where must I place this code
header('P3P:CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"');
before or after session_start()? Something like this?
header(...);
session_start();
?>
or
session_start();
header(...);
?>


Matthew
on August 1, 2007

I have pretty much the same problem as above... I have a page with an iframe in it that leads to another page on a different domain with a shopping cart in it. It needs cookies enabled and IE7 defaults to not allowing them.

I have access to both domains so I was wondering exactly where in either of the page I put what code.

Document A contains an iframe with document B in it. Doc A is a standard HTML page and Doc B is a PHP page. I have enclosed a link to page A.

I'd be very grateful if anyone can give me exact instructions on where exactly to paste the above code and into which document. Main A or iframe B?

Many thanks


Vinod
on February 20, 2008

I am also having the same problem.

On one page on domain abc.com there is an iframe, and the source of this frame calls abc1.com. The page on abc1.com redirects to another page on another domain, abc3.com, which requires cookies.

I have already used the code given above. But nothing has worked so far.

Please help me out to resolve this issue.


sahi
on November 10, 2008

Thank you for the p3p compact policy header code snippet. I added it to my base page and my virtual directory which is framed inside a target site works well while adding cookies. I was considering the workaround of setting the config file entry, for making my code work, but adding this header resolved the problem!!!


Sue
on January 2, 2009

I followed the instructions at the link below to set up a custom HTTP header in IIS and that solved the problem. Hope this helps.

http://www.prezzatech.com/kb/articles/kb-1025-ultimate_survey_software_iis_p3p_compact_header_policy.asp


Sean
on March 12, 2009

Fantastic, you're a life saver. This problem has been driving me mad.


frank
on March 30, 2009

Thank you so much. This is so important to know and it saved me a lot of headache.


Alex
on April 6, 2009

Thank you very much. I spent all the day with this issue, and it worked fine!


Neeraj
on April 21, 2009

That was a life saver!! It's really unbelievable that IE tries to be so secure and then accepts such a simple workaround!


Maged A. Reda
on May 21, 2009

Damn, this post solved a huge problem for me. I have been pushing myself around for more than 3 hours till I found that the issue is not in my page.

To make a long story short for ASP.NET developers, just put the following code inside the Page.Load event (you can put it once in the master page or repeat it in every page of your project):

// The CP value must be wrapped in double quotes, escaped inside the C# literal.
HttpContext.Current.Response.AddHeader("p3p", "CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");



Regards


Charlie
on June 8, 2009

Eye of Sauron indeed. I was about to throw myself to the Orks when I found this handy information. Many thanks.


David
on June 14, 2009

My company has a little widget that plugs into shopping carts.

I have verified that my P3P policy is in my HTTP header. It works for the first page/step of the shopping cart site, but as soon as there is personal information on the page (like name, phone, etc.), IE blocks my cookie.

I have tried several different P3P policies and they all fail in the same place. I have also used the IBM P3P tool to generate my own special P3P policy, but it still doesn't work.

We are running into this because we are 3rd party since we are in an iframe.

I am at a complete loss.

Any help is appreciated. Thank you.


Milan Negovan
on June 15, 2009

David, this is odd indeed. I have no idea either. Hope someone reading my blog can help.


Sakthivel
on June 17, 2009

Thanks for the article. This helped me to solve the same issue with the cookies.


Gourav
on August 20, 2009

This P3P information was very helpful, and I found that setting it in the HTTP headers of the page in the IIS site (i.e. right-click page > Properties > HTTP Headers (header name and header value)) solves it more efficiently; for me, putting it inside the code did not work.
Thanks once again.


Grateful One
on November 13, 2009

Been fighting with this for several hours now until I came upon this post - fantastic - it's resolved my issue - many thanks!!


Miro
on November 27, 2009

I would like to thank you for the page.
This helped me out. I was struggling with losing some session variables that I didn't realize were being shown in a frameset page.

Only wish I found your site 2 days earlier.

Many thanks.


autoteile-king
on December 21, 2009

Hi all, I put the code in my HTTP header as described, but the third-party cookies in my iframe are still blocked. Any ideas?
David, did you find a solution?
thanks
martin


Peter
on January 18, 2010

Hi, I have a web page A that contains an iframe that gets a web page B. The cookies from page B are blocked. I've tried to set the P3P header on page A but that didn't work. So I guess the header needs to go in page B? But the problem is that I don't control page B and cannot add the header there. Any ideas, anyone?
Cheers
/Peter


Rajeev
on August 18, 2010

Hi, I am getting a problem with a frame or iframe: it is not saving the cookies, and for that reason my "drtest.onlineopticalstore.com" site is not opening in a frame. I have tried to use the P3P code but there is still the same problem. I am using the frame like this:

<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default5.aspx.cs" Inherits="Default5" %>
<% HttpContext.Current.Response.AddHeader("p3p", "CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\""); %>

But it's not opening "http://drtest.onlineopticalstore.com" in a frame, please help me.

Can you send any suggestion to my email ID please? I will be grateful to you.

My email ID : sarajeevraj@gmail.com

Thank you.


Amit
on October 25, 2010

Hello, where exactly and how do I enter this code?

thanks


A Tuner
on November 1, 2010

I've had an issue with content delivered by a CDN not appearing in IE7 & 6 (intermittently). It was driving me nuts. I tracked it down to this cookie issue, and if browser privacy is set to Low the problem goes away and all images and page components show.

I'm going to try adding this header to the CDN files and see if it fixes the issue. I don't know why a CDN insists on sending cookies with images and CSS files!