
Internet Explorer, iframe, and cross-domain cookies

Ran into an interesting problem yesterday where a few months ago we helped a client redesign an ASP.NET web application to fit it into an iframe within their CMS rather than being a standalone site.  Easy enough task.  Testing is completed and site is rolled out.

Now, several months down the road after the application has been iframe’d and in production – one random feature of the application is unexpectedly breaking, but it doesn’t make any sense – the only way the behavior could possibly occur would be that an object retrieved from Session is coming back as null, which turned out to be the case.  The browser was somehow losing the ASP.NET Session cookie.  Furthermore, the feature was working fine in Firefox but not in Internet Explorer, very strange.

The problem was that Internet Explorer will not accept cookies from a page within an iframe when its domain name is different from that of the top-level page. In this case, the URL of the iframe'd page was www.clientsite1.com and the URL of the page hosting the iframe was www.clientsite2.com.

To get around this, you need to add a P3P Compact Policy to your HTTP responses. P3P is a protocol that allows websites to pass information to the browser regarding their intent to use information collected from the user. Internet Explorer is the only browser that implements the protocol, and it uses it only for cookie blocking at that.

To add a P3P header in ASP.NET so that the browser accepts your cookies from a different domain within an iframe, add this block of code to your Global.asax.

// Runs at the start of every request; adds the P3P compact policy header to each response.
protected void Application_BeginRequest(object sender, EventArgs e)
{
    HttpContext.Current.Response.AddHeader("p3p", "CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");
}
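
To confirm the header is actually reaching the browser, the following added check (Python, not part of the original post) parses a P3P header and reports whether a response that sets a cookie also carries a compact policy. The sample responses and the session id value are constructed, and treating an unquoted CP value as missing is a strictness choice of this example.

```python
import re

# The compact policy string from the Global.asax snippet on this page.
PAGE_CP = "IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"

def parse_p3p(value):
    """Parse a P3P header value into {'cp': [tokens], 'policyref': str or None}."""
    pairs = re.findall(r'(\w+)\s*=\s*"([^"]*)"', value)
    fields = {k.lower(): v for k, v in pairs}
    return {"cp": fields.get("cp", "").split(), "policyref": fields.get("policyref")}

def audit(headers):
    """headers: list of (name, value) pairs from one HTTP response.
    Returns 'no-cookie', 'cookie-with-cp' or 'cookie-without-cp'."""
    lowered = [(n.lower(), v) for n, v in headers]  # header names are case-insensitive
    if not any(n == "set-cookie" for n, _ in lowered):
        return "no-cookie"
    cp = []
    for n, v in lowered:
        if n == "p3p":
            cp = parse_p3p(v)["cp"]
    return "cookie-with-cp" if cp else "cookie-without-cp"

# Constructed sample responses (not captured traffic).
SAMPLES = {
    "framed app, header added": [
        ("Set-Cookie", "ASP.NET_SessionId=abc123; path=/; HttpOnly"),
        ("p3p", 'CP="%s"' % PAGE_CP),
    ],
    "framed app, header missing": [
        ("Set-Cookie", "ASP.NET_SessionId=abc123; path=/; HttpOnly"),
    ],
    # Assumption of this example: an unquoted CP value is treated as missing.
    "malformed, no quotes": [
        ("Set-Cookie", "ASP.NET_SessionId=abc123; path=/"),
        ("P3P", "CP=IDC DSP COR"),
    ],
    "static asset": [("Content-Type", "image/png")],
}

def run():
    """Audit every constructed sample and return {label: result}."""
    return {label: audit(h) for label, h in SAMPLES.items()}

if __name__ == "__main__":
    for label, result in run().items():
        print(f"{label}: {result}")
```
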
