Even though my P3P headers are correct, IE9 seems to hold a separate list for third party requests.
I've added the following P3P
header('P3P:CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR BUS IND UNI COM NAV INT", policyref="http://domain/w3c/p3p.xml"')
Of course with domain properly set. It's created by the IBM tool. Next to that I've created the p3p xml file and tested it with p3p validation.
Once I call a test file stating nothing more then
<?php
header ('P3P:CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR BUS IND UNI COM NAV INT", policyref="http://padrichem.ds1.nl.dev/w3c/p3p.xml"');
session_start();
var_dump($_COOKIE);
It says $_COOKIE is empty, refresh and it says $_COOKIE[PHPSESSID] = 'id'
Now I call the same file from a remote location within an iframe it says $_COOKIE is empty, refresh and it says $_COOKIE[PHPSESSID] = 'DIFFERENT id'
When I disable protected mode this isn't the case. Yet it also isn't the case on all domains.
On the harddrive I can only find the cookies set by the iFrame (third-party) call.
Does anyone have any idea why this would occur?
You issue is most probably because of how IE treats cookies in cross-zone scenarios:
Refer to the followings:
IE9 - asp.net cannot access cookie created for my domain by third party site
Beware Cookie Sharing in Cross-Zone Scenarios