IE9 Separate cookies for third party request

Even though my P3P headers are correct, IE9 seems to hold a separate list for third party requests.

I've added the following P3P header:

    header('P3P:CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR BUS IND UNI COM NAV INT", policyref="http://domain/w3c/p3p.xml"');

Of course with domain properly set. It's created by the IBM tool. Next to that I've created the p3p xml file and tested it with p3p validation.

Once I call a test file containing nothing more than

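    <?php
    // Send the compact P3P policy before the session cookie is set
    header ('P3P:CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR BUS IND UNI COM NAV INT", policyref="http://padrichem.ds1.nl.dev/w3c/p3p.xml"');
    // Start the session (issues PHPSESSID if the browser sent none)
    session_start();
    // Show the cookies the browser sent with this request
    var_dump($_COOKIE);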

It says $_COOKIE is empty; after a refresh it says $_COOKIE[PHPSESSID] = 'id'.

When I call the same file from a remote location within an iframe, it says $_COOKIE is empty; after a refresh it says $_COOKIE[PHPSESSID] = 'DIFFERENT id'.

When I disable protected mode this isn't the case. Yet it also isn't the case on all domains.

On the hard drive I can only find the cookies set by the iframe (third-party) call.

Does anyone have any idea why this would occur?

There is 1 answer

Wizact

Your issue is most probably because of how IE treats cookies in cross-zone scenarios.

Refer to the following:

IE9 - asp.net cannot access cookie created for my domain by third party site
Beware Cookie Sharing in Cross-Zone Scenarios