MVC 3 Session Data and Internet Explorer P3P IFRAME Cookies

Internet Explorer IFRAME P3P Cookies

Development has been continuing over at the Debbie Stevens Wellbeing website.  Originally the booking system was hosted in its own domain, styled to look like the main site created by Mistore in Brighton.  This was not the best way to go, but it was the fastest way to get the system online.  We have now finally moved the booking system into the main site by calling the booking pages through <iframe> HTML structures.

All was fine except that in Internet Explorer the system would not work.  Where Firefox, Chrome and Safari were happy to display the event, venue and booking pages, IE simply displayed an error page.  The cause was that the session data being passed from one page to the next was being lost.  For some reason the session cookies were being blocked by Internet Explorer.

Internet Explorer IFRAME cookies

By default Internet Explorer rejects cookies set inside framesets or <iframe> elements because it treats them as non-trusted “third-party” artifacts.  You can see this happening in IE when the Privacy Eye icon appears in the status bar at the bottom of the browser.  In Internet Explorer 9 and above you can also find it by clicking Tools->Safety->Webpage Privacy Policy.

Clicking on the settings button will reveal that like most users your Internet Explorer is set to a medium level of trust.

Platform for Privacy Preferences

From Internet Explorer 6 onwards support was added for the Platform for Privacy Preferences (P3P) project.  This project is designed to let websites express their privacy policies in machine and user readable form.  It means that browsers can decide if the site being visited is friendly or not.  Site owners use P3P to express their privacy policies and publicly declare how information collected during the web session will be used.  Development began in 2002 and ceased in 2006 due to criticisms and lack of support.

Microsoft is the only major vendor to have implemented the full P3P specification into its browser.

Handling P3P in ASP.NET MVC 3 applications

The easiest way to get session cookies through the Internet Explorer iframe cookie hoop is to add a P3P compact policy header to your pages. Code like the following can be added to Global.asax:

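protected void Application_BeginRequest(object sender, EventArgs e)
{
    // Send a P3P compact policy with every response so IE accepts the session cookie inside the <iframe>
    HttpContext.Current.Response.AddHeader("p3p",
        "CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");
}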

This is a simple policy that fulfils the criteria needed to get the session and other cookies through P3P checking.  For the full explanation of what you are saying in this compact header, read Microsoft’s explanation of their implementation in Internet Explorer.
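To see what the compact header above actually declares before deploying it, the following added example (not part of the original post) splits a `CP="..."` value into the P3P elements each token belongs to and flags anything unrecognised. The function name `parse_compact_policy` is hypothetical, and the token vocabulary is taken from the W3C P3P 1.0 compact policy syntax as an assumption, not from the page.

```python
import re

# Compact-policy vocabulary per the W3C P3P 1.0 specification (assumed, not from the page).
P3P_TOKENS = {
    "access": {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"},
    "disputes": {"DSP"},
    "remedies": {"COR", "MON", "LAW"},
    "purpose": {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP"},
    "recipient": {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"},
    "retention": {"NOR", "STP", "LEG", "BUS", "IND"},
    "categories": {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
                   "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"},
    "non-identifiable": {"NID"},
    "test": {"TST"},
}
# Purpose and recipient tokens (except CUR and OUR) may carry a consent suffix.
CONSENT = {"a": "always", "i": "opt-in", "o": "opt-out"}
SUFFIXABLE = {"purpose", "recipient"}
NO_SUFFIX = {"CUR", "OUR"}

# The header value sent by the page's Global.asax code.
PAGE_HEADER = 'CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"'


def parse_compact_policy(header_value):
    """Return (declared, unknown); declared maps element -> [(token, consent)]."""
    match = re.search(r'CP\s*=\s*"([^"]*)"', header_value, re.IGNORECASE)
    if not match:
        raise ValueError('no CP="..." compact policy in header value')
    declared, unknown = {}, []
    for raw in match.group(1).split():
        base, suffix = raw[:3], raw[3:]
        element = next((e for e, toks in P3P_TOKENS.items() if base in toks), None)
        suffix_ok = suffix == "" or (
            element in SUFFIXABLE and base not in NO_SUFFIX and suffix in CONSENT)
        if element is None or not suffix_ok:
            unknown.append(raw)  # typo or token outside the vocabulary
            continue
        declared.setdefault(element, []).append((base, CONSENT.get(suffix)))
    return declared, unknown


if __name__ == "__main__":
    declared, unknown = parse_compact_policy(PAGE_HEADER)
    for element, tokens in declared.items():
        print(f"{element:12} {tokens}")
    print("unrecognised:", unknown)
```

Run against the page's header, the purpose group lists nine declared uses of collected data, which is the part to compare with your site's written privacy policy.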

The Legal Implications

The code above is a quick fix and is provided for information only.  It is important to note that the P3P policy could have legal implications for your site.  DO NOT just slap the above code into place before thinking about what your site’s privacy policy actually is.   The following links are useful in this respect.



    About Tony Brown

    Tony Brown is an IT solutions provider with over 20 years' experience in all aspects of IT. Tony offers a personal, jargon-free service for small and growing businesses who want to build a great experience for their staff and customers. If you would like Tony to help you program your business for success you can contact him via this website or call him on 07500 937385.


    4 comments on “MVC 3 Session Data and Internet Explorer P3P IFRAME Cookies”

    1. Daniel on said:

      It works!!

    2. Thanks a lot.. It's working..
