Avatar of shwaqar82


IE 8 is not allowing users to login in iframe url


I have an application that allows users to log in using their user ID and password. It works fine when I directly use my web app link. But when I use this inside an iframe, it won't work. Something like this:

Direct link: Allows me to log in successfully

But when I use having the following iframe in it. It's not allowing me to sign in.
<iframe id="abc" src="" width="250"></iframe>

Any help ?

Avatar of florjan

You should go to Tools > Internet Options > Privacy, move the slider to Medium and click OK (I believe it's enough, but if not, Low is).
Avatar of shwaqar82


This could not be the solution I'm looking for. In this case all the users who are using my application need to do the same. Any expert on this issue, please?

Avatar of Designbyonyx
You cannot use an iframe that requires login in IE if users do not accept third-party cookies. So you could either use a link to that page or move that page to your domain. Or tell users that your site requires a policy that accepts third-party cookies.
It is worth noting that you can very easily create a p3p policy that could get you in some legal trouble. You need to get a developer and read the rules and guidelines very, very carefully in order to keep yourself out of court.
@gdupadhyay - Thanks for reposting ;)

No worries. Both sites are owned by our company. I'm the developer and trying to help one of our clients who doesn't want to use our link directly. Instead they want to add our link to their company's link as an iframe.

I have this solution but didn't try it:
HttpContext.Current.Response.AddHeader("p3p","CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");


Will the above also work for me if I add this to each page in my application?

One question before I proceed with this p3p solution. I'm not comfortable with that approach because, as I understand, it will allow ANY cookie to reach our site from our client and not just the session cookie. Is that right?

Why all of a sudden are all of you quiet? No one has an answer for me, or everyone is out for lunch?
Avatar of Obadiah Christopher
document.domain = "";
Wow. I'm excited. Can you please explain what that is for and how it will help me?
Really, everything I know about p3p comes from that link I posted.  You need to ask all the questions: what type of information am I collecting about users, how am I using that information, is it personally identifiable information or is it anonymous, etc.

When you say "allows any cookie to reach our site from our client" - I think this is worded kind of weird.  Basically, the p3p policy will allow the iframe to set cookies... period.  Think of it this way:

Site A wants to embed a page from site B. Let's say that Site B is an advertising company. Site B has billions of iframes on millions of websites all across the internet. By default, IE prevents site B from setting cookies which could be used to track a user as he uses different sites on the internet. Site B COULD set up an invalid p3p policy and successfully track people... but it would very quickly get shut down and tied up in a huge class action lawsuit.

I don't think that Site A has access to Site B's cookies, and vice versa.  Hope that helps.
Well, thanks for your help, but I still didn't understand it perfectly. All I need is a way to allow users to log in with their username and password. This login information is in, let's say, Site B. And Site B is iframed in Site A. Now any step-by-step solution to it would be appreciated.

Thanks for your help in advance
So the code you posted in your previous comment should work.  The important thing is, you have to build that p3p string using one of the policy generators.  Every policy is different, so you must answer some questions about how you intend to use visitor data, generate your policy code, and apply it to the header of EVERY page on the log-in site (Site B).  I don't really know how else to explain.  I am just regurgitating information from that link I gave you.  Please read that page 4-5 times (like I did), follow every link on that page, keep reading, and do it all over again.  It's kind of confusing at first, but it will eventually start to make sense.

If you still find yourself having trouble, it may be worth paying for a p3p policy and support.  
Nice, on which server should I generate the p3p policy? On Site A, which is iframing Site B? Or Site B, which has the login page? I'm still reading and trying to understand exactly what p3p does.

Thanks for your help
That makes much more sense to me and it is clearer to me than ever before. Now, I'm reading your initial post and trying to follow the link to create a p3p policy. A few questions regarding that:

1. In this line below:
    HttpContext.Current.Response.AddHeader("p3p","CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");

What do these 3-letter words mean: IDC, DSP, COR ...etc.

2. My login site has registration forms that contain user details (name, number, address, etc.). At some point it also allows the user to enter credit card information to buy a product from us. Can that p3p policy restrict advertisers (in my case, the client) from saving credit card information?

Thanks for your help :)

Again, I followed the links from that url I keep referencing.  All of these questions you are asking... all I am doing is going to that link and reading, clicking the links, reading some more, clicking more links, reading... at some point you got to take off the floaties and swim my friend.  If you have any more questions, please go here and read until your eyes hurt and your brain explodes.
Can I use the below line in the global.ascx file, instead of applying it on each page?

 HttpContext.Current.Response.AddHeader("p3p","CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");

I am not going to evaluate the actual permission codes you used, but with .NET you can most certainly update the Global.asax.cs file in the App_Code directory.  That should work for every request in your application.
Hmm.. all I'm asking is, if I add the compact policy in the global.asax.vb file, will it work for each page in my application? Something like this:

protected void Application_BeginRequest(Object sender, EventArgs e)
{
    // Add the P3P compact policy header to every response.
    HttpContext.Current.Response.AddHeader("p3p", "CP=\"CAO PSA OUR\"");
}

I believe Application begin request runs each time the user requests a page? Guide me on what is the right event to add this header.

I have to ask... are you a .NET developer?  You are referencing a VB file (global.asax.vb) but you provided C# code.  I don't know which language you are using, and I can't sit here and write everything for you.  I feel like I have held your hand through this entire question.  I will give you one last resource.  From there, you are on your own.  Sorry dude, but at some point you have to try figure things out on your own.
Well, what do you think? I'm reading all the resources you are providing me. I'm not familiar with this p3p editor and don't have a clue how to create one that fits my need. We spent 3 days together, and in almost all of your posts you keep saying something that sounds like I'm not working on it. I'm a .NET developer and the code I gave you is in but I found an article that says you can put your p3p header in the global.asax.cs file. I know how to convert cs to vb. But my main concern was to get an idea of whether it is safe to do so. But you didn't answer what I asked you.

In the meantime I also developed a small piece of HTML code that works for me but is not really working on the testing server.
Sorry man, I don't mean to ridicule and did not mean to come off as rude.  About a year ago, I was in the same position as you... and after some googling, I found that url I keep referencing, and using the information provided there I was able to solve my problem.  So I am having a hard time spending 3 days trying to help you.  I feel like I have given you everything you need.  All I am trying to say is that you must use those problem solving skills you have developed over the years and figure out how to get this working for your application.

For my application, I was working in PHP. I have not done this in .NET, but it should be pretty straightforward. I cannot take the time to create a test application to test this out in .NET. But I can tell you that you are on the right path. You should use the "Application Begin Request" event to add the p3p header to EVERY response coming from your application. You can do this in the Global.asax file.

To test this, I would use an ASPX page (not HTML) and use a Firefox Plugin like Tamper Data to view the response headers.  Does that help?
Thanks man, I really appreciate your encouragement. But good news for me. I tried to add the above-mentioned p3p in IIS HTTP Headers. It's the same as if you add it in an individual page or in the global.asax.vb file. But it does not work for me. Let me try a few more things.
Hey Big Man

It works when I add this in global.asax.vb but not when I add it in IIS HTTP Headers. Sounds weird, doesn't it? Now the only thing that I need to make sure of from here is not to allow our client to access user information for their purposes. And for that I need to pass only those parameters that establish the connection between third-party content and parent content. That means only the minimal access that allows the iframe URL to work. Any expert advice on that? Convincing my manager to use this way is another big issue :)

Glad you are getting it working.

If it were me, I would shell out the $39.00 at that p3p resource I gave you earlier.  They will ask you about 30-50 questions and generate a p3p policy for you.  They will also be able to answer any questions about the specifics of your p3p policy a lot better than I could.

In terms of convincing your boss, you simply have to tell him "it's the right thing to do if we want to avoid a lawsuit".
Be sure to check out what you get if you use that generator. Well worth the $39.00 in my opinion. I wish I knew about this company last year :/
Nah, I will identify myself but it's nice to know about this site. You are a great help and indeed a knowledgeable person. I really appreciate your help.

Thanks a lot!!!
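
Added example, not part of the original thread or any poster's code: a Python check for the advice above that the p3p header must be on EVERY response from Site B, run over response headers as a header viewer would show them. The captures, paths and cookie values are constructed; the function names are hypothetical. It flags responses that set a cookie without a `CP="..."` compact policy.

```python
import re

# Constructed sample captures (not from the thread): raw response header
# blocks as a header viewer would show them for three Site B pages.
CAPTURES = {
    "/login.aspx": (
        "HTTP/1.1 200 OK\r\n"
        'p3p: CP="CAO PSA OUR"\r\n'
        "Set-Cookie: ASP.NET_SessionId=constructed1; path=/; HttpOnly\r\n"
    ),
    "/account.aspx": (
        "HTTP/1.1 200 OK\r\n"
        "Set-Cookie: ASP.NET_SessionId=constructed2; path=/\r\n"
    ),
    "/help.aspx": (
        "HTTP/1.1 200 OK\r\n"
        'P3P: policyref="/w3c/p3p.xml"\r\n'
        "Set-Cookie: pref=constructed3; path=/\r\n"
    ),
}

CP_RE = re.compile(r'CP\s*=\s*"([^"]*)"', re.IGNORECASE)

def parse_headers(raw):
    """Return (lowercased name, value) pairs, skipping the status line."""
    pairs = []
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def compact_policy_tokens(raw):
    """Tokens of the CP="..." compact policy in the P3P header, or []."""
    for name, value in parse_headers(raw):
        # Header names are case-insensitive, so "p3p" and "P3P" both match.
        match = CP_RE.search(value) if name == "p3p" else None
        if match:
            return match.group(1).split()
    return []

def audit(captures):
    """Paths whose response sets a cookie but carries no compact policy."""
    missing = []
    for path, raw in captures.items():
        sets_cookie = any(n == "set-cookie" for n, _ in parse_headers(raw))
        if sets_cookie and not compact_policy_tokens(raw):
            missing.append(path)
    return sorted(missing)
```

Running `audit` over captures from both configurations (header added in Global.asax versus in IIS HTTP Headers) shows which responses actually reach the browser with the header.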