Solved

IE 8 is not allowing users to login in iframe url

Posted on 2011-02-16
29
1,500 Views
Last Modified: 2012-05-11
Hi

I have an application that allows users to log in using their user ID and password. It works fine when I use my web app link directly. But when I use it inside an iframe, it won't work. Something like this:

Direct link: www.abc.com -------- Allows me to log in successfully

But when I use www.myname.com with the following iframe in it, it's not allowing me to sign in.
<iframe id="abc" src="www.abc.com" width="250"></iframe>

Any help ?

Thanks
0
Question by:shwaqar82
29 Comments
 
LVL 4

Expert Comment

by:florjan
ID: 34908462
You should go to Tools > Internet Options > Privacy, move the slider to Medium and click OK (I believe it's enough, but if not, Low is).
0
 

Author Comment

by:shwaqar82
ID: 34908508
This could not be the solution I'm looking for. In this case all the users who are using my application need to do the same. Any expert on this issue, please?

Thanks
0
 
LVL 14

Accepted Solution

by:
Designbyonyx earned 500 total points
ID: 34908560
The problem resides in the fact that IE puts a stricter security policy against iframes.  To overcome this, you need a proper P3P policy.  Read about it here:

http://stackoverflow.com/questions/389456/cookie-blocked-not-saved-in-iframe-in-internet-explorer
0
 
LVL 4

Expert Comment

by:florjan
ID: 34908564
You cannot use iframe that requires login in IE if users do not accept third-party cookies. So you could either use a link to that page or move that page to your domain. Or tell users that your site requires policy that accepts third party cookies.
0
 
LVL 14

Expert Comment

by:Designbyonyx
ID: 34908605
It is worth noting that you can very easily create a p3p policy that could get you in some legal trouble.  You need to get a developer and read the rules and guidelines very, very carefully in order to keep yourself out of court.
0
 
LVL 9

Expert Comment

by:gdupadhyay
ID: 34908646
0
 
LVL 14

Expert Comment

by:Designbyonyx
ID: 34908672
@gdupadhyay - Thanks for reposting ;)
0
 

Author Comment

by:shwaqar82
ID: 34908727
Hi

No worries, as both sites are owned by our company. I'm the developer and I'm trying to help one of our clients who doesn't want to use our link directly. Instead they want to add our link to their company's site as an iframe.

I have this solution but didn't try it:
HttpContext.Current.Response.AddHeader("p3p","CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");

Reference:
http://adamyoung.net/IE-Blocking-iFrame-Cookies

Will the above also work for me if I add this to each page in my application?

One question before I proceed with this p3p solution. I'm not comfortable with that approach because, as I understand it, it will allow ANY cookie to reach our site from our client and not just the session cookie. Is that right?

Thanks
0
 

Author Comment

by:shwaqar82
ID: 34909065
Why are all of you quiet all of a sudden? Has no one got an answer for me, or is everyone out for lunch?
0
 
LVL 20

Expert Comment

by:informaniac
ID: 34909083
document.domain = "www.abc.com";
0
 

Author Comment

by:shwaqar82
ID: 34909162
Wow. I'm excited. Can you please explain what that is for and how it will help me?
0
 
LVL 14

Expert Comment

by:Designbyonyx
ID: 34910065
Really, everything I know about p3p comes from that link I posted.  You need to ask all the questions: what type of information am I collecting about users, how am I using that information, is it personally identifiable information or is it anonymous, etc.

When you say "allows any cookie to reach our site from our client" - I think this is worded kind of weird.  Basically, the p3p policy will allow the iframe to set cookies... period.  Think of it this way:

Site A wants to embed a page from site B.  Let's say that Site B is an advertising company.  Site B has billions of iframes on millions of websites all across the internet.  By default, IE prevents site B from setting cookies which could be used to track a user as he uses different sites on the internet.  Site B COULD set up an invalid p3p policy and successfully track people... but it would very quickly get shut down and tied up in a huge class action lawsuit.

I don't think that Site A has access to Site B's cookies, and vice versa.  Hope that helps.
0
 

Author Comment

by:shwaqar82
ID: 34913155
Well, thanks for your help, but I still don't understand it perfectly. All I need is a way to allow users to log in with their username and password. This login information is in, let's say, Site B. And Site B is iframed in Site A. Now any step-by-step solution to it would be appreciated.

Thanks for your help in advance
0
 
LVL 14

Expert Comment

by:Designbyonyx
ID: 34916446
So the code you posted in your previous comment should work.  The important thing is, you have to build that p3p string using one of the policy generators.  Every policy is different, so you must answer some questions about how you intend to use visitor data, generate your policy code, and apply it to the header of EVERY page on the log-in site (Site B).  I don't really know how else to explain.  I am just regurgitating information from that link I gave you.  Please read that page 4-5 times (like I did), follow every link on that page, keep reading, and do it all over again.  It's kind of confusing at first, but it will eventually start to make sense.

If you still find yourself having trouble, it may be worth paying for a p3p policy and support.  
0
 

Author Comment

by:shwaqar82
ID: 34919668
Nice. On which server should I generate the p3p policy? On Site A, which is iframing Site B? Or Site B, which has the login page? I'm still reading and trying to understand exactly what p3p does.

Thanks for your help
0
 
LVL 14

Assisted Solution

by:Designbyonyx
Designbyonyx earned 500 total points
ID: 34920868
You need the p3p policy on whichever site is going to load INSIDE the iframe... so in my example it would be Site B ... or in your case, the login site.

Here's another example:

So let's categorize all websites into 2 categories:

1) "Normal websites" which provide content to their visitors
2) "Advertising Websites" that want to track the browsing behaviors of visitors across the internet

In a not-so-ideal world, the Advertisers would embed an invisible iframe on EVERY website on the internet (they would probably even pay website owners to be able to do this).  This iframe would then set cookies that would follow the user around the internet.  The user could go to ebay, then wikipedia, then facebook, then zappos, and so forth.  The fact that the iframe is on EVERY site would allow the Advertisers to track the user as he visits different sites.  They would track what types of pages he views, what sites he visits, time spent on each page, etc.  They would then sell this information to other companies and use the information to display very targeted advertising.

Fortunately, the W3C has developed this Privacy Policy (p3p) which prevents iframes from setting cookies in this manner.  Unfortunately, advertisers have found other ways to track users across the internet :(  This is an ongoing Privacy issue that is under hot debate right now.  There is legislation being passed that will force advertisers to be more transparent and/or allow users to opt out of these cookies more easily.

You can read more about it here:

http://www.mediapost.com/publications/?fa=Articles.showArticle&art_aid=127641

I couldn't have found a better example.  Scroll to the bottom of that page and look at the advertisement in the lower right hand column.  That ad is being served via an iframe.  You could then visit a different site and see the SAME ad being delivered in the SAME iframe.  Depending on your browser's privacy settings and the p3p setting of the iframe... they could be setting cookies and tracking you across the internet.

And here is something that happened to me once.  One day I was on zappos looking at a very specific pair of shoes.  About 2 weeks later I went to a random blog, and there on the side of the blog was a Zappos ad for the SAME EXACT pair of shoes I was looking at.  Like I said, advertisers have found ways to track users, and it's a very hot debate right now.

Hope that helps.
0
 

Author Comment

by:shwaqar82
ID: 34921121
That makes much more sense to me and it is clearer to me than ever before. Now, I'm reading your initial post and trying to follow the link to create a p3p policy. A few questions regarding that:

1. In this line below:
    HttpContext.Current.Response.AddHeader("p3p","CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");

What do these 3-letter words mean: IDC, DSP, COR ... etc.?

2. My login site has registration forms that contain user details (name, number, address, etc.). At some point it also allows the user to enter credit card information to buy a product from us. Can the p3p policy restrict advertisers (in my case, the client) from saving credit card information?

Thanks for your help :)
0
 
LVL 14

Expert Comment

by:Designbyonyx
ID: 34922042
http://www.p3pwriter.com/LRN_111.asp

Again, I followed the links from that url I keep referencing.  All of these questions you are asking... all I am doing is going to that link and reading, clicking the links, reading some more, clicking more links, reading... at some point you got to take off the floaties and swim my friend.  If you have any more questions, please go here and read until your eyes hurt and your brain explodes.
0
 

Author Comment

by:shwaqar82
ID: 34956252
Can I use the line below in the global.ascx file, instead of applying it on each page?

 HttpContext.Current.Response.AddHeader("p3p","CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");

0
 
LVL 14

Expert Comment

by:Designbyonyx
ID: 34956405
I am not going to evaluate the actual permission codes you used, but with .NET you can most certainly update the Global.asax.cs file in the App_Code directory.  That should work for every request in your application.
0
 

Author Comment

by:shwaqar82
ID: 34960749
Hmm... all I'm asking is: if I add the compact policy in the global.asax.vb file, will it work for each page in my application? Something like this:

protected void Application_BeginRequest(Object sender, EventArgs e)
{
    HttpContext.Current.Response.AddHeader("p3p", "CP=\"CAO PSA OUR\"");
}

I believe Application begin request runs each time the user requests a page? Guide me on what the right event is to add this header.

Thanks
 
0
 
LVL 14

Expert Comment

by:Designbyonyx
ID: 34961760
I have to ask... are you a .NET developer?  You are referencing a VB file (global.asax.vb) but you provided C# code.  I don't know which language you are using, and I can't sit here and write everything for you.  I feel like I have held your hand through this entire question.  I will give you one last resource.  From there, you are on your own.  Sorry dude, but at some point you have to try to figure things out on your own.

http://archive.devnewz.com/devnewz-3-20070125ImplementingPICSandP3PinASPNETHeaders.html
0
 

Author Comment

by:shwaqar82
ID: 34962545
Well, what do you think? I'm reading all the resources you are providing me. I'm not familiar with this p3p editor and don't have a clue how to create one that fits my needs. We spent 3 days together and in almost all of your posts, you keep on saying something that sounds like I'm not working on it. I'm a .NET developer and the code I gave you is in VB.NET, but I found an article that says you can put your p3p header in the global.asax.cs file. I know how to convert C# to VB. But my main concern was to get an idea of whether it is safe to do so. But you didn't answer what I asked you.

In the meantime I also developed a small piece of HTML code that works for me but is not really working on the testing server.
0
 
LVL 14

Expert Comment

by:Designbyonyx
ID: 34962928
Sorry man, I don't mean to ridicule and did not mean to come off as rude.  About a year ago, I was in the same position as you... and after some googling, I found that url I keep referencing, and using the information provided there I was able to solve my problem.  So I am having a hard time spending 3 days trying to help you.  I feel like I have given you everything you need.  All I am trying to say is that you must use those problem solving skills you have developed over the years and figure out how to get this working for your application.

For my application, I was working in PHP.  I have not done this in .NET, but it should be pretty straight forward.  I cannot take the time to create a test application to test this out in .NET.  But I can tell you that you are on the right path.  You should use the "Application Begin Request" event to add the p3p header to EVERY response coming from your application.  You can do this in the Global.asax file.

To test this, I would use an ASPX page (not HTML) and use a Firefox Plugin like Tamper Data to view the response headers.  Does that help?
0
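The compact-policy tokens asked about earlier in the thread and the response-header check suggested above, as an added example that is not part of the original thread: a Python sketch that decodes a P3P `CP` string by policy element and reports which cookie-setting responses lack the header. The token table follows the W3C P3P 1.0 compact-policy vocabulary; the function names, status labels and sample responses are constructed for illustration.

```python
import re
# P3P 1.0 compact-policy tokens, grouped by the policy element they abbreviate.
GROUPS = {
    "access": "NOI ALL CAO IDC OTI NON",
    "disputes": "DSP", "non-identifiable": "NID", "test": "TST",
    "remedies": "COR MON LAW",
    "purpose": "CUR ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP",
    "recipient": "OUR DEL SAM UNR PUB OTR",
    "retention": "NOR STP LEG BUS IND",
    "categories": "PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV OTC",
}
TOKEN_GROUP = {t: g for g, toks in GROUPS.items() for t in toks.split()}
CONSENT = {"a": "always", "i": "opt-in", "o": "opt-out"}  # purpose/recipient suffix
def headers_of(raw):
    """Parse a raw response head into {lowercased header name: value}."""
    pairs = (line.partition(":") for line in raw.strip().splitlines()[1:])
    return {name.strip().lower(): value.strip() for name, _, value in pairs}

def decode_cp(value):
    """Split a P3P header value into known (token, group, consent) and unknown tokens."""
    m = re.search(r'CP\s*=\s*"([^"]*)"', value, re.I)
    known, unknown = [], []
    for tok in (m.group(1).split() if m else []):
        group, suffix = TOKEN_GROUP.get(tok[:3]), tok[3:]
        if group and (not suffix or (group in ("purpose", "recipient") and suffix in CONSENT)):
            known.append((tok[:3], group, CONSENT.get(suffix, "")))
        else:
            unknown.append(tok)
    return known, unknown

def audit(responses):
    """Map each URL to 'no-cookie', 'missing-p3p', 'bad-p3p' or 'ok'."""
    result = {}
    for url, raw in responses.items():
        h = headers_of(raw)
        known, unknown = decode_cp(h.get("p3p", ""))
        if "set-cookie" not in h:
            result[url] = "no-cookie"      # nothing for the browser to block
        elif "p3p" not in h:
            result[url] = "missing-p3p"    # cookie set inside the frame without a policy
        else:
            result[url] = "ok" if known and not unknown else "bad-p3p"
    return result
# Constructed sample responses from the framed login site (Site B); not captured traffic.
SAMPLE = {
    "/login.aspx": 'HTTP/1.1 200 OK\nP3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"\nSet-Cookie: ASP.NET_SessionId=constructed; path=/',
    "/account.aspx": "HTTP/1.1 200 OK\nSet-Cookie: auth=constructed; path=/",
    "/logo.png": "HTTP/1.1 200 OK\nContent-Type: image/png",
}
```

`audit(SAMPLE)` flags `/account.aspx`, the case where the header was added to one page but not to every response of the framed application.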
 

Author Comment

by:shwaqar82
ID: 34963027
Thanks man, I really appreciate your encouragement. But a good news for me. I tried to add the above mentioned p3p in IIS HTTP Headers. It's the same as if you add it in an individual page or in the global.asax.vb file. But it does not work for me. Let me try a few more things.
0
 

Author Comment

by:shwaqar82
ID: 34963244
Hey Big Man

It works when I add this in global.asax.vb but not when I add it in IIS HTTP Headers. Sounds weird, doesn't it? Now the only thing that I need to make sure of from here is not to allow our client to access user information for their own purposes. And for that I need to pass only those parameters that establish the connection between the third-party content and the parent content. That means only the minimal access that allows the iframe URL to work. Any expert advice on that? Convincing my manager to use this approach is another big issue :)

Thanks
0
 
LVL 14

Expert Comment

by:Designbyonyx
ID: 34964327
Glad you are getting it working.

If it were me, I would shell out the $39.00 at that p3p resource I gave you earlier.  They will ask you about 30-50 questions and generate a p3p policy for you.  They will also be able to answer any questions about the specifics of your p3p policy a lot better than I could.

In terms of convincing your boss, you simply have to tell him "it's the right thing to do if we want to avoid a lawsuit".
0
 
LVL 14

Expert Comment

by:Designbyonyx
ID: 34964371
Be sure to check out what you get if you use that generator.  Well worth the $39.00 in my opinion.  I wish I knew about this company last year :/

https://p3pedit.com/what_get.php
0
 

Author Comment

by:shwaqar82
ID: 34964967
Nah, I will identify myself, but it's nice to know about this site. You are a great help and indeed a knowledgeable person. I really appreciate your help.

Thanks a lot!!!
0
