Robert Saylor

sessions

When I set a session in an iframe with IE 11, the cookie will be blocked under the medium privacy settings. If I set that to low, the cookie is set in the iframe with no issues. How do I get PHP to set the session/cookie to be in compliance with IE 11 medium privacy policy?
Ray Paseur

Just curious - why not start the session in the main page instead of the iFrame?  IIRC the iFrame will see the session if you do it that way.
Robert Saylor

ASKER

It's because we have a client portal that loads a unique sub domain based on the login details. So the iframe would load different domains. Then when the client does anything in the iframe the session/cookie won't create due to IE medium privacy settings.
Different subdomains will naturally set different cookies.  For example, www.domain.com and test.domain.com will not naturally share a session.  There is a way around this problem that might be worth a try.  See Cross-SubDomain Sessions in this article.
https://www.experts-exchange.com/articles/11909/PHP-Sessions-Simpler-Than-You-May-Think.html
I took that into consideration and I am using different names. So the portal uses, say, www.domaina.com where the iframe loads clientname.domainb.com.

All the domains are different to minimize cross domain issues.
hielo
Try setting the cookie_domain in php.ini.  Let's say that your site is "example.com".  Try setting it to:
session.cookie_domain = ".example.com"

Notice that there is a leading "." before the word example.
All the domains are different...
You might want to consider writing your own session handler.  It's kind of swimming upstream against the design of HTTP protocols when you try to get a cookie from a different domain.  Sharing web sites like DoubleClick use their own session handlers to get around the same-domain rules of HTTP.  Some ideas here:
http://www.slideshare.net/VictorWelling/crossdomain-cookies
>> So the portal uses say www.domaina.com where the iframe loads clientname.domainb.com
In that case my suggestion will not help.  It is intended for subdomains within the org/company domain (test.domain.com, www.domain.com, etc).
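
The scoping rule behind the `session.cookie_domain` exchange above, as an added example that is not part of the original thread: a simplified model of RFC 6265 cookie storage and domain matching, showing that a `Domain` attribute widens a cookie to sibling subdomains but never to a different domain. Function names are hypothetical, the hostnames are the thread's own examples, and the public-suffix check real browsers also apply is left out.

```javascript
// Added illustration (not from the thread): RFC 6265 cookie domain handling.
// Function names are hypothetical; hostnames are the thread's examples.

// Section 5.2.3: lowercase the Domain attribute and ignore one leading dot.
function normalizeDomainAttr(attr) {
  const d = attr.trim().toLowerCase();
  return d.startsWith(".") ? d.slice(1) : d;
}

// IP literals never suffix-match; they only match when identical.
function isIpAddress(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
}

// Section 5.1.3 domain-match: identical, or host ends with "." + cookieDomain.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  if (h === cookieDomain) return true;
  return !isIpAddress(h) && h.endsWith("." + cookieDomain);
}

// Section 5.3: decide whether a Set-Cookie from setterHost is stored.
// Returns null when the browser discards the cookie.
function storeCookie(setterHost, domainAttr) {
  if (!domainAttr) return { domain: setterHost.toLowerCase(), hostOnly: true };
  const domain = normalizeDomainAttr(domainAttr);
  return domainMatches(setterHost, domain) ? { domain, hostOnly: false } : null;
}

// Section 5.4: is a stored cookie attached to a request for requestHost?
function isSentTo(cookie, requestHost) {
  if (cookie === null) return false;
  const h = requestHost.toLowerCase();
  return cookie.hostOnly ? h === cookie.domain : domainMatches(h, cookie.domain);
}

// Constructed scenarios: [host setting the cookie, Domain attribute, request host].
function demo() {
  const cases = [
    ["www.example.com", ".example.com", "test.example.com"],
    ["www.example.com", "", "test.example.com"],
    ["www.domaina.com", ".domainb.com", "clientname.domainb.com"],
    ["clientname.domainb.com", ".domainb.com", "www.domaina.com"],
  ];
  return cases.map(([setter, attr, req]) => isSentTo(storeCookie(setter, attr), req));
}

console.log(demo()); // one boolean per scenario
```

Only the first scenario shares the cookie; the third is discarded at storage time because the setting host does not domain-match the attribute.
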
It looks to be an IE 11 issue only. Windows 10 and Edge do not have this issue. Setting a cookie domain I don't think will make a difference, but to complicate it my program is encoded with ionCube, so it is not feasible to re-compile for every domain. I think the cookie handler might be the only true solution.
IE 11 issue only
Are you saying this works in Safari, Chrome and Firefox?  Because if it does, then I am not understanding the question.
That is correct. It works in Firefox, Chrome and Safari and works on IE 11 with privacy set to low, but when privacy is set to medium it does not work in IE. It also works in Windows 10 Edge.
I'm running IE11 on Win 7 with privacy and security set to medium and I'm not having any problems with session cookies.  I don't have a site using iframes at the moment, just 'regular' pages.  Can you give us a link we can check?
Go to www.viewmyplans.com

Login as vpmdemo
Pass demo

Then click on the first link in the list in the middle of the screen. It will ask for a pass; use demo

Enter a fake email then it will loop back to asking for the password because the session is not setting. Change your privacy to low and it works.
Correction: log in as vmpdemo, pass demo
That login is not working here on Firefox.  Thought I'd check it on Firefox before going to IE11.
Btw it's only with iframe...
Yes, it is working the way you described but works fine when it is not in an iframe.  I don't have time to check it out anymore right now but I'll check back later.
Hi Dave,

I made a new site to test. Let me know what you think. I am leading toward a Microsoft bug in IE.

1. visit http://www.viewmyplans.com

2. click on the login button

3. username: expertexchange

4. password: password

5. Click on the link "The password is password"

6. Type in the password "password" then enter in a fake email and click continue

With IE 11 using medium privacy in the cookies/sessions the session inside the iframe is not created and the program takes you back to the password prompt. If you change the privacy in sessions/cookies to low it works.

If you visit http://expertexchange.vmpclient.net and click on the link the session is created under medium privacy. It appears to only be through the iframe we have the issue.

I am looking for confirmation this is an IE bug. This works in Firefox, Chrome and Safari with no issues. It also works fine with the Windows 10 Edge browser.
You appear to be correct.  I was hoping to use ieHTTPHeaders to verify that the session id was being set in the cookie but it won't work in IE11.
The big question: is this a known bug, or should I submit a bug to IE?
I don't know whether it is known or not.  I installed Fiddler2 on that computer.  The entire problem is getting http://expertexchange.vmpclient.net/ to accept the cookie in the first place.  Once it is accepted, it returns it reliably with every request whether it is in the iframe or not.
ASKER CERTIFIED SOLUTION
Robert Saylor
This solution is only available to members.
Dave,

It appears to be the fix. Can you try on your end with medium privacy?

Source: http://adamyoung.net/IE-Blocking-iFrame-Cookies
SOLUTION
This solution is only available to members.
Thanks Dave,

Well, for those searching for this at least it's documented here now.
Thanks guys for helping work through this. Ray and Dave you always answer my questions and for that thank you!