sessions

When I set a session in an iFrame with IE 11 the cookie will be blocked under the medium privacy settings. If I set that to low the cookie is set in the iframe with no issues. How do I get php to set the session/cookie to be in compliance with IE 11 medium privacy policy?
Robert Saylor (Senior Developer) asked:
Ray Paseur commented:
Just curious - why not start the session in the main page instead of the iFrame?  IIRC the iFrame will see the session if you do it that way.
Robert Saylor (author) commented:
It's because we have a client portal that loads a unique sub domain based on the login details. So the iframe would load different domains. Then when the client does anything in the iframe the session/cookie won't create due to IE medium privacy settings.
Ray Paseur commented:
Different subdomains will naturally set different cookies.  For example, www.domain.com and test.domain.com will not naturally share a session.  There is a way around this problem that might be worth a try.  See Cross-SubDomain Sessions in this article.
http://www.experts-exchange.com/articles/11909/PHP-Sessions-Simpler-Than-You-May-Think.html
Robert Saylor (author) commented:
I took that into consideration and I am using different names. So the portal uses say www.domaina.com where the iframe loads clientname.domainb.com

All the domains are different to minimize cross domain issues.
hielo commented:
Try setting the cookie_domain in php.ini.  Let's say that your site is "example.com".  Try setting it to:
session.cookie_domain = ".example.com"

Notice that there is a leading "." before the word example.
Ray Paseur commented:
>> All the domains are different...
You might want to consider writing your own session handler.  It's kind of swimming upstream against the design of HTTP protocols when you try to get a cookie from a different domain.  Sharing web sites like DoubleClick use their own session handlers to get around the same-domain rules of HTTP.  Some ideas here:
http://www.slideshare.net/VictorWelling/crossdomain-cookies
hielo commented:
>> So the portal uses say www.domaina.com where the iframe loads clientname.domainb.com
In that case my suggestion will not help.  It is intended for subdomains within the org/company domain (test.domain.com, www.domain.com, etc.).
Robert Saylor (author) commented:
It looks to be an IE 11 issue only. Windows 10 and Edge do not have this issue. Setting a cookie domain I don't think will make a difference, but to complicate it my program is encoded with ionCube, so it is not feasible to re-compile for every domain. I think the cookie handler might be the only true solution.
Ray Paseur commented:
>> IE 11 issue only
Are you saying this works in Safari, Chrome and Firefox?  Because if it does, then I am not understanding the question.
Robert Saylor (author) commented:
That is correct. It works in Firefox, Chrome and Safari, and works on IE 11 with privacy set to low, but when privacy is set to medium it does not work in IE. It also works in Windows 10 Edge.
Dave Baldwin (Fixer of Problems) commented:
I'm running IE11 on Win 7 with privacy and security set to medium and I'm not having any problems with session cookies.  I don't have a site using iframes at the moment, just 'regular' pages.  Can you give us a link we can check?
Robert Saylor (author) commented:
Go to www.viewmyplans.com

Login as vpmdemo
Pass demo

Then click on the first link in the list in the middle of the screen. It will ask for a password; use demo.

Enter a fake email then it will loop back to asking for the password because the session is not setting. Change your privacy to low and it works.
Robert Saylor (author) commented:
Correction: log in as vmpdemo, pass demo.
Dave Baldwin (Fixer of Problems) commented:
That login is not working here on Firefox.  Thought I'd check it on Firefox before going to IE11.
Robert Saylor (author) commented:
Btw it's only with iframe...
Dave Baldwin (Fixer of Problems) commented:
Yes, it is working the way you described but works fine when it is not in an iframe.  I don't have time to check it out anymore right now but I'll check back later.
Robert Saylor (author) commented:
Hi Dave,

I made a new site to test. Let me know what you think. I am leaning toward a Microsoft bug in IE.

1. visit http://www.viewmyplans.com

2. click on the login button

3. username: expertexchange

4. password: password

5. Click on the link "The password is password"

6. Type in the password "password" then enter in a fake email and click continue

With IE 11 using medium privacy in the cookies/sessions the session inside the iframe is not created and the program takes you back to the password prompt. If you change the privacy in sessions/cookies to low it works.

If you visit http://expertexchange.vmpclient.net and click on the link the session is created under medium privacy. It appears to only be through the iframe we have the issue.

I am looking for confirmation that this is an IE bug. This works in Firefox, Chrome and Safari with no issues. It also works fine with the Windows 10 Edge browser.
Dave Baldwin (Fixer of Problems) commented:
You appear to be correct.  I was hoping to use ieHTTPHeaders to verify that the session id was being set in the cookie but it won't work in IE11.
Robert Saylor (author) commented:
The big question is: is this a known bug, or should I submit a bug to IE?
Dave Baldwin (Fixer of Problems) commented:
I don't know whether it is known or not.  I installed Fiddler2 on that computer.  The entire problem is getting http://expertexchange.vmpclient.net/ to accept the cookie in the first place.  Once it is accepted, it returns it reliably with every request whether it is in the iframe or not.
Robert Saylor (author) commented:
Dave,

I put this at the top of the index.php inside the iframe and it worked.

header('P3P:CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"');

I am going to re-compile the file with SourceGuardian.
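The fix above, as a reusable bootstrap for the page loaded inside the iframe. This is an added example, not the asker's code; it assumes PHP 7.3 or later (for the array form of session_set_cookie_params) and that the file is included before any output is sent. Only IE evaluates P3P; other browsers ignore the header, so the session_start() call behaves as before for them.

```php
<?php
// Hypothetical bootstrap (added example): include as the very first statement of
// the iframe's index.php. header() and session_start() both fail once any output
// (including a BOM or whitespace before "<?php") has been flushed to the client.

// Compact policy from the thread. IE 11 at medium privacy reads it to decide
// whether to accept the session cookie from a third-party (iframe) origin.
// The tokens are statements about how the site handles data, so they should
// reflect the site's actual privacy policy.
const P3P_COMPACT_POLICY = 'CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"';

/**
 * Send the P3P header, then start the PHP session.
 * Returns false (and logs why) if headers were already sent, which is the
 * usual reason the cookie silently never reaches the browser.
 */
function startIframeSession(): bool
{
    if (headers_sent($file, $line)) {
        error_log("Cannot start session: output already started at $file:$line");
        return false;
    }

    header('P3P: ' . P3P_COMPACT_POLICY);

    // Cookie attributes that are sensible independent of the IE quirk.
    session_set_cookie_params([
        'lifetime' => 0,                         // browser-session cookie
        'path'     => '/',
        'secure'   => !empty($_SERVER['HTTPS']), // only over TLS when available
        'httponly' => true,                      // not readable from script
    ]);

    return session_start();
}

if (!startIframeSession()) {
    http_response_code(500);
    exit('Session could not be started.');
}
```

For a quick check that the header actually goes out, request the iframe page with a client that shows response headers and confirm both P3P and Set-Cookie are present on the first response. Current browsers do not honour P3P at all and instead require SameSite=None together with Secure for a cookie set inside a cross-site iframe.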

Robert Saylor (author) commented:
Dave,

It appears to be the fix. Can you try on your end with medium privacy?

Source: http://adamyoung.net/IE-Blocking-iFrame-Cookies
Dave Baldwin (Fixer of Problems) commented:
I agree.  It worked the first time without a loop around to the password page again.

I'll remember this.  I have never used an iframe but this is good to know.  I've seen things about having a Privacy Policy before but never used that either.
Robert Saylor (author) commented:
Thanks Dave,

Well, for those searching for this at least it's documented here now.
Robert Saylor (author) commented:
Thanks guys for helping work through this. Ray and Dave, you always answer my questions, and for that, thank you!