ILearnable .Net

May 12, 2009

Setting a cookie from within iframe on different site

Filed under: Uncategorized — andreakn @ 11:14

The site I’m working on is accessed through partners’ sites via iframes: users log in to the partner, the partner opens an iframe to our site with encrypted URL parameters (including a shared timestamp) that tell us who the user is, which in effect logs the user into our site. We could have used ASP.NET cookieless sessions to track the user (you end up with a GUID-like session ID in every URL), but that would not be very safe. HTTPS does encrypt the URL on the wire, so a network attacker cannot simply read it, but a session ID in the URL leaks through other channels: the Referer header of any outbound link, browser history, proxy and web-server logs, and any link or bookmark the user copies or shares. Anyone who obtains that ID can hijack the session, and a session ID that arrives in a URL can also be planted by an attacker (session fixation). As we are handling monetary transactions, that is not acceptable.

This means we fall back to cookie-based session management, where the session ID travels in a cookie inside the HTTPS request (mark the cookie Secure and HttpOnly so it is never sent in the clear and cannot be read by script). For most browsers, storing a cookie set by a site inside an iframe is no big deal, but Internet Explorer (!) is pickier. If the iframe points at a different site than the top-level page (as it does in our case), the cookie is a third-party cookie, and IE’s default (Medium) privacy setting silently drops third-party cookies that do not come with a P3P compact policy. There are two ways around this:

  • Get all your users to set their privacy settings in IE to the lowest level (obviously not a viable solution).
  • Use the P3P protocol to inform IE that you’re not a criminal.

The P3P protocol is thoroughly documented in the W3C specification; for our purposes it boils down to the following policy reference file, served as /w3c/p3p.xml:

<META xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY-REFERENCES>
    <POLICY-REF about="/w3c/mysite.p3p#mysite">
      <INCLUDE>/*</INCLUDE>
      <COOKIE-INCLUDE/>
    </POLICY-REF>
  </POLICY-REFERENCES>
</META>

If you need different policies for different parts of your site, add one POLICY-REF per policy and list the paths it covers in its INCLUDE elements (EXCLUDE carves out exceptions).

  • Add a .p3p file at the location given (as a relative URL) in the about attribute of p3p.xml. The file can be generated with the p3peditor; while you are in the editor, check the “HTML Policy” tab => “Policy Evaluation” to see whether the policy you are defining will be accepted by IE at the default (Medium) privacy level.
  • Make sure IIS actually serves the .p3p file (you may have to add a MIME type for the extension, through the management console in IIS5/IIS6 or web.config in IIS7):

<system.webServer>
  <staticContent>
    <mimeMap fileExtension=".p3p" mimeType="text/xml" />
  </staticContent>
</system.webServer>

  • Add a P3P response header carrying the compact version of your policy (replace *REPLACE_ME* in the example below with the compact-policy tokens the p3peditor generates from your .p3p file). IE bases its cookie decision on these compact tokens, so this header is what actually unblocks the cookie; set it through the management console in IIS5/IIS6 or web.config in IIS7:
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="P3P" value="policyref=&quot;/w3c/p3p.xml&quot;, CP=&quot;*REPLACE_ME*&quot;" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

That should do the trick.
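The two messages of the flow described above (the partner’s identity handoff in the iframe URL, and our cookie-setting response with the P3P header), as an added example in Python that is not the site’s own .NET code. It signs the handoff with an HMAC over a timestamp and a nonce where the post talks about encrypted parameters; the shared key, the 5-minute freshness window, the /w3c/p3p.xml location and the compact-policy tokens are placeholders to be replaced with your own values.

```python
"""Partner handoff into the iframe, then the cookie-setting response.

Added example, not the blog's own code. Two messages from the post:
  1. the partner's URL parameters that tell our site who the user is
     (HMAC-signed over a timestamp and nonce; the post says "encrypted",
     the signature is a stand-in giving the same authenticity guarantee)
  2. our response: a random server-side session ID in a Secure, HttpOnly
     cookie, plus the P3P header IE needs before it keeps a third-party cookie.
"""
import hashlib
import hmac
import re
import secrets
import time
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode

# Hypothetical values: use the real shared secret, and the compact-policy
# tokens the P3P editor generates from your .p3p file.
SHARED_KEY = b"example-shared-key-replace-me"
MAX_SKEW_SECONDS = 300               # how old a handoff may be before it is rejected
POLICY_REF = "/w3c/p3p.xml"
COMPACT_POLICY = "NOI DSP COR NID"   # placeholder tokens, not a real policy

_seen_nonces: Dict[str, int] = {}    # nonce -> timestamp, blocks replay inside the window


def _signing_input(user_id: str, ts: int, nonce: str) -> bytes:
    # urlencode percent-escapes '&' and '=', so the fields cannot run into each other
    return urlencode([("uid", user_id), ("ts", ts), ("nonce", nonce)]).encode()


def partner_build_iframe_query(user_id: str, now: Optional[int] = None) -> str:
    """Partner side: build the query string that goes into the iframe src."""
    ts = int(time.time()) if now is None else now
    nonce = secrets.token_hex(16)
    sig = hmac.new(SHARED_KEY, _signing_input(user_id, ts, nonce), hashlib.sha256).hexdigest()
    return urlencode([("uid", user_id), ("ts", ts), ("nonce", nonce), ("sig", sig)])


def site_verify_handoff(query: str, now: Optional[int] = None) -> Optional[str]:
    """Our side: return the user ID if the handoff is authentic, fresh and unused."""
    try:
        params = parse_qs(query, strict_parsing=True)
        user_id = params["uid"][0]
        ts = int(params["ts"][0])
        nonce = params["nonce"][0]
        sig = params["sig"][0]
    except (KeyError, ValueError, IndexError):
        return None                                   # malformed query
    current = int(time.time()) if now is None else now
    if abs(current - ts) > MAX_SKEW_SECONDS:
        return None                                   # stale handoff
    expected = hmac.new(SHARED_KEY, _signing_input(user_id, ts, nonce), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None                                   # tampered or forged
    for old_nonce, old_ts in list(_seen_nonces.items()):
        if abs(current - old_ts) > MAX_SKEW_SECONDS:
            del _seen_nonces[old_nonce]               # forget nonces outside the window
    if nonce in _seen_nonces:
        return None                                   # replayed handoff
    _seen_nonces[nonce] = ts
    return user_id


def site_login_response_headers(user_id: str, session_store: Dict[str, str]) -> List[Tuple[str, str]]:
    """Create the session server-side and return the headers for the iframe response."""
    session_id = secrets.token_urlsafe(32)            # the cookie carries only a random ID
    session_store[session_id] = user_id
    return [
        # IE reads the CP tokens from this header before deciding to keep the cookie
        ("P3P", f'policyref="{POLICY_REF}", CP="{COMPACT_POLICY}"'),
        # Secure: HTTPS only; HttpOnly: hidden from script; SameSite=None: required by
        # current browsers for a cookie set inside a cross-site iframe
        ("Set-Cookie", f"sid={session_id}; Path=/; Secure; HttpOnly; SameSite=None"),
    ]


def parse_p3p_header(value: str) -> Dict[str, object]:
    """Split a P3P header value into its policyref and the list of compact-policy tokens."""
    ref = re.search(r'policyref="([^"]*)"', value)
    cp = re.search(r'CP="([^"]*)"', value)
    return {"policyref": ref.group(1) if ref else None,
            "cp": cp.group(1).split() if cp else []}


if __name__ == "__main__":
    store: Dict[str, str] = {}
    query = partner_build_iframe_query("alice")
    user = site_verify_handoff(query)
    print("handoff accepted for", user)
    for name, val in site_login_response_headers(user, store):
        print(f"{name}: {val}")
    print("replay accepted?", site_verify_handoff(query) is not None)
```

The timestamp window alone does not stop an attacker who captures the iframe URL from replaying it within the window, which is why the nonce is remembered and rejected on reuse. Two caveats that postdate the original post: current browsers require SameSite=None; Secure on any cookie set inside a cross-site iframe, and P3P itself is only honoured by Internet Explorer (the W3C retired the specification in 2018 and Chromium-based browsers ignore the header), so the header is harmless elsewhere but does nothing there.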

The free p3peditor isn’t exactly the most intuitive piece of software in the world, so there is a commercial alternative that’ll set you back about $39. Supposedly it’s easier to use.
