Session eset while browsing in an IFrame

[avdbrink]

I'm building an application wich should be used by other websites
inside an iFrame. My app stores some sessionvariables, but sometimes
in IE (6 and 7) IIS seems to restart the session on each pageload. It
does this when I post the page, or request the page, no matter what.
My sessionId is changing, wich prevents me from storing for example a
shoppingcart in the users session.

Weirdest thing is that it works fine in Firefox (never saw a problem),
but in IE it sometimes doesn't work and sometimes it does...

Server is Windows 2003 standard, using IIS
Clients are some different machines running Firefox, IE 6 and IE 7
Applications uses nothing more than ASP, VBScript.

Any ideas?

Thanx in advance!

Arno

 

[Bookham Measures]

I'm building an application wich should be used by other websites
inside an iFrame. My app stores some sessionvariables, but sometimes
in IE (6 and 7) IIS seems to restart the session on each pageload. It
does this when I post the page, or request the page, no matter what.
My sessionId is changing, wich prevents me from storing for example a
shoppingcart in the users session.

Weirdest thing is that it works fine in Firefox (never saw a problem),
but in IE it sometimes doesn't work and sometimes it does...

Server is Windows 2003 standard, using IIS
Clients are some different machines running Firefox, IE 6 and IE 7
Applications uses nothing more than ASP, VBScript.

Any ideas?

Thanx in advance!

Arno

IE will consider your ASP Session Cookies as "3rd Party" and based on
privacy settings will block them.

Say someone goes to two different websites, both of which host your IFrame
page. Well with a bit of tracking you could know that the person had
visited each website. This is a breach of the persons privacy. If they go
to website A and then B, it is none of your business, or at least thats what
M$ think. Consider the implications of advertising networks AdTech,
DoubleClick etc. They could know you search Amazon and eBay for a d*ldo so
would tailor ads on other sites for you accordingly.

 

[Anthony Jones]

I'm building an application wich should be used by other websites
inside an iFrame. My app stores some sessionvariables, but sometimes
in IE (6 and 7) IIS seems to restart the session on each pageload. It
does this when I post the page, or request the page, no matter what.
My sessionId is changing, wich prevents me from storing for example a
shoppingcart in the users session.

Weirdest thing is that it works fine in Firefox (never saw a problem),
but in IE it sometimes doesn't work and sometimes it does...

Server is Windows 2003 standard, using IIS
Clients are some different machines running Firefox, IE 6 and IE 7
Applications uses nothing more than ASP, VBScript.

Any ideas?

Most likely due to some clients having browser cookie handly policies set to
reject even session level cookies.

"sometimes" needs more definition. Do you mean sometimes a client that is
working normally fails? Or do you actually mean some clients just don't
work?

IIS 6? Is the application pool recycling? Anything odd in the event log?

 

[avdbrink]

Most likely due to some clients having browser cookie handly policies set to
reject even session level cookies.

"sometimes" needs more definition. Do you mean sometimes a client that is
working normally fails? Or do you actually mean some clients just don't
work?

IIS 6? Is the application pool recycling? Anything odd in the event log?

@Bookham
But my session runs inside 1 iFrame, and I do not need to know if the
user is visiting another site with the same iFrame included. I just
want to keep track of my own session, in the current iFrame. What's
the security risk in that case?

@Anthony:
"Sometimes" means that I can use the application normally from time to
time, but sometimes, on the same machine, using the same browser, on
the same internetconnection, the application stops to work correctly.
Yes, using IIS6, no application pool recycling an no odd events in the
log.
And again: FireFox works perfectly!

Any other thoughts would be appriciated.

Thanx

Arno

 

[avdbrink]

@Bookham
But my session runs inside 1 iFrame, and I do not need to know if the
user is visiting another site with the same iFrame included. I just
want to keep track of my own session, in the current iFrame. What's
the security risk in that case?

@Anthony:
"Sometimes" means that I can use the application normally from time to
time, but sometimes, on the same machine, using the same browser, on
the same internetconnection, the application stops to work correctly.
Yes, using IIS6, no application pool recycling an no odd events in the
log.
And again: FireFox works perfectly!

Any other thoughts would be appriciated.

Thanx

Arno- Tekst uit oorspronkelijk bericht niet weergeven -

- Tekst uit oorspronkelijk bericht weergeven -

Well, thanks for thinking along, but I just found the answer.

It's a IE problem started from IE 6 wich introduced Platform for
Privacy Preferences (P3P) Project. This makes my Iframe content "third
party content" and sets the privacy setting to Medium, silently
rejecting cookies sent from my site.

Adding a custom header to my app telling the brwoser that it's "good"
content solved the problem!

More info: http://support.microsoft.com/default.aspx?scid=kb;en-us;
323752

Thanks again!

Arno