Session variables are lost if you use FRAMESET in Internet Explorer 6
This article was previously published under Q323752

SYMPTOMS
If you implement a FRAMESET whose FRAMEs point to other Web sites on the networks of your partners or inside your network, but you use different top-level domain names, you may notice in Internet Explorer 6 that any cookies you try to set in those FRAMEs appear to be lost. This is most frequently experienced as a loss of session state in an Active Server Pages (ASP) or ASP.NET Web application. You try to access a variable in the Session object that you expect to exist, and a blank string is returned instead.

You also see this problem in a FRAMEs context if your Web pages alternate between the use of Domain Name System (DNS) names and the use of Internet Protocol (IP) addresses.

CAUSE
Internet Explorer 6 introduced support for the Platform for Privacy Preferences (P3P) Project. The P3P standard notes that if a FRAMESET or a parent window references another site inside a FRAME or inside a child window, the child site is considered third party content. Internet Explorer, which uses the default privacy setting of Medium, silently rejects cookies sent from third party sites.

RESOLUTION
You can add a P3P compact policy header to your child content, and you can declare that no malicious actions are performed with the data of the user. If Internet Explorer detects a satisfactory policy, then Internet Explorer permits the cookie to be set.

Visit the following MSDN Web site for a complete list of satisfactory and unsatisfactory policy codes:
Privacy in Internet Explorer 6 (http://msdn.microsoft.com/workshop/security/privacy/overview/privacyie6.asp)

A simple compact policy that fulfills these criteria follows:

This code sample shows that your site provides you access to your own contact information (CAO), that any analyzed data is only "pseudo-analyzed", which means that the data is connected to your online persona and not to your physical identity (PSA), and that your data is not supplied to any outside agencies for those agencies to use (OUR).

You can set this header if you use the Response.AddHeader method in an ASP page. In ASP.NET, you can use the Response.AppendHeader method. You can use the IIS Management Snap-In (inetmgr) to add the header to a static file. Follow these steps to add this header to a static file:
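
A way to find which framed responses are affected, as an added example that is not part of the original article and not the static-file steps: it reads raw response headers and flags any response that sets a cookie without a P3P compact policy. The sample responses, host names and cookie values are constructed, and the header value is assembled from the three tokens (CAO, PSA, OUR) described above; whether a policy is satisfactory still has to be checked against the MSDN list.

```python
import re

# Matches the compact-policy part of a P3P header, e.g. CP="CAO PSA OUR".
CP_RE = re.compile(r'\bCP\s*=\s*"([^"]*)"', re.IGNORECASE)

# Constructed sample responses (hosts, cookie names and values are made up).
SAMPLES = {
    "http://partner.example/menu.asp": (
        "HTTP/1.1 200 OK\r\n"
        "Set-Cookie: ASPSESSIONIDEXAMPLE=ABCDEF; path=/\r\n"
        "Content-Type: text/html\r\n\r\n"
    ),
    "http://partner.example/cart.aspx": (
        "HTTP/1.1 200 OK\r\n"
        'P3P: policyref="/w3c/p3p.xml", CP="CAO PSA OUR"\r\n'
        "Set-Cookie: ASP.NET_SessionId=constructed; path=/\r\n\r\n"
    ),
    "http://partner.example/logo.gif": (
        "HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\n"
    ),
}


def parse_headers(raw):
    """Return (lowercased name, value) pairs from a raw HTTP response head."""
    pairs = []
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line:                   # blank line ends the header block
            break
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_response(raw):
    """Classify one framed response; return (verdict, compact-policy tokens)."""
    headers = parse_headers(raw)
    sets_cookie = any(name == "set-cookie" for name, _ in headers)
    match = CP_RE.search(" ".join(v for n, v in headers if n == "p3p"))
    tokens = match.group(1).split() if match else []
    if not sets_cookie:
        return "no-cookie", tokens
    # A cookie sent without any compact policy is the case this article describes.
    return ("cookie-with-policy" if tokens else "cookie-without-policy"), tokens


if __name__ == "__main__":
    for url, raw in SAMPLES.items():
        print(url, *audit_response(raw))
```

Responses reported as cookie-without-policy are the ones whose cookies Internet Explorer 6 at the Medium setting rejects when the page is loaded as third party content in a FRAME.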

STATUS
This behavior is by design.

MORE INFORMATION
Steps to reproduce the behavior

REFERENCES
For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
283185 (http://support.microsoft.com/kb/283185/) How to manage cookies in Internet Explorer 6
290333 (http://support.microsoft.com/kb/290333/) Description of Platform for Privacy Preferences (P3P) project
293222 (http://support.microsoft.com/kb/293222/) The default privacy settings for Internet Explorer 6