Internet Explorer 7 says no to sessions and cookies
Posted by Fred Wu
People might think that IE6 is really slowing down the advancement of web design and development, which is true. What some people don’t realise is that IE7 is just about as evil as IE6, as the web is evolving rapidly and making a new website is not difficult at all.
Today we have noticed a nasty bug that only happens in IE7. We built a website and it is being loaded in a frameset by other websites. In IE7, sessions and cookies do not work at all for this website (which has a different domain to the parent website).
After lots of research and debugging, we’ve finally identified this bug: IE7 incorrectly sets privacy settings for the website that is contained within a frameset and is not part of the main (parent) website. All sessions and cookies are therefore blocked.
Fortunately, there is a fix:
header('P3P: CP="ALL ADM DEV PSAi COM OUR OTRo STP IND ONL"');
The above line will ‘magically’ fix this IE7 bug.
I wish the IE family was bought out by other vendors, or alternatively, died peacefully.
On a side note, let’s wait and see what Google has to offer with Google Chrome.
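The header has to be sent by the framed site's own PHP, before any output and before session_start() sets the session cookie. The following PHP is an added example, not code from the original post; `start_framed_session()` and `cookie_without_p3p()` are hypothetical helper names, and the sample header lines are constructed.

```php
<?php
// Added example, not code from the original post.
// Compact policy tokens copied verbatim from the post's header() line.
const P3P_CP = 'ALL ADM DEV PSAi COM OUR OTRo STP IND ONL';

/**
 * Hypothetical helper: call at the top of every script on the framed site,
 * before any output, in place of a bare session_start().
 */
function start_framed_session(): void
{
    // Once output has started, header() only raises a warning and adds nothing,
    // so fail loudly instead of serving a cookie without the policy header.
    if (headers_sent($file, $line)) {
        throw new RuntimeException("Output already started at $file:$line; P3P header not sent");
    }
    header('P3P: CP="' . P3P_CP . '"');
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start(); // Set-Cookie goes out in the same response as the P3P header
    }
}

/**
 * Hypothetical check: given response header lines (for example from headers_list()),
 * return true when a cookie is set without an accompanying P3P compact policy.
 */
function cookie_without_p3p(array $headerLines): bool
{
    $setsCookie = false;
    $hasP3p = false;
    foreach ($headerLines as $lineText) {
        // Header names are case-insensitive; take the part before the first colon.
        $name = strtolower(trim(strstr($lineText, ':', true) ?: ''));
        if ($name === 'set-cookie') { $setsCookie = true; }
        if ($name === 'p3p' && stripos($lineText, 'CP=') !== false) { $hasP3p = true; }
    }
    return $setsCookie && !$hasP3p;
}

// Constructed sample responses: the framed page without and with the fix.
$withoutFix = ['Content-Type: text/html', 'Set-Cookie: PHPSESSID=abc123; path=/'];
$withFix = array_merge(['P3P: CP="' . P3P_CP . '"'], $withoutFix);
var_dump(cookie_without_p3p($withoutFix));
var_dump(cookie_without_p3p($withFix));
```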
Fred, sorry but, the session and the cookies work well in IE7. The fact is that it does not work with different domains (it works with subdomains) for logical security reasons.
Well, making a website broken is not logical to me. Besides, I don’t see how IE would be any securer than Firefox, Safari and Opera, etc.
Thank you SO much for this fix. I’ve been tearing my hair out all day trying to sort out this issue. I built the site on my local machine, everything worked fine. It works on all the REAL browsers like ff, safari, opera and even google chrome. It also works on most versions of ie (confusingly it worked on some versions of ie 7 as well :S), but on my ie 7 and a few other copies, it stubbornly refused to work.
I wish I’d found this post earlier in the day. That one line of code was the solution to about 5 hours of struggling.
THANK YOU.
I admin a system where everyone logs in with just a username, no passwords. Then someone decided some reasonable security was in order, and we start requiring a password. So you call us angrily and say that breaking the program for you is not logical.
You can disregard security practices all you want, but don’t expect the world to accommodate you.
I highly regard security, as a matter of fact, from the very beginning of my programming career I have been obsessed with security. But that doesn’t mean one could go over the top and make security measures that have huge trade-offs.
Some of the security measures Microsoft has introduced are really laughable, just ask how many people turn off UAC as the first thing when they use Windows Vista. Similar security measures have been in place on *nix (including OS X) systems for ages but apparently Microsoft decided to come over the top and make user experience far worse.
Two questions regarding your header…
1- How to have it in html ?
I’m thinking of something like:
2- In which file to have it ? In the file containing the frameset or in each included frame file ?
Thanks !
Stephane
Internet Explorer does not support my asp classic application but all other browsers do………
I am facing a problem in Internet Explorer with my ASP classic application. I am working on an ASP application which is a kind of search engine that returns results depending upon certain criteria. This application is working fine on all browsers except Internet Explorer. In IE, after 2-3 results the sessions get mixed up or blank, resulting in a wrong result or an error. There is no technical error, as none of the other browsers shows this kind of problem. I need to delete the cookies in order to make it work well again on IE. Can anyone help me with this issue?
Hi,
Unfortunately for me it’s not working :
A page of my website, called iframe.php uses frameset.
The first frame is just a small php file fixed on the top, in order to see the banner and some information from a sql database.
The 2nd is a whole website (commercial), and when I try to order something the caddie stays empty.
If i turn the security to lower (on ie), it works. It works fine too on FF and Chrome.
So, it’s really the same problem, but writing:
header('P3P: CP="ALL ADM DEV PSAi COM OUR OTRo STP IND ONL"');
just before session_start(); is not working at all …
I also use this (necessary for us :)
$CR_ini_set = ini_set("session.gc_maxlifetime", "3600");
define("_PATH_TMP", "./../sessions");
ini_set('session.save_path', _PATH_TMP);
session_cache_expire(60);
header('P3P: CP="ALL ADM DEV PSAi COM OUR OTRo STP IND ONL"');
session_start();
Any idea ?
Thanks for your answer,
Franck
In fact, where to put
header('P3P:CP=…
???
in the page declaring the frameset ? or in the first frame ?