Session Lost in iFrame (P3P Issue)

Problem: If you have iFrame or multiple frameset in your ASP.NET page, session is lost in the child frame.

Session ID: If you use Response.Write to show the Session.SessionID of your page, you'd notice that it's actually changing on every postback.

Cause: Due to the browser and Platform for Privacy Preferences (P3P) natures, the child frame will be considered as third party site if the top level domain is different between the parent and child frame. Therefore, default privacy settings of IE (medium) will be used and reject any cookies sent from the third party site (that is your child frame).

Solution: Apart from altering the settings in IE (which may not be possible due to client company security reason as in my case), the easiest solution is to add a header to the base page and acknowledge it can trusted to the parent site.

For example,

    public class BasePage : System.Web.UI.Page
        public BasePage() {}

        protected override void OnInit(EventArgs e)
            Response.AddHeader("p3p", "CP=\"IDC DSP COR ADM DEVi TATi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");


Published Wednesday, October 13, 2010 1:15 PM by Colt
Filed under:


# re: Session Lost in iFrame (P3P Issue)

This is because by default session is cookie based. Cookie from iframe is regarded as third party cookie and not allowed.

1. Just add a header will solve your problem on certain browser, but not enough for other scenarios, eg. ie 8 on windows 7.

2. Implement P3P policy properly by having policly file will solve problem on most of browsers but not safari. Safari says P3P is out of date, so when they build the browser, they did not consider it.

3. We eventually have to go cookieless session, that works. Price to pay is sessionid showing in address, also, ajax call is affected, since even calling local web service, will have sessonid embedded.

Monday, October 25, 2010 8:29 AM by 刘壮

# re: Session Lost in iFrame (P3P Issue)

Wednesday, December 7, 2011 11:31 PM by vinodkotiya