IFRAME cross-origin session loss

The project encountered a very difficult problem. Embed another Web application in an application using IFRAME, but the value is clearly put in the session, but it cannot be obtained. After several twists and turns, the emperor finally found the key lifeline.

 

Recently, a system (a) needs to integrate the functions of the existing system (B) IN SYSTEM (.
Of course, system (B) features impose logon restrictions during access. (All in general: After logging on to the system, put the userid into the session, and add the userid judgment in the session on the specific function page,
If the userid in the session does not exist, go to the logon page. Otherwise, the session will continue to be loaded and display properly .)
In system (a), the function of accessing System (B) is nothing more than bypassing System (B) login. (The general practice is to first jump to a page in system (B), on which the userid is inserted into the session,
Then automatically jump to the function page to be accessed)
The above practices are feasible when the framework structure is not used, but rather simple.
However, if system (a) uses the framework structure, that is, the function page in system (B) needs to be embedded in the framework of system (a), unexpected problems may occur,
Specifically, system (B) jumps to the login page and the session is lost.
Why?
Because the application needs to access different domains under different frames on a page, the session is lost.
Root cause:
The p3p (Platform for privacy preferences Project (p3p) Specification) protocols supported by IE6 and IE7 prevent third parties from using cookies without privacy security claims by default. Firefox does not currently support p3p security features, this problem does not occur in Firefox. For more information about Mircosoft, see privacy in Internet Explorer 6.

The solution is to output the Host Header declaration of p3p In the content to be embedded (the site to which IFRAME points:
PHP:
Header ('p3p: Cp = "idc dsp cor ADM Devi taII psa psd ivai ivdi coni his our ind CNT "');

Asp.net:
Httpcontext. Current. response. addheader ("p3p", "cp = \" "idc dsp cor ADM Devi taII psa psd ivai ivdi coni his our ind CNT \""")

JSP:
Response. setheader ("p3p", "cp = 'idc DSP cor ADM Devi taII psa psd ivai ivdi coni his our ind CNT '")

ColdFusion: