Solving the session failure problem when an IFRAME references a cross-origin site page

Source: Internet
Author: User
Tags: compact form post
Problem scenario:
In a page of one application (the group portal), an IFRAME embeds a page of another application (the group real-time supervision system). When the two applications are on different domains, the session fails on the embedded page. (The session is cookie-based, and the browser does not accept the embedded page's cookies in this third-party context.)

Problem Analysis:
IE6/IE7 support the P3P (Platform for Privacy Preferences Project) specification and, for security reasons, by default block third-party cookies that carry no privacy declaration. Firefox does not implement the P3P feature and is therefore not affected.

Solution:
1. Modify client settings
Allow the client to accept cookies from any website (in the Privacy tab of IE's Internet Options, add site B as a trusted site), or add both domain names as trusted sites.

2. Modify the application domain
Simple solution: put both applications on the same domain.

Complex solution: set document.domain (the original text's "setdomain") in both the containing page and the page loaded by the IFRAME, so that both are treated as the same domain.

3. P3P
First, have the content to be embedded (the site the IFRAME points to) send a P3P declaration in its HTTP response headers. The steps are as follows:
> Open IIS Manager (inetmgr)
> Select the site or directory that is the IFRAME source, right-click and open its Properties dialog
> Switch to the HTTP Headers tab
> Click Add
> Custom HTTP header name: P3P
> Custom HTTP header value: CP="CAO PSA OUR"
> Close the Properties dialog; the change takes effect immediately.

Alternative: add the following statement in the embedded page's Page_Load:
Response.AddHeader("P3P", "CP=CAO PSA OUR");

--------------------------------------------------------------------------------

IFRAME cross-origin session loss in IE

During development we often work with frames, sometimes to integrate with other websites across multiple domains, and the IFRAME then cannot keep its session. There are many related articles on the Internet. If the site can use it, configure the sessionState element in web.config as follows:
<sessionState mode="StateServer"
    stateConnectionString="tcpip=127.0.0.1:42424"
    sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
    cookieless="false"
    timeout="40" />
and change cookieless="false" to "true". There is a small problem with this, however: if a page redirects by assigning window.location.href in JavaScript, the system treats it as a new request and generates a new session ID, so the original session is lost all the same. It is therefore better to keep using Response.Redirect() for redirection.

Besides the IFRAME session loss, a frameset has the same problem, and with a frameset it is even less predictable: sometimes the session is lost and sometimes it is not, which is a headache. I found a method on the Internet and added a statement to Page_Load:
Response.AddHeader("P3P", "CP=CAO PSA OUR");
This solved the session loss in the frameset. As for the specific reason, I have not had time to look into it.

The simplest way is to set it in IIS.

Solution

Response.AddHeader("P3P", "CP=CAO PSA OUR");

But do we need to add this to every page?

Not required.

If you have permission to configure the IIS server:

Open IIS

Administrative Tools --> select a website --> Properties --> HTTP Headers, add an HTTP header
Header name: P3P
Header value: CP=CAO PSA OUR

If you do not have permission to configure the IIS server but you are using ASP.NET:

You can use an HttpModule to insert the required header into the responses of all or some of the pages.

A directory on this site is implemented in this way.
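As an added example (not the page's or the site's own code), here is the same idea of one module adding the header to all or some pages, written as a WSGI middleware in Python rather than as an ASP.NET HttpModule. The path prefix /embedded/, the demo application and its Set-Cookie value are constructed for illustration; the CP value is the one used on the page.

```python
# Added example, not code from the original posts: a WSGI middleware that
# appends the P3P compact-policy header to every response, or only to
# responses under configured path prefixes (the "some pages" / one-directory
# case). Prefixes and the demo app are assumptions for illustration.
from typing import List, Tuple

Headers = List[Tuple[str, str]]

# The compact policy used on the page: CAO PSA OUR.
DEFAULT_CP = 'CP="CAO PSA OUR"'


class P3PHeaderMiddleware:
    """Append a P3P header to responses whose path matches one of the prefixes.

    prefixes=None means every response gets the header (the "all pages" case);
    a list such as ["/embedded/"] limits it to one directory (the "some pages" case).
    """

    def __init__(self, app, cp_value: str = DEFAULT_CP, prefixes=None):
        self.app = app
        self.cp_value = cp_value
        self.prefixes = tuple(prefixes) if prefixes else None

    def _applies(self, path: str) -> bool:
        return self.prefixes is None or path.startswith(self.prefixes)

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "/")

        def wrapped_start_response(status, headers: Headers, exc_info=None):
            if self._applies(path):
                # Do not duplicate a header the page already set itself
                # (e.g. via Response.AddHeader in Page_Load).
                if not any(name.lower() == "p3p" for name, _ in headers):
                    headers = headers + [("P3P", self.cp_value)]
            return start_response(status, headers, exc_info)

        return self.app(environ, wrapped_start_response)


def demo_app(environ, start_response):
    """Minimal application standing in for the embedded site's pages (constructed)."""
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Set-Cookie", "ASP.NET_SessionId=example; path=/")])
    return [b"<html><body>embedded page</body></html>"]


def response_headers(app, path: str) -> dict:
    """Run one GET request through a WSGI app and return status, headers and body."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    captured["body"] = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"},
                                    start_response))
    return captured


if __name__ == "__main__":
    site_wide = P3PHeaderMiddleware(demo_app)
    one_dir = P3PHeaderMiddleware(demo_app, prefixes=["/embedded/"])
    print(response_headers(site_wide, "/index.aspx")["headers"])
    print(response_headers(one_dir, "/embedded/view.aspx")["headers"])
    print(response_headers(one_dir, "/admin/home.aspx")["headers"])
```

The middleware checks for an existing P3P header before appending, so pages that already set the header in Page_Load are left alone; the prefix list is the equivalent of applying the IIS setting to one directory instead of the whole site.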

2. Using the P3P header to solve IFRAME cross-origin cookie access

Source: http://blog.csdn.net/wonder4/archive/2008/02/27/2125804.aspx

While integrating several applications recently, I ran into the problem that a page in an IFRAME could not obtain its cookie (session). After some Googling I finally solved it, and I want to record it here.
This was my requirement.
One application is developed in .NET. It mainly handles user logon and user access permissions and is deployed in the Shanghai data center; call it application A.
The other application is developed in Java, mainly for specific business operations, and is deployed in the Beijing data center; call it application B.
Because an application for user management and permissions already exists, the Java application B has no user-permission functions of its own and wants to use the .NET application A directly.

The user access flow is as follows:
1. The user logs on to A first. A sets its own cookie, and the menu of A contains a link to B's application.
2. When the user clicks the link to B's application, A automatically appends the user's token to the link and passes it to B's system.
3. After system B receives the request, it stores the user's token in a cookie of its own system. (System B has form POST operations. Without a cookie or session, every request, whether GET or POST, would have to carry the user's token explicitly; that would mean a large amount of change to the system, and changing the permission-verification method later would also be a large job.)
4. In system B, no token is supplied with each operation, so the token is read from the cookie and an HTTP request is sent to system A, asking system A to verify whether the user has access permission.
5. If system A's interface returns an accessible status, system B continues to execute the report. If system A indicates that there is no access permission, system B shows an access-denied warning message.

All development was finished, but when the integration went live I found that this flow did not work. I thought about it for a long time without understanding what was going on. After a long time on Google it turned out that IE is the culprit: IE does not allow cross-origin access to cookies (Firefox seems to be fine; IE has followed the W3C P3P protocol since version 6.0). Looking at my application, the cookie set in step 2 is blocked by IE for all of application B's requests after step 3, because the user's access originates from application A, and accessing application B's content from application A is treated by IE as a cross-origin privacy issue. (There is a red-eye icon in the IE status bar; click it to see which cookies have been blocked.)

Once the cause is understood, the fix is easy, and Google shows that the P3P header solves the problem!
The following is one of the Java solutions, and also mine, though the approach is not very elegant:
Add a P3P header to the response.
response.addHeader("P3P", "CP=\"IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA\"");

CP="xxx xxxx" has a specific meaning:
CP stands for Compact Policies.
In addition, the header value can also contain policyref="http://myhost/p3p/policyreferences.xml", which specifies a policy reference file.

For details, see here.

The following is the range and meaning of the compact policy values, extracted from the specification.
Compact policies
Compact policies are essentially summaries of P3P policies. User agents can use them to quickly get approximate information about P3P policies, thereby improving performance.

For an in-depth explanation of compact policies, we refer to the P3P 1.0 [4] specification. Here we limit ourselves to stating the syntax:

compact-policy-field = 'CP="' compact-policy '"'

compact-policy = compact-token *(" " compact-token)

compact-token = compact-access |
                compact-disputes |
                compact-remedies |
                compact-non-identifiable |
                compact-purpose |
                compact-recipient |
                compact-retention |
                compact-categories |
                compact-test

compact-access = "NOI" | "ALL" | "CAO" | "IDC" | "OTI" | "NON"

compact-disputes = "DSP"

compact-remedies = "COR" | "MON" | "LAW"

compact-non-identifiable = "NID"

compact-purpose = "CUR" | "ADM" [creq] | "DEV" [creq] | "TAI" [creq] |
                  "PSA" [creq] | "PSD" [creq] | "IVA" [creq] | "IVD" [creq] |
                  "CON" [creq] | "HIS" [creq] | "TEL" [creq] | "OTP" [creq]

creq = "a" | "i" | "o"

compact-recipient = "OUR" | "DEL" [creq] | "SAM" [creq] | "UNR" [creq] |
                    "PUB" [creq] | "OTR" [creq]

compact-retention = "NOR" | "STP" | "LEG" | "BUS" | "IND"

compact-categories = "PHY" | "ONL" | "UNI" | "PUR" | "FIN" | "COM" |
                     "NAV" | "INT" | "DEM" | "CNT" | "STA" | "POL" |
                     "HEA" | "PRE" | "LOC" | "GOV" | "OTC"

compact-test = "TST"

This article is from the CSDN blog; when reproducing it, please indicate the source: http://blog.csdn.net/wonder4/archive/2008/02/27/2125804.aspx

There is also a P3P validation tool: http://www.w3.org/p3p/validator.html, which checks the P3P settings of a site. There is also a good blog post by a foreign author that you can refer to: http://www.sitepoint.com/article/p3p-cookies-ie6/2
------------------------------------------------------------------------------------------------------------------------------------------------------
Using P3P to optimize privacy parameters
Time: 19:25:05 Source: Author:
I happened to notice P3P in Yahoo's response headers, looked it up online and am storing it here.
<?php
// The original omitted the URL argument, which get_headers() requires;
// the URL below is an assumption based on the redirect shown in the output.
print_r(get_headers("http://www.yahoo.com"));
?>
The result is as follows:
Array
(
[0] => HTTP/1.1 301 moved permanently
[1] => date: Mon, 17 Sep 2007 05:33:26 GMT
[2] => location: http://cn.yahoo.com/
[3] => connection: Close
[4] => Content-Type: text/html
[5] => HTTP/1.1 200 OK
[6] => date: Mon, 17 Sep 2007 05:33:26 GMT
[7] => P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
[8] => connection: Close
[9] => Content-Type: text/html
)

Reprinted below

Author: Builder.com
Monday, May 20 2002 AM

The Platform for Privacy Preferences (P3P) is an XML standard for describing the privacy and user-information policies of websites. With P3P, a site owner can describe what information the site collects and how it is used. Without P3P, some users have to lower their security settings in order to submit forms or browse sites that use cookies. With P3P, a user agent can act on the user's behalf during network activity. This article gives a basic overview of P3P.

The five objectives of P3P announced by the W3C are as follows:
A standard schema for the data websites collect, the so-called P3P base data schema
A standard set of uses, recipients, data categories and other privacy disclosures
An XML format for expressing privacy policies
A way to associate privacy policies with web pages, websites and cookies
Transport of P3P policies over HTTP

--------------------------------------------------------------------------------

P3P implementation
A P3P deployment consists of one or more policy files, a policy reference file, and an HTTP header sent by the origin server. The policy files should be stored in the W3C directory of the web server (/W3C).

You may wish to plan and evaluate your website's existing privacy policies. If you do not have such a policy, make one before implementing P3P. For privacy policy examples, see Sun's website. Now let's look at the basic steps for implementing P3P.

1. Create a policy file (policy.p3p)
First, create the policy file. This XML file describes precisely what information is collected and how it is used. Remember that P3P works on an "only what is declared is permitted" basis: only the data described in the policy file may be collected, and the specification says nothing about data or processing left out of the policy. As a result the policy file can contain a lot of information; fortunately, the IBM P3P Policy Editor can help you create such files.

The policy file contains at least one statement about the website, describing the data collected and how it is used. Listing A is an example of implementing your own policy.

The collected data follows the data structure specified in the P3P base data schema. If multiple statements are used, each statement has its own purpose and data list (for example, a website may need different statements for cookies, registration and shopping). The IBM P3P Policy Editor includes no custom data fields by default, but, following the W3C proposal, we recommend that you include the custom data the website collects (for example: "user home address"). It is also best to include a safe-zone statement in the file; the safe zone is the part of the website whose information is not tied to a specific user.

2. Create a policy reference file (policy.xml)
After writing the policy file, create the policy reference file. Different website directories can use different privacy policies, but most websites apply a single policy to the entire site. Creating the policy reference file is the easiest step in the process, but make sure the URL and policy name (#generalpolicy) of the P3P policy file are correct. The file's elements are only the paths of the directories to which the policy applies; the policy reference example in Listing B covers all paths under the root directory.

3. Configure the server
To actually use P3P, you must configure your server to send an HTTP header pointing to the policy reference file. The configuration varies with the server product. If you do not have permission to access the server, you may have to use the <link> tag or write the corresponding code.

In the following example, P3P is the name of the HTTP header, and everything after the colon is the header value, which has two parts: the URL of the policy reference file and the compact policy (CP).
P3P: policyref="http://www.mysite.com/w3c/p3p.xml", CP="ALL DSP COR NID CUR OUR IND PUR"

CP is a list of three-character codes (described on the W3C website). In the preceding example, the website collects data about purchased items (PUR) or current activity (CUR) for its own use (OUR), declares a dispute-resolution procedure (DSP), and declares that the data is non-identifiable (NID). Because our website stores customer numbers in cookies, NID should be removed from the list.

The CP should match the full policy. So if you use NID in the CP, the policy file should contain the <NON-IDENTIFIABLE/> element. The validation tool described in the next section checks this consistency; Internet Explorer 6.0 also checks the policy file and, if there is any discrepancy, treats the policy as invalid.
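As an added example (not from the original posts), the following Python code implements the compact-policy grammar reproduced earlier as a validator, and also splits a full P3P header value of the form policyref="..." CP="..." (as in the Yahoo and mysite.com examples) into its parts. The sample header values are taken from the page; the function names are my own.

```python
# Added example, not code from the original posts: a parser/validator for the
# P3P compact-policy grammar, plus a parser for the full P3P header value.
# Matching is case-insensitive, since CP strings appear in mixed case.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Token classes taken from the compact-policy grammar. Tokens listed in
# TAKES_CREQ may carry an optional "a"/"i"/"o" suffix (creq).
TOKEN_CLASSES: Dict[str, tuple] = {
    "access": ("NOI", "ALL", "CAO", "IDC", "OTI", "NON"),
    "disputes": ("DSP",),
    "remedies": ("COR", "MON", "LAW"),
    "non-identifiable": ("NID",),
    "purpose": ("CUR", "ADM", "DEV", "TAI", "PSA", "PSD",
                "IVA", "IVD", "CON", "HIS", "TEL", "OTP"),
    "recipient": ("OUR", "DEL", "SAM", "UNR", "PUB", "OTR"),
    "retention": ("NOR", "STP", "LEG", "BUS", "IND"),
    "categories": ("PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT",
                   "DEM", "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"),
    "test": ("TST",),
}
TAKES_CREQ = {"ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS",
              "TEL", "OTP", "DEL", "SAM", "UNR", "PUB", "OTR"}
CREQ_SUFFIXES = ("A", "I", "O")  # compared after upper-casing the token


@dataclass
class CompactPolicy:
    """Parsed CP value: grammar class -> tokens found, plus any errors."""
    tokens: Dict[str, List[str]] = field(default_factory=dict)
    errors: List[str] = field(default_factory=list)

    @property
    def valid(self) -> bool:
        return not self.errors


def classify_token(raw: str) -> Optional[str]:
    """Return the grammar class of one token, or None if it is not in the grammar."""
    token = raw.upper()
    base, suffix = token, ""
    if len(token) == 4 and token[3] in CREQ_SUFFIXES:
        base, suffix = token[:3], token[3]
    if suffix and base not in TAKES_CREQ:
        return None  # creq suffix on a token the grammar does not allow it on
    for cls, members in TOKEN_CLASSES.items():
        if base in members:
            return cls
    return None


def parse_compact_policy(cp: str) -> CompactPolicy:
    """Validate a CP value such as 'CAO PSA OUR' token by token."""
    result = CompactPolicy()
    for raw in cp.split():
        cls = classify_token(raw)
        if cls is None:
            result.errors.append(f"unknown compact token: {raw!r}")
        else:
            result.tokens.setdefault(cls, []).append(raw.upper())
    if not result.tokens and not result.errors:
        result.errors.append("compact policy is empty")
    return result


# Header value: optional policyref="url" and CP="tokens", separated by
# whitespace and/or a comma (Yahoo's header uses a comma, the JSP line does not).
_FIELD = re.compile(r'(policyref|CP)\s*=\s*"([^"]*)"', re.IGNORECASE)


def parse_p3p_header(value: str) -> Dict[str, Optional[str]]:
    """Split a P3P header value into its policyref and CP parts (None if absent)."""
    fields = {m.group(1).lower(): m.group(2) for m in _FIELD.finditer(value)}
    return {"policyref": fields.get("policyref"), "cp": fields.get("cp")}


if __name__ == "__main__":
    # Header value as seen in the Yahoo output on this page.
    yahoo = ('policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM '
             'DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi '
             'IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"')
    parsed = parse_p3p_header(yahoo)
    print(parsed["policyref"], parse_compact_policy(parsed["cp"]).valid)
    print(parse_compact_policy("CAO PSA OUR").tokens)
    print(parse_compact_policy("CAO PSX OURa").errors)
```

The validator is strict: CUR, OUR and the access tokens take no a/i/o suffix in the grammar, so a value such as CURa in the Java example above is reported as an unknown token, which is worth knowing when copying CP strings from other sites. The policy-consistency check mentioned in the text (NID in the CP versus a <NON-IDENTIFIABLE/> element in the policy file) is left to the W3C validator, since it needs the full policy file.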

If the shared server or web server you use makes it difficult to configure HTTP headers, you can add the header in your HTML or Java code instead. I added the following to my JSP file:

response.setHeader("P3P", "policyref=\"http://www.mysite.com/w3c/p3p.xml\", CP=\"ALL DSP COR CUR OUR IND PUR\"");

If your site is HTML-based, you can also use the <link> tag:
<link rel="P3Pv1" href="/W3C/p3p.xml">

Checking and testing
The IBM P3P Policy Editor can check your P3P files and the implementation as a whole. The W3C has also released an online validator: enter the URL of your home page and it reports syntax or configuration errors in your P3P implementation. In addition, in IE 6.0 you can choose View > Privacy Report from the menu to list all sites, select your site and click the Summary button to view its privacy report.

Summary
In the end, both the policy reference file (p3p.xml) and the policy file (policy.p3p) are created. The policy.p3p file is the full policy; it is referenced by p3p.xml (or policy.xml), which in turn is located through the HTTP header. The W3C strongly recommends storing these files in a /W3C directory on the web server: if everyone uses the same directory, user agents can find the files even when no HTTP header is received.
