Use the P3P specification to allow IE to accept third-party cookies across domains

Source: Internet
Author: User

Two days ago I helped a colleague with a JavaScript cross-domain problem: a JSONP request submitted the user name and password across domains to log in automatically to a third-party website, that is, SSO (single sign-on), where you log in once and are logged in everywhere. Chrome had no problem; IE did not work. After going through the HTTP traffic several times, I found that the login request succeeded. The problem was that IE did not accept the cookie (session ID) returned by the third-party website: the next request was sent without the cookie, which shows that the earlier Set-Cookie instruction had no effect, so the login failed. I looked around and found that people who embed pages in an iframe have also run into IE refusing to set the cookie.

If you set the privacy level to Low in Internet Options, or add the third-party domain to the Trusted Sites list, it works. But it is hardly feasible to ask every user to change their IE settings. This is a very common scenario, so there must be other solutions.


Browser third-party cookie restrictions

A so-called third-party cookie is one where you visit page A but receive a cookie-setting instruction from domain B. This can happen because page A requests or links to page B, as with the iframe and JSONP cases mentioned above.

I looked up how each browser handles third-party cookies across domains; IE restricts them in its default settings.

Third-party cookie rules for different browsers

                                 IE    Firefox   Chrome   Safari   Opera
Restricts third-party cookies    Yes   No        No       Yes      No

There are two ways to solve this problem. One is, as mentioned above, to adjust the IE settings and add the third-party domain to the Trusted Sites list; the other is P3P.

P3P?

P3P stands for Platform for Privacy Preferences, a specification for declaring privacy preferences. The specification is extremely complex; explaining it properly would take half the day. In short, the website declares its privacy policy to the browser: for example, whether the site collects visitors' personal information and what the cookies it sets are used for. Depending on its settings, the browser then decides whether to accept the site's cookies when they arrive through a third-party request.

A full P3P deployment includes creating a privacy policy document (policy.html), a policy file (policy.xml) and a reference file (p3p.xml); those interested can learn more about deploying P3P on MSDN.

This is too complicated; I just want single sign-on for the company's internal management system. Fortunately, there is a simpler way: send the P3P-related HTTP header.

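ASP.NET:

// Add the P3P compact policy (CP) header to the current response
HttpContext.Current.Response.AddHeader("P3P", "CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");

PHP:

// Must be called before any output is sent
header('P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"');

JSP:

// Add the P3P compact policy (CP) header to the response
response.setHeader("P3P", "CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");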

So what do tokens like IDC and DSP mean?

These tokens are defined by P3P. For example, NOI means that no identifiable user information is collected, and ADM means that the collected information will be used for website administration ... See the full list, or the Chinese summary list.

The browser decides whether to accept cookies based on these tokens. According to test results, adding NOI is the simplest: that one token is enough. However, it is generally hard for a site to honour NOI unless it stays anonymous forever; a "login" feature may violate NOI. In theory, the tokens should reflect the site's actual information-collection behaviour, and if the declared privacy policy is inconsistent with the actual behaviour, the site has to bear legal responsibility. There is a discussion of the legal issues on StackOverflow that can be consulted.
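One way to check a response against the two points above (tokens must come from the P3P vocabulary, and NOI should not be declared where the site identifies the user), as an added example that is not part of the original post. The function names and the `identifies_user` flag are hypothetical, the token table is transcribed from the P3P 1.0 compact policy vocabulary, and normalising token case instead of rejecting it is an assumption of this example.

```python
import re

# Token vocabulary of the P3P 1.0 compact policy, grouped by policy element.
VOCAB = {
    "access": "NOI ALL CAO IDC OTI NON", "retention": "NOR STP LEG BUS IND",
    "disputes": "DSP", "remedies": "COR MON LAW", "non-identifiable": "NID",
    "purpose": "CUR ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP",
    "recipient": "OUR DEL SAM UNR PUB OTR", "test": "TST",
    "categories": "PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE "
                  "LOC GOV OTC",
}
GROUP_OF = {tok: grp for grp, toks in VOCAB.items() for tok in toks.split()}
# Purpose and recipient tokens (except CUR and OUR) may carry a consent
# suffix: a = always, i = opt-in, o = opt-out.
SUFFIXABLE = {t for t, g in GROUP_OF.items()
              if g in ("purpose", "recipient")} - {"CUR", "OUR"}

def parse_cp(p3p_value):
    """Return (canonical tokens, unknown tokens), or (None, []) without CP=."""
    m = re.search(r'CP\s*=\s*"([^"]*)"', p3p_value, re.IGNORECASE)
    if m is None:
        return None, []
    known, unknown = [], []
    for raw in m.group(1).split():
        # Assumption of this example: token case is normalised, not rejected.
        base, suffix = raw[:3].upper(), raw[3:].lower()
        suffix_ok = not suffix or (suffix in ("a", "i", "o") and base in SUFFIXABLE)
        if base in GROUP_OF and suffix_ok:
            known.append(base + suffix)
        else:
            unknown.append(raw)
    return known, unknown

def audit(headers, identifies_user):
    """Findings for one response; headers is a list of (name, value) pairs."""
    hdr = {name.lower(): value for name, value in headers}
    if "set-cookie" not in hdr:
        return []
    known, unknown = parse_cp(hdr.get("p3p", ""))
    if known is None:
        return ["cookie set without a P3P compact policy"]
    findings = ["unknown token: " + t for t in unknown]
    if "NOI" in known and identifies_user:
        findings.append("NOI declared on a response that identifies the user")
    return findings

# Constructed sample response (not captured traffic): a login reply claiming NOI.
LOGIN_REPLY = [("Set-Cookie", "sid=abc123; Path=/"), ("P3P", 'CP="NOI DSP OURS"')]
print(audit(LOGIN_REPLY, identifies_user=True))
```
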

In addition to sending the P3P HTTP header, you can also declare P3P through an HTML meta tag or by configuring the IIS server.

Reference Link: http://blog.darkthread.net/post-2011-10-27-p3p-header-and-iframe-session.aspx

http://www.lovelucy.info/ie-accept-third-party-cookie.html
