I have two websites, let’s say they’re example.com and anotherexample.net.
On anotherexample.net/page.html, I have an IFRAME SRC="http://example.com/someform.asp". That IFRAME displays a form for the user to fill out and submit to http://example.com/process.asp. When I open the form (“someform.asp“) in its own browser window, all works well.
However, when I load someform.asp as an IFRAME in IE 6 or IE 7, the cookies for example.com are not saved. In Firefox this problem doesn’t appear.
For testing purposes, I’ve created a similar setup on http://newmoon.wz.cz/test/page.php .
example.com uses cookie-based sessions (and there’s nothing I can do about that), so without cookies, process.asp won’t execute. How do I force IE to save those cookies?
Results of sniffing the HTTP traffic: on GET /someform.asp response, there’s a valid per-session Set-Cookie header (e.g. Set-Cookie: ASPKSJIUIUGF=JKHJUHVGFYTTYFY), but on POST /process.asp request, there is no Cookie header at all.
Edit3: some AJAX+serverside scripting is apparently capable to sidestep the problem, but that looks very much like a bug, plus it opens a whole new set of security holes. I don’t want my applications to use a combination of bug+security hole just because it’s easy.
Edit: the P3P policy was the root cause, full explanation below.
