Cookie Based (forms) Authentication Not Working in IE Iframe

Recently spent some time troubleshooting a 3rd party vendor being integrated into our site via an IFrame. Not really a great idea in the first place, with overflow:hidden and what have you – but the real issue came around their authentication process.
We were sending through an encrypted identifier on the iframe src querystring, which they succesfully matched to approved users on their system, however, after authenticating, the subsequent redirect would show that the user was no long logged in… so what was going on?
Turned out, after a lot of calls and testing, that this was the issue:
Good old IE – never fails to provide useful features.

So essentially IE has a setting (thas is on, even on medium-low security) which says cookies served from a different domain than the current (in our case from within an iframe) are blocked, unless the remote server at that domain provides a “privacy policy”.

In some way this is a sensible enough approach – but unfortunately the solutions is (despite all the waffling about lawsuits in the StackOverflow post) as simple as adding this header to every response sent from the server:


So if you’re a reputable company, you’re likely to be in compliance with that anyway, if you’re not – then you probably haven’t got your full postal address on whois anyway… so one questions the value added from this IE safety net.
But it’s there, and it created some work hours for us.


Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: