Cookie not being sent in iframe in IE9

First of all, I've did some research before posting this question, so I know about the P3P Policy and the MSDN article about it. From what I understand, this policy mostly (if not only) applies to IE6. My specific problem is with IE9. Furthermore the first thing I did was set up a policy (and it works, as it shows a summary in IE's privacy report).

My test case is as follows: I have a page that contains an iframe. The iframe document sets a session cookie (the complete HTTP header: Set-Cookie:sid=2b5540e0e4f27075ca4709851700137d; expires=Tue, 28-Jun-2011 07:27:41 GMT; path=/), for the current domain, on the root path, that expires in a week. No problems there, this has been running in production (standalone, not in an iframe) for some time now.

The problem is this: the iframe document has some javascript that does some HTTP requests first (done by jQuery), then redirects the user (by changing the document.location property). The requests do send the cookies, but the redirect doesn't.

I've captured the network events in IE, and the only difference between the two type of requests that I can find, is the initiator: XHR is done by a JS Library, the other by click. However I really doubt that a click would not send the cookie.

I want to know why my cookies are not sent, the Google Analytics cookies are sent, so it should be possible.

UPDATE: It's definitely a privacy zone issue: when lowering the privacy bar setting in IE to all, it works. Every other setting fails.

I've created an exact test bed: This is the actual iframe that's being use开发者_StackOverflowd. To test it, you have to fill in a Dutch postalcode (sorry ;)), the placeholder being used is fine: 1234 AB and 1. After submitting you get a modal, when it's done you should be redirected to a result page. In IE, the redirect shows exactly the same page that you started with (because of not setting the cookie).

Have you tried adding the the P3P header? It is not as difficult as that article says.

For example in PHP just add this header in the top of the php file:

<?php
    header('p3p: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"');
?>

This exact problem but in a diferent context worked here: Facebook app works on all browsers but not IE8

If anyone is trying to solve this for a .NET Application

Add a P3P header as Carlos mentioned

HttpContext.Response.AddHeader("p3p", "CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");

Edit: Even better, if you want to put this in Controller, simply add the following attribute

public class IEP3PHeaderAttribute : FilterAttribute, IResultFilter
{
    public void OnResultExecuting(ResultExecutingContext filterContext)
    {
        // check if the user is using a IE based browser, add a p3p header if true and hasn't already been added
        if (HttpContext.Current.Request.Browser.Browser.ToUpper().Contains("IE"))
        {
            if (System.Web.HttpContext.Current.Response.Headers["p3p"] == null)
            {
                HttpContext.Current.Response.AddHeader("p3p", "CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");    
            }
        }
    }

    public void OnResultExecuted(ResultExecutedContext filterContext)
    {
    }
}

and then in your controller, e.g. HomeController

[IEP3PHeader]
public class HomeController
{
   public ActionResult DoSomething() {};
   public ActionResult DoSomethingElse() {};
} 

Is this about the sequence in which the cookies are generated - i.e. does the GA cookie exist before the iframe is loaded, but the session cookie set when it's loaded?

Where's the code?

by changing the document.location property

Are you assigning a value directly to the location object, or are you using location.replace() or location.href=...?

Is this a correct reproduction of your test bed? http://www.coderun.com/ide/?w=EyTizeGw9kKgHjwNp3xiPw

I'm getting cookies back in IE9, what am I missing?