Session Lost in iFrame (P3P Issue)

Problem: If you have iFrame or multiple frameset in your ASP.NET page, session is lost in the child frame.

Session ID: If you use Response.Write to show the Session.SessionID of your page, you'd notice that it's actually changing on every postback.

Cause: Due to the browser and Platform for Privacy Preferences (P3P) natures, the child frame will be considered as third party site if the top level domain is different between the parent and child frame. Therefore, default privacy settings of IE (medium) will be used and reject any cookies sent from the third party site (that is your child frame).

Solution: Apart from altering the settings in IE (which may not be possible due to client company security reason as in my case), the easiest solution is to add a header to the base page and acknowledge it can trusted to the parent site.

For example,

    public class BasePage : System.Web.UI.Page
    {
        public BasePage() {}

        protected override void OnInit(EventArgs e)
        {
            Response.AddHeader("p3p", "CP=\"IDC DSP COR ADM DEVi TATi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");
        }
    }

References:

• http://msdn.microsoft.com/en-us/library/ms537343.aspx
• http://www.alphaworks.ibm.com/tech/p3peditor/
• http://kiranpatils.wordpress.com/2010/04/13/session-lost-in-iframe