How to retain session-state from iframe in a pop-up?

Question

I'm making a web application for a customer that has clients who want to put the login to the app inside of an iframe on their web sites. On a succesful login we want to open the app in a new pop-up window, but it seems that the logged in session is only retained inside of the iframe and not in the main window or in the pop-up. This is only a problem in IE, not in any other browser.

Is there a working way to implement this?

The flow is this:

1. User goes to client's website (www.url1.com)
2. User logs in to app, which is in an iframe (from www.url2.com)
3. App in iframe validates login
4. App in iframe uses window.open to open the app in a new, separate window

EDIT: Fiddler shows that what happens in the iframe is attached to one iexplore process and what happens in the main window is attached to another. This obviously is the problem, can it be worked around?

Answer 1

Try to use Fiddler to check if the cookies created by the login page (in the iframe) are sent to the newly opened popup. If not then it maybe a setting in the IE that prevents this from happening.

Edit: To see the cookies in Fiddler go to the Inspectors tab, then to Headers. At Request headers (up) you'll see the cookies sent from server to browser. At Response headers (down) you'll see the cookies sent from browser to the server (they should be sent back to browser for subsequent requests).

Answer 2

Setting cookies in an iframe which loads a page from another domain can cause some strange issues sometimes. And if the cookies don't work, chances are, your login won't work either. To get around it in a previous case, what I had to do is to add a custom http header in either IIS / Code which suddenly made things work.

Sample C# code:

protected void Application_BeginRequest(Object sender, EventArgs e)
{
    HttpContext.Current.Response.AddHeader("p3p", "CP=\"CAO PSA OUR\"");
}