Hi all

We're developing a web shop, and process payments with a third party UI.

We have chosen to show the payment UI inside an iframe inside our check-out page, even though (we now realize) the payment solution provider recommends using a top-level window.

Now what happens is that in IE7/IE8, the payment UI loses session state on the first postback (inside the iframe), while in Firefox, it works just fine. We observe that the payment UI is developed using ASP.NET.

I was under the impression that as far as the server is concerned, there is no difference between being referenced from an iframe versus from a top-level window, but clearly there is.

Does anyone have a clue? What does an iframe do that could possibly make a difference to the payment server, causing it to lose session state?

Could it (it suddenly dawns on me) be differences in cookie handling? Stricter security perhaps?

+3  A: 

Probably caused by this:

Internet Explorer 6 introduced support for the Platform for Privacy Preferences (P3P) Project. The P3P standard notes that if a FRAMESET or a parent window references another site inside a FRAME or inside a child window, the child site is considered third party content. Internet Explorer, which uses the default privacy setting of Medium, silently rejects cookies sent from third party sites.

http://support.microsoft.com/kb/323752/en-us

I once heard someone say that an IFrame is actually a new instance of IE, but apparently it's a bit more complicated.

Gerrie Schenck
Dang! That might just be it! Back to the drawing board..
Tor Haugen
You can fix this by ensuring that both you and the payment provider have a P3P statement defined: this will allow IE to accept the third party cookies - had to do similar things when IE 6 came out for ads served in an IFrame from a remote ad server.
Zhaph - Ben Duguid
Thanks, I'll check that out!
Tor Haugen
A: 

Hi, so the structure of your code/site would be something like:

  1. Site A has Page 1 has an iframe which displays Site B
  2. the iframe updates and now displays Page 2 from Site A

and when you right-click on the contents of the iframe you can verify that the url is corresponding to Site A?

If you debug, does Page 2 fire off your breakpoints as expected?

Mr W
No. Site A page 1 is displayed all the time. Inside Site A page 1 is an iframe which displays site B page 1. Site B page 1 posts back (inside the iframe) to Site B page 2. Now Site B page 2 has no session state.
Tor Haugen
+1  A: 

You might find this article by Milan Negovan helpful to explain why framed pages get a separate Session ID. The article also talks about the P3P solution mentioned by Gerrie Schenck above.

Cerebrus
+1 for the P3P references - very useful.
Zhaph - Ben Duguid
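
One way to test the P3P explanation given in the answers above, as an added example that is not part of the original thread: capture the response headers of the framed payment page and list the cookies it sets without any P3P compact-policy header. The hostnames, cookie value and policy tokens are constructed samples, "third party" is approximated as a different hostname, and the check only looks for the presence of a compact policy; it does not evaluate the policy the way IE does.

```python
import re
from urllib.parse import urlsplit

# Constructed samples: response heads as a proxy or debugger would capture them
# from the framed payment page. Hostnames and cookie values are placeholders.
WITHOUT_P3P = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: ASP.NET_SessionId=constructed123; path=/; HttpOnly\r\n"
    "\r\n"
)
WITH_P3P = (
    "HTTP/1.1 200 OK\r\n"
    'P3P: CP="NOI DSP COR NID"\r\n'
    "Set-Cookie: ASP.NET_SessionId=constructed123; path=/; HttpOnly\r\n"
    "\r\n"
)

def parse_headers(raw_head):
    """Return (lower-cased name, value) pairs, keeping repeated headers."""
    pairs = []
    for line in raw_head.split("\r\n")[1:]:  # skip the status line
        if not line:                          # blank line ends the head
            break
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def cookies_without_policy(top_url, frame_url, raw_head):
    """Names of cookies set by a cross-host frame with no P3P compact policy."""
    # Assumption: "third party" is approximated as a different hostname.
    if urlsplit(top_url).hostname == urlsplit(frame_url).hostname:
        return []
    headers = parse_headers(raw_head)
    has_cp = any(
        name == "p3p" and re.search(r'CP\s*=\s*"[^"]+"', value, re.I)
        for name, value in headers
    )
    if has_cp:
        return []
    return [v.split("=", 1)[0].strip() for n, v in headers if n == "set-cookie"]

if __name__ == "__main__":
    top, frame = "https://shop.example/checkout", "https://pay.example/start"
    print(cookies_without_policy(top, frame, WITHOUT_P3P))
    print(cookies_without_policy(top, frame, WITH_P3P))
```

If the session cookie shows up in the first list for the real payment page, the missing policy header has to be added on the payment provider's side, since that is the site setting the cookie.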