Internet Explorer 7 says no to sessions and cookies
Posted by Fred Wu
People might think that IE6 is really slowing down the advancement of web design and development, which is true. What some people don’t realise is that IE7 is just about as evil as IE6.
Today we have noticed a nasty bug that only happens in IE7. We built a website and it is being framesetted by other websites. In IE7, sessions and cookies do not work at all for this website (which has a different domain to the parent website).
After lots of research and debugging, we’ve finally identified this bug: IE7 incorrectly sets privacy settings for the website that is contained within a frameset and is not part of the main (parent) website. All sessions and cookies are therefore blocked.
Fortunately, there is a fix:
header('P3P: CP="ALL ADM DEV PSAi COM OUR OTRo STP IND ONL"');
The above line will ‘magically’ fix this IE7 bug.
I wish the IE family was bought out by other vendors, or alternatively, died peacefully.
On a side note, let’s wait and see what Google has to offer with Google Chrome.
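An added example, not part of the original post: a Python check over response heads captured from the framed site, listing which cookie-setting responses lack the P3P compact policy header shown above. The paths, cookie values and sample responses are constructed for illustration; it assumes the header has to accompany the framed site's own responses, since those are the cookies being blocked.

```python
import re

# Constructed sample: raw response heads captured from the framed site.
P3P_FIX = 'P3P: CP="ALL ADM DEV PSAi COM OUR OTRo STP IND ONL"'
SAMPLE_RESPONSES = {
    "/login.php": "HTTP/1.1 200 OK\r\nSet-Cookie: PHPSESSID=abc123; path=/\r\n\r\n",
    "/cart.php": "HTTP/1.1 200 OK\r\n" + P3P_FIX + "\r\n"
                 "set-cookie: cart=42; path=/\r\n\r\n<html>",
    "/account.php": 'HTTP/1.1 200 OK\r\nP3P: policyref="/w3c/p3p.xml"\r\n'
                    "Set-Cookie: uid=7\r\n\r\n",
    "/style.css": "HTTP/1.1 200 OK\r\nContent-Type: text/css\r\n\r\n",
}

def parse_headers(raw):
    """Return [(lowercased name, value)] from a raw HTTP response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:      # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers

def compact_policy(headers):
    """Return the tokens of the P3P compact policy (CP="..."), or []."""
    for name, value in headers:
        if name == "p3p":
            match = re.search(r'CP\s*=\s*"([^"]*)"', value, re.IGNORECASE)
            if match:
                return match.group(1).split()
    return []

def sets_cookie(headers):
    """True if the response carries at least one Set-Cookie header."""
    return any(name == "set-cookie" for name, _ in headers)

def missing_p3p(responses):
    """Paths whose response sets a cookie but carries no compact policy."""
    flagged = []
    for path, raw in responses.items():
        headers = parse_headers(raw)
        if sets_cookie(headers) and not compact_policy(headers):
            flagged.append(path)
    return sorted(flagged)

if __name__ == "__main__":
    for path in missing_p3p(SAMPLE_RESPONSES):
        print("cookie set without P3P compact policy:", path)
```

A P3P header that carries only a `policyref` and no `CP="..."` part is reported as well, because the check looks for the compact policy itself.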

Fred, sorry but, the session and the cookies work well in IE7. The fact is that it does not work with different domains (it works with subdomains) for logical security reasons.
Well, making a website broken is not logical to me. Besides, I don’t see how IE would be any securer than Firefox, Safari and Opera, etc.
Thank you SO much for this fix. I’ve been tearing my hair out all day trying to sort out this issue. I built the site on my local machine, everything worked fine. It works on all the REAL browsers like ff, safari, opera and even google chrome. It also works on most versions of ie (confusingly it worked on some versions of ie 7 as well :S), but on my ie 7 and a few other copies, it stubbornly refused to work.
I wish I’d found this post earlier in the day. That one line of code was the solution to about 5 hours of struggling.
THANK YOU.
I admin a system where everyone logs in with just a username, no passwords. Then someone decided some reasonable security was in order, and we start requiring a password. So you call us angrily and say that breaking the program for you is not logical.
You can disregard security practices all you want, but don’t expect the world to accommodate you.
I highly regard security, as a matter of fact, from the very beginning of my programming career I have been obsessed with security. But that doesn’t mean one could go over the top and make security measures that have huge trade-offs.
Some of the security measures Microsoft has introduced are really laughable, just ask how many people turn off UAC as the first thing when they use Windows Vista. Similar security measures have been in place on *nix (including OS X) systems for ages but apparently Microsoft decided to come over the top and make user experience far worse.
Two questions regarding your header…
1- How to have it in html ?
I’m thinking of something like:
2- In which file to have it ? In the file containing the frameset or in each included frame file ?
Thanks !
Stephane