A load-balanced web application I've been working on suffered a quite annoying problem: people were being logged out after only minutes of inactivity. It was related to lost sessions. After some tests for common session time-out problems I discovered an interesting feature of Internet Explorer 6 (and higher) that is worth being aware of.
We tested the application ourselves with the mentioned browsers and never had problems, but as various clients offered access to our application through a frame on their site, we were confronted with an untested and problematic set-up in which IE6 (and higher) refuses cookies.
To sketch the situation: http://clientx.com/ contains a frame linking to http://oursite.com/app/clientx . Because the host name in the frame (oursite.com) is different from the top-level host (clientx.com), Internet Explorer treats the frame as third-party content. From IE6 upwards, the default privacy settings let the browser silently ignore cookies from third-party content. This is done by intent; see the Microsoft KB issue.
A simple solution is to add a P3P response header defining a Compact Policy (which you may or may not respect), for example:
P3P: CP="CAO PSA OUR"
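As an added example (not code from the original post, whose application stack is not described), the following Python WSGI middleware adds the compact policy above to every response that sets a cookie, and a small audit helper flags responses that would lose their session cookie in an IE6+ third-party frame because they set a cookie without a P3P header. The app, cookie name and path are constructed sample values.

```python
from wsgiref.util import setup_testing_defaults

# Compact policy from the post; it should describe your real data practices.
P3P_COMPACT_POLICY = 'CP="CAO PSA OUR"'


def needs_p3p(headers):
    """True when a response sets a cookie but carries no P3P header.

    IE6+ default privacy settings silently drop such cookies when the page
    is loaded as third-party content (e.g. inside a frame on another host).
    """
    names = [name.lower() for name, _ in headers]
    return 'set-cookie' in names and 'p3p' not in names


class P3PMiddleware:
    """Hypothetical WSGI middleware: appends the P3P header where needed."""

    def __init__(self, app, policy=P3P_COMPACT_POLICY):
        self.app = app
        self.policy = policy

    def __call__(self, environ, start_response):
        def _start_response(status, headers, exc_info=None):
            if needs_p3p(headers):
                headers = list(headers) + [('P3P', self.policy)]
            return start_response(status, headers, exc_info)
        return self.app(environ, _start_response)


def demo_app(environ, start_response):
    # Constructed sample: a login handler that issues a session cookie.
    start_response('200 OK', [('Content-Type', 'text/plain'),
                              ('Set-Cookie', 'SESSIONID=abc123; Path=/')])
    return [b'logged in']


def run(app, path='/app/clientx'):
    """Invoke a WSGI app once and return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ['PATH_INFO'] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured['status'] = status
        captured['headers'] = list(headers)
        return lambda data: None

    body = b''.join(app(environ, start_response))
    return captured['status'], captured['headers'], body
```

Run `needs_p3p` over a production response once through the framed path; if it returns True, the framed session will be lost even though direct access works.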
As a developer you're not likely to run into the problem during development because you:
- use Firefox
- have changed the default IE privacy settings to something more workable
- access the site directly instead of through a frame