We have a website (www.example.com) that sends users to a number of third-party pages to check the payment details that we make in the iframe. Initially, the local page from www.example.com is loaded into the iframe, and the user is redirected to a third-party URL. After the user completes the steps of the third party, they are redirected back to the page of our site (www.example.com) within the iframe.
This works in all browsers we tested except IE 11, where our cookies look lost. We checked this in both Windows 7 and 8.1, both on the desktop and in the Metro mode, and the problem is in all versions.
When a user browses our site, we set a session cookie that correctly goes to the first page, which is initially loaded in the iframe. However, if the user has viewed some third-party pages in this iframe, the session cookie is not sent with the following request.
If we set the privacy setting of IE 11 to the minimum value, this problem will disappear and everything will work as expected.
All of the potential solutions that I have come across refer to P3P headers. We have the correct P3P header and XML policy file, and this problem only occurs in IE 11.
Update: We have several other cookies set using JS. All are saved as expected. The difference lies in the expiration date (1 year for JS cookies, 1 month for session cookies), domain (explicitly "example.com" for JS cookies, empty for session cookies) and whether they are "HTTP only" (false for JS cookies, true for session cookies).
I tried to set all of these parameters to match the JS cookies for the session cookie, but that didn't matter.
Update 2: After more testing, I was unable to create a test case that recreates this problem. Any additional cookies that I try to check with the live code also seem to be broken, even if they are set with exactly the same code as the JS cookies that work. Briefly, I have not yet found cookie templates that work and those that don't.
It is interesting to note that cookies are not deleted; they simply are not sent with the final request. If another page is loaded, cookies magically reappear and are sent, which makes me think this is an iframe- and P3P-related error.
Update 3 (day 3): IE 11 cookie processing continues to confuse me. The further I travel into the maze of Microsoft, the more I lose myself among my shifting walls. And there are ghosts here. Fragments of half-damned security policies that have been woven into some kind of ethereal being that tracks and taunts every step. At first I was frozen, scared, stunned in a subtle form, rushing straight out of sight, but with every minute I get more comfort from a simple knowledge of its proximity. Could this be the beast I sent here to meet? How could I kill my only companion at such times?