How to Implement P3P HTTP Headers for cross-site cookies

Why do I need to implement P3P when using iframes or cross-site cookies?
The point is that if your application is inside an iframe whose parent belongs to another domain, cookies will not work under some very common configurations, for example IE 6/7 with privacy set to medium. If cookies don't work, the session won't work either, so sessions become useless for your application under Internet Explorer. Check "Privacy in IE 6" for more details.

This is relevant when the domain that hosts the iframe is different from the parent domain. Because this is not a very common scenario, only a few people are familiar with the solution. It's quite easy: we need to send a P3P header to tell the browser that cookies set by your application inside the iframe are acceptable for user privacy.
If you're using PHP, just define the header like this:

<?php
// Must be called before any output is sent, like every header() call.
header('P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"');
?>

In ASP.NET it works like this (frankly, I know nothing about ASP.NET; this just shows the solution):

protected void Application_BeginRequest(Object sender, EventArgs e)
{
    // Example from www.admon.org
    // The inner double quotes around the compact policy must be escaped.
    HttpContext.Current.Response.AddHeader("p3p", "CP=\"CAO PSA OUR\"");
}

Here is a test example written in Chinese; you can read it with Google Translate.


You can also add this header at the web server level.
For Lighttpd, use the following directives in lighttpd.conf:

server.modules    = ("mod_setenv")
setenv.add-response-header = ( "P3P" => "CP='CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR'")

For the Apache web server, the following directives will do (the Header directive needs mod_headers to be loaded, and VirtualHost needs an address argument):

<VirtualHost *:80>
    # *:80 is a placeholder; use your site's own address and port
    Header set P3P 'CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"'
</VirtualHost>



For more details about HTTP/1.1 P3P headers, please check the P3P specification at w3.org.
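Whichever of the configurations above you use, it is worth checking that the value the server actually emits is a well-formed compact policy. The following Python validator is an added example, not code from the original post: it parses a P3P header value against the spec grammar (CP="..." with double quotes) and classifies every token by the compact-policy vocabulary from the W3C spec, so it covers more tokens than the two policies shown on this page. The dict of headers passed to check_headers is a constructed stand-in for a real response.

```python
import re
# P3P compact-policy vocabulary (W3C P3P 1.0 spec, section 4 "Compact Policies").
# Purpose and recipient tokens may carry an a/i/o suffix (always/opt-in/opt-out),
# e.g. "CURa" or "PSAo" in the header used on this page.
_PLAIN = {
    "access": {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"},
    "disputes": {"DSP"},
    "remedies": {"COR", "MON", "LAW"},
    "retention": {"NOR", "STP", "LEG", "BUS", "IND"},
    "category": {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
                 "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"},
    "other": {"TST", "NID"},
}
_SUFFIXED = {
    "purpose": {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON",
                "HIS", "TEL", "OTP"},
    "recipient": {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"},
}
# Spec grammar: compact-policy-field = `CP="` compact-policy `"` (double quotes only).
_CP_RE = re.compile(r'^\s*CP="([^"]*)"\s*$')

def classify(token):
    """Return the vocabulary group of one compact-policy token, or None if unknown."""
    for group, words in _PLAIN.items():
        if token in words:
            return group
    for group, words in _SUFFIXED.items():
        if token in words or (token[:-1] in words and token[-1] in "aio"):
            return group
    return None

def parse_p3p(value):
    """Parse a P3P header value into {group: [tokens]} and a list of problems."""
    m = _CP_RE.match(value)
    if not m:
        # Single quotes, typographic quotes or a missing CP= do not match the grammar.
        return {}, ['value is not of the form CP="..."']
    groups, problems = {}, []
    for tok in m.group(1).split():
        group = classify(tok)
        if group is None:
            problems.append("unknown token: " + tok)
        else:
            groups.setdefault(group, []).append(tok)
    return groups, problems

def check_headers(headers):
    """Look up the P3P header (any letter case) in a name->value dict and validate it."""
    for name, value in headers.items():
        if name.lower() == "p3p":
            return parse_p3p(value)
    return {}, ["no P3P header present"]
```

An empty problems list means the header is present and every token is a known compact-policy token; a non-empty list points at the quoting or token that needs fixing.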


5 thoughts on “How to Implement P3P HTTP Headers for cross-site cookies”

  1. Hey, I just started reading this blog – thanks for writing. Just wanted to let you know that it’s not displaying correctly on the BlackBerry Browser (I have a Tour). Either way, I’m now on your RSS feed on my laptop, so thanks again!

  2. Hi, I tried your PHP code but it hasn’t worked. I have an app that pulls in PHP pages from another IP via IFRAMEs and cookies are being blocked. I tried your code before I start the session but it hasn’t made a difference. Also, the Apache code made my service not restart.

    Cheers,

    Billy

  3. In my PHP code I’m using:
    header('P3P: CP="CAO PSA OUR"');

    I have a page that, in an IFRAME, pulls a PHP page from another domain.

    Sincerely

  4. Hi,

    It took a long time before I realized that cross-site session cookies in an iframe have been my problem!

    Thanks a lot for your header. I implemented it in all php scripts that were affected and it worked fine and immediately for all those IE users… HAPPY!!!!
