I've got the following:

The user clicks on a link to mydomain.com/redirect.php, where they get a cookie (for mydomain.com) via the setcookie function, and then goes to another page (header('Location: ...');), say lp.html.

Then, on that page there is a script: gs('mydomain.com/getcookie.php', 'client=52', function() {}); and this function is as follows:

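gs = function(path, args, fn) {
    // Inject a <script> element so the browser requests path?args
    var p = document.head || document.getElementsByTagName("head")[0];
    var s = document.createElement("script");
    p.appendChild(s);
    if (fn) {
        if (s.addEventListener) {
            s.addEventListener('load', fn, false);
        } else if (s.attachEvent) {
            s.attachEvent("onload", function() {
                fn(window.event);
            });
        } else {
            s["onload"] = fn;
        }
        // Old IE signals script loading through readyState; run the
        // callback only when it reports "loaded" or "complete"
        s.onreadystatechange = function() {
            if (/^(loaded|complete)$/.test(s.readyState)) {
                fn();
            }
        };
    }
    s.src = path + "?" + args;
};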

The getcookie.php script gets a value from $_COOKIE (since it's on my domain) and returns a small js, like this: myParam = 'cookieValue'; for later use in js.

So, this works well... except in Internet Explorer. It works there only if I manually allow it to accept all cookies.

answer: (thanks to duellsy)

adding

header('P3P: CP="CAO PSA OUR"');
header('P3P: CP="HONK"');
k102

1 Answer

IE has some cookie security things that can be hard to diagnose. Try adding this to the top of your page:

<?php header('P3P: CP="CAO PSA OUR"'); ?>

Look up Internet Explorer P3P to find out more information on this.

A good response on SO on 'what' this is: https://stackoverflow.com/a/5258105/1613391

duellsy
  • can't hurt to put it on both, so both are aware of the policy, otherwise there may be a conflict and the cookie won't be able to be retrieved – duellsy Nov 20 '12 at 12:39
  • oh! great! this works if I add this header to `redirect.php` and to `getcookie.php` that's awesome! =) – k102 Nov 20 '12 at 12:44
  • Make sure that the policy you use actually reflects the use to which you will put the data. You don't want people to take legal action against you because you've been lying about what you are doing with their data. – Quentin Nov 20 '12 at 13:12
  • @Quentin, thanks for the notice, but I think there will be no problems, cause this is not user's data - this is my data used for tracking user actions on client's site – k102 Nov 20 '12 at 13:20
  • "What the user does" is "user data" – Quentin Nov 20 '12 at 13:21
  • But I do not store "What the user does" in the cookie. There's only a random id not connected to user at all. It's needed to check if this user came from `redirect.php` – k102 Nov 20 '12 at 13:24
  • Read what the policy rules mean. Make sure you conform to the ones you use. Don't assume that everything is fine just because you have no *personally* identifiable data in them. – Quentin Nov 20 '12 at 14:15
  • Added to @Quentin's note, here's where you can find out some more information on the policy, to ensure you know exactly what it covers http://stackoverflow.com/a/5258105/1613391 – duellsy Nov 20 '12 at 22:14
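
A check for the fix described in the answer and confirmed in the comments (the header on both `redirect.php` and `getcookie.php`), as an added example that is not part of the original thread: given the response headers captured for each request in the flow, it reports which responses send no P3P compact policy and names the P3P 1.0 element behind each token of `CAO PSA OUR`. The names `auditFlow`, `parseCompactPolicy` and `getHeader`, the cookie value and the sample responses are assumptions made for the illustration.

```javascript
// Added example, not code from the thread. The response objects are constructed
// stand-ins for headers copied out of a browser's network panel.

// P3P 1.0 element behind each token of the answer's policy.
const TOKEN_ELEMENT = new Map([
  ['CAO', 'ACCESS contact-and-other'],
  ['PSA', 'PURPOSE pseudo-analysis'],
  ['OUR', 'RECIPIENT ours'],
]);

// Case-insensitive header lookup in a plain { name: value } object.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Return the token list from a P3P header's CP="..." part, or null if there is none.
function parseCompactPolicy(value) {
  const m = /CP\s*=\s*"([^"]*)"/i.exec(value || '');
  return m ? m[1].split(/\s+/).filter(Boolean) : null;
}

// Report, for every response in the cookie flow, whether it declares a
// compact policy and which tokens this example cannot explain.
function auditFlow(responses) {
  return responses.map((r) => {
    const tokens = parseCompactPolicy(getHeader(r.headers, 'P3P')) || [];
    return {
      url: r.url,
      hasPolicy: tokens.length > 0,
      declares: tokens.filter((t) => TOKEN_ELEMENT.has(t)).map((t) => TOKEN_ELEMENT.get(t)),
      unexplained: tokens.filter((t) => !TOKEN_ELEMENT.has(t)),
    };
  });
}

// Constructed sample: redirect.php already sends the header, getcookie.php does not yet.
const sampleFlow = [
  { url: '/redirect.php', headers: { 'p3p': 'CP="CAO PSA OUR"', 'Set-Cookie': 'id=abc123' } },
  { url: '/getcookie.php', headers: { 'Content-Type': 'application/javascript' } },
];

for (const row of auditFlow(sampleFlow)) {
  console.log(row.url, row.hasPolicy ? row.declares.join('; ') : 'no compact policy sent');
}
```

A token that lands in `unexplained` is one this example has no entry for, which is the cue to read what the policy rules mean before sending it.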