0

And when it is opened in an iframe in Internet Explorer, the JSESSIONID cookie is never sent to the server during any request. Thus the server session is not used. I found an article saying IE just blocks cookies for any page inside an iframe. That is why the JSESSIONID cookie is not sent to the server. So how can I make it possible to continue using the Java session in an IE iframe?

I use JSF and get an exception that View myview.xhtml could not be restored: javax.faces.application.ViewExpiredException.

Specifically, on the server side I could access

request.getCookies()

and saw there is no cookie named JSESSIONID.

Therefore the session is not assigned to the request on the server.

Also, looking at the developer tools in IE on the Network tab, I see that the response really has Set-Cookie JSESSIONID=... and the later request does not have Cookie JSESSIONID=...

Community

1 Answer

1

As the article you pointed out is saying, you need to supply a compact privacy policy in your page so the cookies that are treated as 3rd party by IE will be acceptable.

With your web platform, which I believe is JSP, you can include this line:

response.addHeader("P3P","CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");
securecodeninja
  • Really, it helps. Any text inside the header value "CP=\"any text\"" is acceptable. I use it with JSF, and after adding such a header the session cookies are sent from the iframe in IE. – Oleksandr Tsurika Dec 01 '15 at 13:58
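For a JSF application, where there is no single JSP to put the answer's line in, the same header can be applied from a servlet filter so that it is already present on whichever response creates the session and carries Set-Cookie JSESSIONID. This is an added example, not code from the question or the answer; the class name `P3PHeaderFilter`, the `/*` mapping and the use of the Servlet 3.0 `@WebFilter` annotation are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter name; the "/*" mapping is an assumption and can be
// narrowed to the URL patterns of the pages that are actually framed.
@WebFilter("/*")
public class P3PHeaderFilter implements Filter {

    // Compact policy value copied from the answer above.
    private static final String COMPACT_POLICY =
        "CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"";

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // No configuration required.
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            // Set the header before the chain runs: the container may commit
            // the response (including Set-Cookie JSESSIONID) during
            // chain.doFilter(), and headers set after commit are ignored.
            ((HttpServletResponse) response).setHeader("P3P", COMPACT_POLICY);
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

After deploying, the IE Network tab check described in the question should show the P3P header on the same response as Set-Cookie, and the Cookie header on the following request from the iframe.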