
I'm working with an outlook web add-in and a Rails webapp. The web add-in is loaded as an iframe when it's enabled through Outlook on the Web. The page is a login page from our Rails app. Our Rails app has a standard Devise setup for the authentication process.

When the login page is loaded and we input the proper credentials and click on login, the cookies are lost throughout the process and we get redirected back to the login page again.

When we take a look at the Network tab in the developer console, we see that /users/sign_in is being requested and returns with the proper response headers and cookies to be set. Hitting /users/sign_in successfully would usually redirect the iframe to /dashboard/stats with all the proper sessions and cookies in the header. However, this isn't the case, and we see that the request headers for /dashboard/stats do not have the proper cookies/sessions; instead they're missing. As a result, in the Rails app, we see that there are no proper cookies/Devise session, and it will send a 401 and redirect back to the login page /users/sign_in.

This issue only occurs for Internet Explorer 11 (Version: 11.0.9600.19230) on Windows 7.

I've tested this same thing with a later version of IE11 on Windows 10 and it works fine: all the cookies and session attributes are being set properly and we login successfully. I've also tested this on Chrome, Safari, and Firefox, and the same scenario passes. Unfortunately, we need to support this version of IE11 on Windows 7 (or the latest version).

I was wondering if anybody has run into a similar issue and/or has any insights as to what might be the solution here for these missing cookies.

Jack

1 Answer


After digging through the forums, it seems that it's an issue related to the P3P header. Keep in mind that I've only found it to be an issue in the above IE11 version. The latest version I have (IE 11.316.17763.0) doesn't share the same issue.

Basically, in IE11, if the page inside the iframe doesn't have a P3P header, the browser will block the cookies. You can check if your page is blocked on IE11 by clicking on View > Webpage privacy report...

If the issue is present in your IE11 version, you'll see that your page is "Blocked" in the Cookies column.

The issue is solved by including the P3P header in your webapp's response headers. You can read more in this post.

If you are unsure of the value of the P3P header, I would suggest reading through this related post.

However, it seems that the P3P concept is outdated and has been suspended, and based on the first post above, you don't need to worry too much about the value of the header.

Lastly, I would recommend that people scope the addition of the P3P header to requests that are detected as coming from an IE11 browser. This is something that only IE seems to enforce: other current modern browsers do not have this issue.

Jack
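To show what "scope the P3P header to IE11 requests" looks like in a Rails app, here is an added example (not code from the original question or answer): a small Rack middleware that adds the header only when the User-Agent looks like Internet Explorer, and leaves responses for other browsers untouched. The IE detection relies on the `Trident/` and `MSIE ` tokens that IE user agents carry; the compact-policy string in `P3P_HEADER_VALUE` is a placeholder, since the answer notes the value matters little, and the middleware class name and the sample user agents are constructed for this example. The `run_through_middleware` helper exists only so the behaviour can be exercised without booting Rails.

```ruby
# Added example: Rack middleware that sets a P3P header for IE requests only.
# Placeholder compact policy (assumption): replace the tokens with whatever
# your team settles on; per the answer above, IE11 mostly cares that the
# header exists at all.
P3P_HEADER_VALUE = 'CP="PLACEHOLDER-COMPACT-POLICY"'.freeze

# Rack 3 (Rails 7.1+) expects lowercase response header names; on Rack 2 the
# mixed-case 'P3P' is conventional. HTTP treats header names case-insensitively.
P3P_HEADER_NAME = 'P3P'.freeze

# Internet Explorer identifies itself with "MSIE " (IE <= 10) or, for IE11,
# with the "Trident/7.0" engine token plus "rv:11.0".
def ie_user_agent?(user_agent)
  return false if user_agent.nil?
  user_agent.include?('Trident/') || user_agent.include?('MSIE ')
end

# Middleware: wraps the app and adds the P3P header to responses for IE clients.
# Install in config/application.rb with:   config.middleware.use P3pForIe
class P3pForIe
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    if ie_user_agent?(env['HTTP_USER_AGENT']) && !headers.key?(P3P_HEADER_NAME)
      # Only IE enforces P3P; other browsers never see the header.
      headers[P3P_HEADER_NAME] = P3P_HEADER_VALUE
    end
    [status, headers, body]
  end
end

# Constructed sample user agents for exercising the middleware offline.
IE11_WIN7_UA  = 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'.freeze
CHROME_UA     = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/70.0.3538.77 Safari/537.36'.freeze

# Helper for testing: run a trivial downstream app through the middleware and
# return the response headers it produced for the given User-Agent.
def run_through_middleware(user_agent)
  downstream = ->(_env) { [200, { 'Content-Type' => 'text/html' }, ['ok']] }
  env = {}
  env['HTTP_USER_AGENT'] = user_agent unless user_agent.nil?
  _status, headers, _body = P3pForIe.new(downstream).call(env)
  headers
end

if __FILE__ == $PROGRAM_NAME
  puts "IE11:   #{run_through_middleware(IE11_WIN7_UA).inspect}"
  puts "Chrome: #{run_through_middleware(CHROME_UA).inspect}"
end
```

If you would rather keep the logic in the app layer, the same check can live in a `before_action` on `ApplicationController` that calls `response.headers[P3P_HEADER_NAME] = P3P_HEADER_VALUE` when `ie_user_agent?(request.user_agent)` is true; the middleware form simply keeps it out of every controller and also covers responses that never reach a controller.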