
So I am doing some fairly simple JSONP stuff using jQuery.

General structure

  • Site lives on domain A
  • Javascript lives on domain B
  • JSON services also live on domain B

The site calls a method which JSONP-calls out to a JSON service (.NET); in .NET I set the session and return.

This all works fine, except in IE it is not storing or passing the session id in subsequent requests, so .NET creates a new one every time.

If I go to the JSON URL directly, IE happily stores it, and will use it on subsequent calls.

Firefox and Chrome don't have any problem with this, but for some reason IE seems to be ignoring the session cookie through jQuery, but the response works fine besides that.

womp
Monsters
  • As your site, JS and service live on different domains, I'm suspecting IE is doing some XSS protection, that in this case is harming a harmless and intentional cross-domain call. If that is the case, it might be very hard to get this approach working on each user's computer - is it possible for you to choose a different approach, which does not need session cookies for this particular part of the service? – Tomas Aschan Apr 22 '09 at 22:09
  • Well, certainly I could put a session id of sorts into the JSON response, and just handle it manually. I'm surprised though, as it seems to be a straightforward 'set cookie' command: ASP.NET_SessionId=l3vw0a45xnvwzibeki4y0j55; path=/; HttpOnly – Monsters Apr 22 '09 at 22:12
  • Well, certainly I could put a session id of sorts into the JSON response, and just handle it manually. I'm surprised though, as it seems to be a straightforward 'set cookie' command:
    Set-Cookie: ASP.NET_SessionId=l3vw0a45xnvwzibeki4y0j55; path=/; HttpOnly
    – Monsters Apr 22 '09 at 22:14
  • If I were you I'd look into details of the XSS protection in IIS and see if this is really the reason for your problems (it could just as well be your ajax request for JSON...) before I started moving too many things around. – Tomas Aschan Apr 22 '09 at 22:21
  • Hm, I don't think it's IIS; using Fiddler I can clearly see the Set-Cookie header, and then IE just doesn't send it back. – Monsters Apr 22 '09 at 22:23
  • Ah, re-read. I'd be handling 'sessions' entirely manually if I had to abandon traditional session handling. In addition, further testing shows that IE won't accept any cookies this way. – Monsters Apr 22 '09 at 22:26

1 Answer


A lot of browsers are more restrictive with their same origin policy than Firefox. It is not an IE issue. The XHR / MSXML object is not accepting the cookie.

http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy

Chad Grant
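
The workaround Monsters mentions in the comments (returning a session id in the JSON response and handling it manually), shown as an added example that is not part of the original thread. `handleJsonp`, `simulateClient`, the `sid` parameter and the in-memory store are hypothetical names, and the handler is written in JavaScript rather than .NET so that the service and the calling page can run together.

```javascript
const crypto = require('crypto');

// token -> session state; in-memory store for illustration only
const sessions = new Map();
// Accept only a plain identifier as the JSONP callback name, so the
// parameter cannot carry arbitrary script into the response body.
const CALLBACK_RE = /^[A-Za-z_$][\w$]{0,63}$/;

// Hypothetical service handler (domain B): takes the parsed query string
// and returns the response it would send.
function handleJsonp(query) {
  const cb = query.callback;
  if (typeof cb !== 'string' || !CALLBACK_RE.test(cb)) {
    return { status: 400, type: 'text/plain', body: 'bad callback' };
  }
  let token = query.sid;
  let session = typeof token === 'string' ? sessions.get(token) : undefined;
  if (!session) {
    // Missing or unknown token: issue a fresh random one. Never adopt a
    // caller-chosen value, which would allow session fixation.
    token = crypto.randomBytes(32).toString('hex');
    session = { hits: 0 };
    sessions.set(token, session);
  }
  session.hits += 1;
  // Unlike an HttpOnly cookie, this token is visible to page script and
  // travels in the URL, so it also ends up in server logs and Referer headers.
  const payload = JSON.stringify({ sid: token, hits: session.hits });
  return { status: 200, type: 'application/javascript', body: `${cb}(${payload});` };
}

// Calling page (domain A): remember the token in a variable and echo it
// back on every request instead of relying on the cookie.
function simulateClient(calls) {
  let sid;
  const seen = [];
  for (let i = 0; i < calls; i++) {
    const res = handleJsonp(sid ? { callback: 'cb', sid } : { callback: 'cb' });
    // Stand-in for the browser executing the script and invoking cb(data).
    const data = JSON.parse(res.body.slice('cb('.length, -2));
    sid = data.sid;
    seen.push(data.hits);
  }
  return { sid, seen };
}
```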