I have a Facebook application which runs within the Facebook frame. Everything works fine. I'm using the Facebook C# SDK to authenticate the user. Then I store several pieces of information, e.g. the user's name and his Facebook ID, in session variables. Everything worked fine until a betatester complained that he was not able to use the application. Checking his settings showed that he uses IE 9. That should not be the problem, just a side note: all others use Firefox and Chrome... However, taking a closer look showed that his session cookies are lost! I could store them and immediately retrieve them, but if I wanted to access them in another part two seconds later they were gone. I've tried with my own IE 9 and it's the same result: session cookies are lost. Firefox, Chrome and Opera work fine. So what's the difference with IE? I have another app where each user has to authenticate with Facebook, but there the app does not run within the Facebook frame but in a separate window, and there everything is working fine...
I found several different places with small pieces of explanation, e.g. images without a URL, and several solutions, e.g. adding my site to the trusted sites in each IE, and after some articles I found the reason: the Platform for Privacy Preferences (P3P) Project.
Wikipedia says: "The Platform for Privacy Preferences Project, or P3P, is a protocol allowing websites to declare their intended use of information they collect about browsing users. Designed to give users more control of their personal information when browsing, P3P was developed by the World Wide Web Consortium (W3C) and officially recommended on April 16, 2002." So why does this disturb IE9 and not Firefox? And why only within the Facebook frame and not standalone?
- Block third-party cookies that save information that can be used to contact you without your explicit consent
The W3C defines the P3P standard. As I'm probably not the first one searching for it, I hoped to find a simple editor which creates such files for me and I'd be done. Unfortunately it's a bit more complicated. There are some online services offering to create P3P files, but before spending money I tried to find some free ones. Surprisingly there are not too many; most websites recommend the 'P3P Policy Editor' from IBM's alphaWorks. It can be downloaded from IBM's download page.
If you are using it for the first time it might be confusing (at least it was for me), so I was happy to find the section 'An example' on Content With Style. This helped me to create the necessary files. When you are done, save your files in all available options:
- 'Save Policy as...' policy.xml
- 'Save HTML as...' privacy.html
- 'Save Compact policy as...' compact.txt
Changes on IIS Configuration
Now go to your server's IIS and change the HTTP Response Headers for your site. Add a new element called 'p3p' and copy the text from compact.txt as the value:
Also create a new directory 'w3c' in your root directory. Before uploading the other files, a change has to be made to p3p.xml (example file below) according to this answer on ExpertsExchange: the POLICY-REF has to be updated.
When this is done, upload p3p.xml, privacy.xml and privacy.html to the w3c directory in your root. Use the P3P Validator from the W3C to check whether all settings are correct. If not, follow the advice from the W3C and update your links or other settings.
<META xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY-REFERENCES>
    <POLICY-REF about="https://[your domain here].com/w3c/policy.xml#PrivacyPolicy">
      <INCLUDE>/*</INCLUDE>
      <COOKIE-INCLUDE/>
    </POLICY-REF>
  </POLICY-REFERENCES>
</META>
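Two of the mistakes above are easy to catch before deploying: a compact-policy header with a token IE will not recognise, and a p3p.xml whose POLICY-REF still carries the placeholder or lacks COOKIE-INCLUDE. This added example (mine, not from the post or the IBM editor) checks both offline against constructed sample data; it only checks form and the reference file, not whether IE rates the policy as satisfactory, which is what the W3C validator mentioned above does.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# P3P 1.0 compact-policy vocabulary; purpose/recipient tokens may carry an
# a/i/o suffix (always / opt-in / opt-out), the others never do.
SUFFIXED = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON",
            "HIS", "TEL", "OTP", "OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
PLAIN = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON", "DSP", "COR", "MON", "LAW",
         "NID", "NOR", "STP", "LEG", "BUS", "IND", "PHY", "ONL", "UNI", "PUR",
         "FIN", "COM", "NAV", "INT", "DEM", "CNT", "STA", "POL", "HEA", "PRE",
         "LOC", "GOV", "OTC", "TST"}
P3P_NS = "{http://www.w3.org/2002/01/P3Pv1}"

def check_compact_policy(header_value):
    """Return the tokens of a P3P header value (CP="...") that are not in the
    vocabulary; an empty list means the header is well-formed."""
    m = re.fullmatch(r'\s*CP="([^"]*)"\s*', header_value)
    if not m:
        return ['malformed: expected CP="..."']
    bad = []
    for tok in m.group(1).split():
        if len(tok) == 4 and tok[-1] in "aio" and tok[:-1] in SUFFIXED:
            continue  # e.g. CURa
        if tok not in PLAIN and tok not in SUFFIXED:
            bad.append(tok)
    return bad

def check_policy_ref(xml_text, site_host):
    """Check a p3p.xml reference file: each POLICY-REF 'about' must be an absolute
    URL on site_host with a #fragment naming the policy, plus COOKIE-INCLUDE."""
    problems = []
    for ref in ET.fromstring(xml_text).iter(f"{P3P_NS}POLICY-REF"):
        about = ref.get("about", "")
        if "[" in about:  # the [your domain here] placeholder was never replaced
            problems.append(f"about still contains a placeholder: {about}")
        else:
            u = urlparse(about)
            if u.scheme not in ("http", "https") or u.netloc != site_host or not u.fragment:
                problems.append(f"about does not name a policy on {site_host}: {about}")
        if ref.find(f"{P3P_NS}COOKIE-INCLUDE") is None:
            problems.append("POLICY-REF lacks COOKIE-INCLUDE; cookies are not covered")
    return problems

# Constructed samples: a header value as pasted into IIS, and the post's
# reference file with its placeholder still in place.
SAMPLE_HEADER = 'CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT STA"'
SAMPLE_P3P_XML = """<META xmlns="http://www.w3.org/2002/01/P3Pv1"><POLICY-REFERENCES>
<POLICY-REF about="https://[your domain here].com/w3c/policy.xml#PrivacyPolicy">
<INCLUDE>/*</INCLUDE><COOKIE-INCLUDE/></POLICY-REF></POLICY-REFERENCES></META>"""
```

Run `check_policy_ref(SAMPLE_P3P_XML, "yourdomain.com")` before uploading; it reports the unreplaced placeholder, and returns an empty list once the about URL points at your own host.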
Other Helpful Resources
- Brilliant explanation on Stack Overflow.
- EricLaw’s IEInternals: Understanding Cookie Controls
- MSDN: How to Deploy P3P Privacy Policies on Your Web Site