Session Cookies lost in Internet Explorer IE9 ..

or: How to create P3P (privacy policy) Files for IIS.

I have a facebook application which runs within the facebook frame. Everything works fine. I’m using Facebook C# SDK to authenticate the user. Then I store several information, e.g. users name and his facebook id, in session variables. Everything works fine but I betatester complained that he is not able to use the application. Checking his settings shows that he uses IE 9. That should not be the problem, just a side note: All others use Firefox and Chrome…. However, taking a closer look shows that his session cookies are lost! I could store them and immediately retrieve them, but if I want to access them in another part 2 seconds later they are gone. I’ve tried with my own IE 9 and it’s the same result: Session Cookies are lost. Firefox, Chrome and Opera work fine. So what’s the difference with IE? I have another app where each user has to authenticate with Facebook but there the app does not run within the facebook frame but in a seperate window, and there everything is working fine…

I found several different places with several small parts of explanations, e.g. Images without URL, and several solutions, e.g. add my site to the trusted sites in each IE, and after some articles I found the reason: The Platform for Privacy Preferences (P3P) Project.

Wikipedia says: “The Platform for Privacy Preferences Project, or P3P, is a protocol allowing websites to declare their intended use of information they collect about browsing users. Designed to give users more control of their personal information when browsing, P3P was developed by the World Wide Web Consortium (W3C) and officially recommended on April 16, 2002.” So why does this disturb IE9 and not Firefox? And only within the facebook frame and not as standalone?

P3P should make the privacy policy of each domain readable for machines, especially browsers. My page did not have such, probably like most other home-made sites. Most browsers don’t bother about missing privacy policy, but IE does. But only from third party. It’s also written in the Privacy tab of Internet explorer. Default privacy setting is ‘Medium’ which means

  • Block third-party cookies that do not have a compact privacy policy
  • Block third-party cookies that save information that can be used to contact you without your explicit consent

So in my case my application is ‘”third-party” because it runs in the Facebook Frame at url . For you it’s easy to find out whether it’s the same case: In IE click ‘View’ –> ‘Webpage Privacy Policy’. If your domain is blocked than you probably need a privacy policy.

What is a privacy policy and how to get one?

W3C defines P3P standards. As I’m probably not the first one searching for it I hoped to find a simple editor which creates such files for me and I’m done. Unfortunately it’s a bit more complicated Trauriges Smiley There are some online services offering to create P3P files but before spending money I tried to find some free services. Surprisingly there are not too many, most websites recommend ‘P3P Policy Editor’ from IBMs Alphaworks. It could be downloaded from IBMs Download page.

If you are using it for the first time it might be confusing (at least for me) so I’m happy to find section ‘An example’ on Content With Style. This helped me to create the necessary files. When you are done, save your files in all available options:

  • ‘Save Policy as’… policy.xml
  • ‘Save HTML as’ … privacy.html
  • ‘Save Compact policy as’…. compact.txt

Changes on IIS Configuration

Now go to your servers IIS and change the HTTP Response Header for your site. Add a new element called ‘p3p’ and copy the text from compact.txt as value:

Also create a new directory ‘w3c’ in your root directory. Before uploading the other files, a change has to be made to p3p.xml (example file below) according to this answer on ExpertsExchange: Policy-Ref has to be updated.

When this is done, upload p3p.xml, privacy.xml and privacy.html to w3c-directory in your root. Use the P3P Validator from W3C to check whether all settings are correct. If not, take care about the advices from W3C and update your links or else.

Live Test

Now open your app again in IE. You should see that session cookies are now stored as expected. You could confirm this when you again check ‘View’ –> ‘Webpage Privacy Policy’: Your domain should not be blocked anymore!

Example P3P.XML

<META xmlns="">
    <POLICY-REF about="https://[your domain here].com/w3c/policy.xml#PrivacyPolicy">


Other Helpful Resources

Leave a Comment