IE 11 first-party session cookies being lost in iframe

Question

We have a site (www.example.com) which sends users off to a series of third party pages to verify payment details, which we do in an iframe. Initially, a local page from www.example.com is loaded in the iframe, and the user is redirected to the third party URL. Once the third party steps are completed by the user, they are 302 redirected back to a page on our site (www.example.com) within the iframe.

This works in all browsers we've tested except IE 11, where our cookies appear to be lost. We have checked this under both Windows 7 and 8.1, in both desktop and "Metro" modes, and the problem is across all versions.

When a user browses our site we set a session cookie, which is correctly sent to the first-party page that is initially loaded in the iframe. Once the user has gone through some third-party pages in this iframe however, the session cookie isn't sent with the next request.

If we set IE 11's privacy setting to the lowest value, this issue disappears and things work as expected.

All potential solutions I've turned up so far have related to P3P headers. We have a valid and correct P3P header and XML policy file set up, and this problem only occurs in IE 11.

Update: We have a few other cookies set using JS. These are all persisting as expected. The differences are the expiry date (1 year for JS cookies, 1 month for session cookie), the domain (explicitly "example.com" for JS cookies, empty for session cookie) and whether they are "HTTP only" (false for JS cookies, true for session cookie).

I have tried setting all of these options as per the JS cookies for the session cookie, but it made no difference.

Update 2: After more testing I have been unable to create a test case that recreates this problem. Any additional cookies I try testing with in the live code however also appear to be broken, even if they are set with exactly the same code as the JS cookies which work. In short; I've not yet found any pattern to the cookies which work and those which don't.

One potentially interesting thing to note is that the cookies aren't being deleted, they're just not being sent to the final request. If another page is loaded, the cookies magically reappear and are sent; which leads me to believe this is a bug surrounding iframes and P3P.

Update 3 (day 3): IE 11's handling of cookies continues to confound me. The further I travel into Microsoft's labyrinth the more lost I become amongst its shifting walls. And there are ghosts in here. Fragments of half-dreamt security policies that have woven themselves into some ethereal creature, which tracks and taunts me at every move. At first I was frozen, terrified, aghast at the barely fathomable form darting just out of sight, but with every passing hour I gather more comfort from the mere knowledge of its proximity. Could this be the very beast I have been sent here to confront? How could I slay my only companion in such times?

Accepted answer

We encountered a similar problem with Internet Explorer 11 where the session cookie went missing after a redirect over https.

The request chain looked like this:

initial request to / -> session cookie set -> redirect to an external URL -> redirect back (session cookie lost)

Our problem was due to an invalid host name according to RFC952, we had underscores in our test server URL. It seems that Internet Explorer silently drops the session cookie on redirect over https if the URL does not conform to RFC952. When using dashes instead of underscores, everything worked as expected.

The original solution was found in the Update 2 section of this asp.net blog post from 2004. Related Microsoft bug ticket here.

Hopefully this will help someone.
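As an added example (not part of the answer above), the check below validates every hostname in a redirect chain against the RFC 952 hostname grammar (as relaxed by RFC 1123), so a test server name containing an underscore is flagged before anyone spends days chasing lost cookies. The sample chain, `isValidHostname` and `findInvalidHops` are constructed for illustration.

```javascript
// Added example: flag redirect hops whose hostname violates RFC 952 / RFC 1123.
// Such hostnames are the trigger described in the answer above: IE 11 silently
// dropped the session cookie when redirecting over https to a host with an
// underscore in its name.

// One DNS label: letters, digits and hyphens only, 1-63 chars,
// and it may not start or end with a hyphen.
const LABEL_RE = /^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$/;

// Returns true only when every label of the hostname is valid
// and the whole name fits the 253-character limit.
function isValidHostname(host) {
  if (typeof host !== "string" || host.length === 0 || host.length > 253) {
    return false;
  }
  const trimmed = host.endsWith(".") ? host.slice(0, -1) : host;
  return trimmed.split(".").every((label) => LABEL_RE.test(label));
}

// Walk the list of URLs the browser follows (initial page, external
// verifier, return URL) and report each hop IE would treat as invalid.
function findInvalidHops(chain) {
  const bad = [];
  for (const url of chain) {
    let host;
    try {
      host = new URL(url).hostname; // WHATWG URL parsing accepts underscores
    } catch (e) {
      bad.push({ url, reason: "unparseable URL" });
      continue;
    }
    if (!isValidHostname(host)) {
      bad.push({ url, reason: `hostname "${host}" violates RFC 952/1123` });
    }
  }
  return bad;
}

// Constructed sample chain mirroring the answer:
// / -> session cookie set -> external URL -> redirect back (cookie lost).
const SAMPLE_CHAIN = [
  "https://test_server.example.com/",
  "https://verify.third-party.example/step1",
  "https://test_server.example.com/payment/return",
];

for (const hop of findInvalidHops(SAMPLE_CHAIN)) {
  console.log(`${hop.url}: ${hop.reason}`);
}
```

Renaming the test host to `test-server.example.com` makes the chain pass cleanly, which matches the fix the answer describes.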
