IE 11 first-party session cookies being lost in iframe

Problem description

We have a site (www.example.com) which sends users off to a series of third party pages to verify payment details, which we do in an iframe. Initially, a local page from www.example.com is loaded in the iframe, and the user is redirected to the third party URL. Once the third party steps are completed by the user, they are 302 redirected back to a page on our site (www.example.com) within the iframe.

This works in all browsers we've tested except IE 11, where our cookies appear to be lost. We have checked this under both Windows 7 and 8.1, in both desktop and "Metro" modes, and the problem is across all versions.

When a user browses our site we set a session cookie, which is correctly sent to the first-party page that is initially loaded in the iframe. Once the user has gone through some third-party pages in this iframe however, the session cookie isn't sent with the next request.

If we set IE 11's privacy setting to the lowest value, this issue disappears and things work as expected.

All potential solutions I've turned up so far have related to P3P headers. We have a valid and correct P3P header and XML policy file set up, and this problem only occurs in IE 11.

Update: We have a few other cookies set using JS. These are all persisting as expected. The differences are the expiry date (1 year for JS cookies, 1 month for session cookie), the domain (explicitly "example.com" for JS cookies, empty for session cookie) and whether they are "HTTP only" (false for JS cookies, true for session cookie).

I have tried setting all of these options as per the JS cookies for the session cookie, but it made no difference.

Update 2: After more testing I have been unable to create a test case that recreates this problem. Any additional cookies I try testing with in the live code however also appear to be broken, even if they are set with exactly the same code as the JS cookies which work. In short; I've not yet found any pattern to the cookies which work and those which don't.

One potentially interesting thing to note is that the cookies aren't being deleted, they're just not being sent to the final request. If another page is loaded, the cookies magically reappear and are sent; which leads me to believe this is a bug surrounding iframes and P3P.

Update 3 (day 3): IE 11's handling of cookies continues to confound me. The further I travel into Microsoft's labyrinth the more lost I become amongst its shifting walls. And there are ghosts in here. Fragments of half-dreamt security policies that have woven themselves into some ethereal creature, which tracks and taunts me at every move. At first I was frozen, terrified, aghast at the barely fathomable form darting just out of sight, but with every passing hour I gather more comfort from the mere knowledge of its proximity. Could this be the very beast I have been sent here to confront? How could I slay my only companion in such times?

Recommended answer

We encountered a similar problem with Internet Explorer 11 where the session cookie went missing after a redirect over https.

The request chain looked like this:

initial request to / -> session cookie set -> redirect to an external URL -> redirect back (session cookie lost)

Our problem was due to an invalid host name according to RFC952, we had underscores in our test server URL. It seems that Internet Explorer silently drops the session cookie on redirect over https if the URL does not conform to RFC952. When using dashes instead of underscores, everything worked as expected.

The original solution was found in the Update 2 section of this asp.net blogpost from 2004 (http://weblogs.asp.net/bleroy/Don_2700_t-redirect-after-setting-a-Session-variable-_2800_or-do-it-right_2900_). Related Microsoft bug ticket here.

Hope this helps someone.
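
A check for the hostname condition described in the answer above, as an added example that is not part of the original post: it audits a list of URLs and reports hosts whose labels break the letters/digits/hyphen rule of RFC 952 as relaxed by RFC 1123 (leading digits and longer names allowed). The function names `checkHostname` and `auditUrls` are hypothetical and the sample URLs are constructed.

```javascript
// Each dot-separated label: letters, digits, hyphens; no leading/trailing hyphen; max 63 chars.
const LABEL_RE = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i;

// Returns a list of human-readable problems; an empty list means the name conforms.
function checkHostname(hostname) {
  const problems = [];
  const host = hostname.replace(/\.$/, ""); // tolerate a trailing root dot
  if (host.length === 0 || host.length > 253) {
    problems.push("hostname length must be 1..253 characters");
  }
  for (const label of host.split(".")) {
    if (label.length === 0) {
      problems.push("empty label");
    } else if (label.length > 63) {
      problems.push(`label "${label}" is longer than 63 characters`);
    } else if (label.includes("_")) {
      // The case from the answer: underscores in a test server name.
      problems.push(`label "${label}" contains an underscore`);
    } else if (!LABEL_RE.test(label)) {
      problems.push(`label "${label}" has invalid characters or a leading/trailing hyphen`);
    }
  }
  return problems;
}

// Audits every URL in a redirect chain or environment list (IP literals are out of scope).
function auditUrls(urls) {
  return urls.map((u) => {
    const hostname = new URL(u).hostname;
    const problems = checkHostname(hostname);
    return { url: u, hostname, ok: problems.length === 0, problems };
  });
}

// Constructed sample input: one underscore host, one dashed host, the page's example domain.
const SAMPLE_URLS = [
  "https://test_server.example.com/checkout",
  "https://test-server.example.com/checkout",
  "https://www.example.com/return",
];

for (const r of auditUrls(SAMPLE_URLS)) {
  console.log(r.ok ? "OK  " : "FAIL", r.hostname, r.problems.join("; "));
}
```

Running this over the hostnames of every environment (dev, test, staging) before debugging cookie or P3P settings rules out the naming cause first.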
