iframe中session失效问题,rails应用与iis的解决方案

在iframe 嵌入跨域网站时，session丢失问题其根源也是由于iframe跨站点cookie被阻导致session失效。如果两个站点都是相同的父域名就没有这个问题。

 

问题原因：

 

IE6/IE7支持的P3P(Platform for Privacy Preferences Project (P3P) specification)协议默认阻止第三方无隐私安全声明的cookie，Firefox目前还不支持P3P安全特性，firefox中自然也不存在此问题了。Mircosoft对此的具体描述可以参见 Privacy in Internet Explorer 6

 

解决方法:

 

A、Rails

 

 

before_filter :send_header
def send_header
  response.headers['P3P'] = 'CP="CAO PSA OUR"'
end

 

B、IIS

 

 

 

1.打开IIS管理器 inetmgr
2.选择被嵌入iframe源站点或者目录，右键点击打开属性框
3.切换到HTTP头
4.添加
5.自定义HTTP头名: P3P
6.自定义HTTP头值: CP=”CAO PSA OUR”
7.关闭属性框退出，即刻生效

 

 

至于上面CAO PSA OUR的具体意思，请参考文章:Privacy in Internet Explorer 6

 

Rails and IFrames - Issues with Internet Explorer sessions
While using our new Share-It iframe for a project we came across a strange session issue with internet explorer that was tough to track down a solution to.  

Basically we were loading an iframe with some parameters that were saved in a session, this worked fine on all browsers except for internet explorer.  

Every request had a new session id, so the issue had to be with the cookies.  As it turns out using an iframe from a different domain name is considered "third-party" and IE blocks the cookies unless....

You set this ( P3P compact policy ) response header.

P3P: CP="CAO PSA OUR"more details about the header and what it means can be found here.

you can easily do this in a controller using this call in a before filter with this line:

response.headers['P3P'] = 'CP="CAO PSA OUR"

Since the issue was harder to find a solution to than it should have been we decided it would make a good first development post from the Sympact team. Expect More...