Internet Explorer Clears PHP Session Cookies
I set a session cookie in a PHP script accessed via an iframe in a Google Site as a gadget. The PHP script checked the user and, if OK, set the session cookie so that they could access secure information on another system on the same domain as the first PHP script. Once the cookie was set, I used a redirect to let the user access the secure information:
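<?php
// $user is assumed to hold the result of the user check done earlier in this script.
if ($user == 'ok')
{
    session_start();
    $_SESSION['allowed'] = 1;
    header("Location: securepage.php");
    exit; // stop here so nothing below runs after the redirect is sent
}
?>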
This worked fine in Firefox and Chrome but not in Internet Explorer 7. Having debugged the code, I realised that the $_SESSION['allowed'] = 1 was not making it to the secure information PHP script. Internet Explorer was deleting or not receiving the PHP session information.
This appears to be a security measure in Internet Explorer 6, 7 and potentially 8. In any case, the fix is to do the following in the first PHP script, where you start the session.
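<?php
// $user is assumed to hold the result of the user check done earlier in this script.
if ($user == 'ok')
{
    session_start();
    // Compact P3P policy sent alongside the session cookie so that Internet Explorer keeps it
    header('P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"');
    $_SESSION['allowed'] = 1;
    header("Location: securepage.php");
    exit; // stop here so nothing below runs after the redirect is sent
}
?>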
This extra P3P header tells Internet Explorer to accept the cookies from the first PHP script as it links or redirects to securepage.php. I am not sure why IE would interpret doing this as a security threat, but it could be to do with doing a header("Location... from within an iframe. The security level in Internet Explorer was set to medium-high.
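The post does not show securepage.php. As an added example (not the author's code), here is one way to write its check so that a session cookie the browser never sent back, the Internet Explorer symptom described above, is logged separately from a session that simply lacks the allowed flag. The function name access_state and the log format are assumptions.

```php
<?php
// securepage.php (added example; access_state() and the log line are assumptions,
// not part of the original post).

/**
 * Classify the request:
 *   'no_cookie'   - the browser did not return the session cookie at all
 *   'allowed'     - the session exists and carries the flag set by the first script
 *   'not_allowed' - a session cookie arrived but the flag is missing
 */
function access_state(array $cookies, array $session, string $cookieName): string
{
    if (!isset($cookies[$cookieName])) {
        return 'no_cookie';
    }
    if (isset($session['allowed']) && $session['allowed'] === 1) {
        return 'allowed';
    }
    return 'not_allowed';
}

session_start();

// $_COOKIE reflects only what the browser sent with this request, so a cookie
// that was blocked on the previous response shows up here as missing.
$state = access_state($_COOKIE, $_SESSION, session_name());

if ($state !== 'allowed') {
    // Keep only printable ASCII from the User-Agent before writing it to the log.
    $ua = preg_replace('/[^\x20-\x7E]/', '?', $_SERVER['HTTP_USER_AGENT'] ?? '-');
    error_log('securepage.php denied (' . $state . ') UA=' . $ua);

    header('HTTP/1.1 403 Forbidden');
    exit('Access denied');
}

// The secure information is output only after this point.
echo 'Secure information';
```

A run of no_cookie entries for one browser family in the log points at the cookie being dropped on the client rather than at the user check failing.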