Losing asp.net session in popup. Only in IE and on

Posted 2019-08-16 19:24

Question:

I have an asp.net web page with an integrated iframe. From within this iframe I call window.open to open a popup window. The popup url is absolute but within the same domain.

For approximately 1% of users using Internet Explorer (multiple versions) the asp.net session object is lost (null) in the popup window.

I have tried gathering setup information to identify a pattern from a group of users but with no result. A theory was that they were all Citrix clients but that was not the case.

Has anybody experienced something similar and solved it?

Answer 1:

I'm guessing that your site does not have a valid P3P header defining how you track users, so IE won't forward [session] cookies with the HTTP requests.

You can verify this by adding an example P3P-header in web.config. You will need to learn what the different tokens mean, and if this example header matches your use-case or if you need to create your own.

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="P3P" value="CP=&quot;NON COR CUR OUR BUS NAV&quot;" />
    </customHeaders>
  </httpProtocol>
</system.webServer>


Answer 2:

For us, ASP.NET: Popup browser windows and session cookies had the relevant answer. In our case, a Jetty webserver is used, so be careful what you filter.

Starting the browser from a "regular" shortcut on the desktop referring to the website. With IE8. (I didn't find my MSDN reference, but I think it's Windows XP only.) Note: Citrix users often are forced to use the links on the desktop. So this might resolve the Citrix part of the issues.

There are more very similar questions on here. Have you checked out all the posts here on stackoverflow including:

  1. IE8 losing session cookies in popup windows (which was also suggested as an answer to a similar issue regarding IE7: ASP.NET 2.0 Session variables lost in pop up window in IE 7 when deployed on server )
  2. IE8 loses cookies when opening a new window after a redirect (also referred to in the first question) is an issue with a popup being opened from a modal popup or somesuch. IE 8 beta release, so probably irrelevant.
  3. IE8 losing session details (bug in a java library, so probably also not relevant)

If I had to sum up:

  1. There are a lot of issues which appear to have asp.net in common. Try looking through them.
  2. You say no specific Internet Explorer versions appear affected. That means you might be looking at different issues for different versions of IE.
  3. a) I think stackoverflow should have most answers.


Answer 3:

Follow the guidelines here: http://www.w3.org/P3P/details.html

You should construct your own P3P policy.

As an example, if you add this to your Global.asax, it works in IE8:

protected void Application_BeginRequest(object sender, EventArgs e)
{
     HttpContext.Current.Response.AddHeader("p3p", "CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");
}

BUT!!! Don't just copy the above sample, as the policy has to reflect your actual privacy policy on your website. Otherwise this might have implications later when browsers validate your content/behaviour compared to what you have stated.

No one would like to get blacklisted from certain browser vendors, right?
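
Added example (not part of any answer above, and not code from the posters): a small Python check that reads raw HTTP response heads and reports whether a response that sets the ASP.NET session cookie also carries a P3P header with a quoted compact policy, which is the condition Answers 1 and 3 try to satisfy. The function names and the sample responses are constructed for illustration; `ASP.NET_SessionId` is assumed to be the session cookie name (the ASP.NET default).

```python
import re

SESSION_COOKIE = "ASP.NET_SessionId"       # assumed: ASP.NET's default session cookie name
CP_RE = re.compile(r'CP\s*=\s*"([^"]*)"')  # compact policy in the quoted form the answers use

def parse_head(raw_head):
    """Return [(lower-cased name, value)] for each header line of a response head."""
    headers = []
    for line in raw_head.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break                           # blank line ends the head
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers

def audit_response(raw_head):
    """Report whether the session cookie is set and whether a quoted P3P CP is sent."""
    headers = parse_head(raw_head)
    cookies = [v.split("=", 1)[0].strip() for n, v in headers if n == "set-cookie"]
    p3p = [v for n, v in headers if n == "p3p"]  # header names are case-insensitive
    tokens, problems = [], []
    if not p3p:
        if SESSION_COOKIE in cookies:
            problems.append("session cookie set without a P3P header")
    else:
        match = CP_RE.search(p3p[0])
        if match is None:
            problems.append('P3P header has no quoted CP="..." policy')
        elif not match.group(1).split():
            problems.append("compact policy is empty")
        else:
            tokens = match.group(1).split()
    return {"sets_session": SESSION_COOKIE in cookies, "tokens": tokens, "problems": problems}

# Constructed sample response heads (not captured traffic).
SAMPLES = {
    "no_p3p": "HTTP/1.1 200 OK\r\nSet-Cookie: ASP.NET_SessionId=abc123; path=/; HttpOnly\r\n\r\n",
    "answer1": 'HTTP/1.1 200 OK\r\nP3P: CP="NON COR CUR OUR BUS NAV"\r\n'
               "Set-Cookie: ASP.NET_SessionId=abc123; path=/; HttpOnly\r\n\r\n",
    "answer3": 'HTTP/1.1 200 OK\r\np3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi '
               'CONi HIS OUR IND CNT"\r\n\r\n',
    "unquoted": "HTTP/1.1 200 OK\r\nP3P: CP=NON COR CUR\r\n\r\n",
}

if __name__ == "__main__":
    for name, head in SAMPLES.items():
        print(name, audit_response(head))
```

The check only confirms that the header is present and well-formed; it does not tell you whether the tokens match the site's actual privacy policy, which is the point Answer 3 stresses.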