Announcement

Collapse
No announcement yet.

External Domain Redirection and IE 6 Cookie Problem

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • External Domain Redirection and IE 6 Cookie Problem

    (I am looking for a way to fix the following problem without doing the workarounds that I found below. It took me quite a while to write the following, so I hope to find someone that will be able to help me)

    --- DESCRIPTION OF PROBLEM ---

    If you use a Domain Redirector (ie: http://www.domain.com) that points to a Message Board (ie: http://www.togrc.com/forums/index.php), there is a problem for INTERNET EXPLORER 6 users to use cookies on the site.

    By default, IE 6 have a Default Privacy Security of "Medium". The following describes the setting :

    "The Medium privacy setting blocks third-party cookies that do not have a compact policy (a condensed computer-readable privacy statement) or third-party cookies that have a compact policy that specifies that personally identifiable information is used without your implicit consent. First-party cookies that have a compact policy that specifies that personally identifiable information is used without implicit consent are "downgraded" (deleted when you close Internet Explorer). First-party cookies
    that do not have a compact policy are "leashed" (restricted so that they can only be read in the first-party context). Cookies that had been stored on your computer before you installed Internet Explorer 6 are also leashed."

    The problem in this case is that the Domain Redirector is not sending the privacy statement of the site with the header. It means that IE 6 does *NOT* see any Privacy Statement for the Cookies.

    In order for IE 6 to see a privacy statement to know if it should ACCEPT or REFUSE the cookies, the privacy control must be send in the HEADER as a CONDENSED PRIVACY.

    Here is what a redirect domain sends (this is taken from an actual domain redirector to one of the message board) :

    Cache-Control: private
    Connection: close
    Date: Fri, 09 Aug 2002 15:01:44 GMT
    Server: Microsoft-IIS/5.0
    Content-Length: 562
    Content-Type: text/html
    Client-Date: Fri, 09 Aug 2002 15:01:44 GMT
    Client-Response-Num: 1

    Now, here is part of the Header that is send if you directly use the URL of the Message Board.

    The following is the header send from http://www.togrc.com/forums/ :

    Connection: close
    Date: Fri, 09 Aug 2002 15:06:59 GMT
    Server: Apache/1.3.26 (Unix) DAV/1.0.3 mod_throttle/3.1.2 mod_bwlimited/1.0
    PHP/4.2.2 mod_log_bytes/0.3 FrontPage/5.0.2.2510 mod_ssl/2.8.9
    OpenSSL/0.9.5a
    Content-Length: 27165
    Content-Type: text/html
    Client-Date: Fri, 09 Aug 2002 15:06:52 GMT
    Client-Response-Num: 1
    P3P: policyref="http://www.togrc.com/w3c/p3p.xml" CP="NON CURa ADMa TAIa OUR
    BUS IND UNI COM NAV"
    Set-Cookie: sessionhash=1e3026c99d02b47a81d36a6016c9995c; path=/
    Set-Cookie: bblastvisit_=1028905620; expires=Sat, 09-Aug-03 15:07:00 GMT;
    path=/
    X-Powered-By: PHP/4.2.2

    The important part for the cookies control is the P3P: line.

    For additional information about Internet Explorer 6 Privacy Features, go to:
    http://msdn.microsoft.com/library/en...acyfeature.asp

    --- CONSEQUENCES ---

    The MEDIUM security control says :

    - Persistant cookie with no compact policy:
    * First-party context: LEASH
    * Third-party context: DENY

    Let say you use the domain "www.abc.com", the First-Party Context would be cookies from the "abc.com" domain, and cookies from the TOGRC site (Message Board) would be "Third-Party Context".

    Based on the above table, all cookies from TOGRC would be DENIED.

    As you can imagine, the consequences of this are terrible. The "Login Information" and other important cookies can not be set on the remote computer, which means that the Message Board will NEVER see the user as logged nor they can be TRACKED at all.

    *** THIS IS ONLY HAPPENING ON INTERNET EXPLORER 6 USERS. ALL OTHER BROWSERS ARE NOT USING THE P3P STANDARD.

    --- WORKAROUNDS ---

    Method 1
    =======
    - Click on the "Privacy Report" on the Status Bar (or do "View" - "Privacy Report...").
    - Locate the "Blocked" cookie from an entry starting with http://www.togrc.com
    - Double-Click on the Entry
    - Click on "Always allow this site to use cookies."
    - Reload the page (you might have to close the browser window and reopen it)

    Method 2
    =======
    Instead of going through the Domain, use the direct link to the Message Board (http://www.togrc.com/forums/)

    Method 3 (vBulletin Only)
    =======
    vBulletin offer an option to not use cookies for site navigation. But, you will not be able to save your Username/Password between each session.

    To set vBulletin to not use cookies, do the following :
    - Click on "User CP"
    - Click on "Edit Options"
    - Change the option of "Browse board with cookies?" to "No"
widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
Working...
X