Cross-site Session loss problem


If site A embeds a page from site B and a Session is created on site B, then after navigating from site A to site B, site B's Session is gone!

The original Session can no longer be retrieved.

After some diligent searching, a colleague found the corresponding solution; the details are as follows:

http://support.microsoft.com/kb/323752/ (machine translated, terrible!)

http://support.microsoft.com/kb/323752/en-us

Session variables are lost if you use FRAMESET in Internet Explorer 6

Article ID : 323752
Last Review : April 21, 2006
Revision : 3.0
This article was previously published under Q323752

SYMPTOMS

If you implement a FRAMESET whose FRAMEs point to other Web sites on the networks of your partners or inside your network, but you use different top-level domain names, you may notice in Internet Explorer 6 that any cookies you try to set in those FRAMEs appear to be lost. This is most frequently experienced as a loss of session state in an Active Server Pages (ASP) or ASP.NET Web application. You try to access a variable in the Session object that you expect to exist, and a blank string is returned instead.

You also see this problem in a FRAMEs context if your Web pages alternate between the use of Domain Name System (DNS) names and the use of Internet Protocol (IP) addresses.

CAUSE

Internet Explorer 6 introduced support for the Platform for Privacy Preferences (P3P) Project. The P3P standard notes that if a FRAMESET or a parent window references another site inside a FRAME or inside a child window, the child site is considered third party content. Internet Explorer, which uses the default privacy setting of Medium, silently rejects cookies sent from third party sites.

RESOLUTION

You can add a P3P compact policy header to your child content, and you can declare that no malicious actions are performed with the data of the user. If Internet Explorer detects a satisfactory policy, then Internet Explorer permits the cookie to be set.

Visit the following MSDN Web site for a complete list of satisfactory and unsatisfactory policy codes:

Privacy in Internet Explorer 6
http://msdn.microsoft.com/workshop/security/privacy/overview/privacyie6.asp

A simple compact policy that fulfills these criteria follows:

P3P: CP="CAO PSA OUR"
This code sample shows that your site provides you access to your own contact information (CAO), that any analyzed data is only "pseudo-analyzed", which means that the data is connected to your online persona and not to your physical identity (PSA), and that your data is not supplied to any outside agencies for those agencies to use (OUR).

You can set this header with the Response.AddHeader method in an ASP page. In ASP.NET, you can use the Response.AppendHeader method. For a static file, you can use the IIS Management Snap-In (inetmgr) to add the header.
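To make the cause and the fix concrete, here is an added example (not part of the KB article or the blog post) that models the decision described above: a frame is third-party content when its host lies outside the top-level document's domain or when one side is an IP literal and the other a DNS name, and a third-party Set-Cookie is kept only if a P3P compact policy accompanies it. The "satisfactory policy" check is simplified to "a CP token list is present" (an assumption; the real check consults the MSDN token list), and the two-label registrable-domain rule is likewise a simplification.

```python
import ipaddress
import re

def registrable_domain(host: str) -> str:
    """Crude public-suffix approximation (assumption): last two labels."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def is_third_party(top_host: str, frame_host: str) -> bool:
    """Frame content counts as third party when it is outside the parent's
    domain, or when DNS names and IP addresses are mixed (KB symptoms)."""
    if is_ip(top_host) or is_ip(frame_host):
        return top_host.lower() != frame_host.lower()
    return registrable_domain(top_host) != registrable_domain(frame_host)

_CP_RE = re.compile(r'CP\s*=\s*"([^"]*)"', re.IGNORECASE)

def compact_policy_tokens(headers: dict) -> list:
    """Extract CP tokens from a P3P response header:
    P3P: CP="CAO PSA OUR" -> ['CAO', 'PSA', 'OUR']."""
    for name, value in headers.items():
        if name.lower() == "p3p":
            m = _CP_RE.search(value)
            if m:
                return m.group(1).split()
    return []

def cookie_accepted(top_host: str, frame_host: str, headers: dict) -> bool:
    """IE6 at the default Medium setting: first-party cookies are accepted;
    third-party cookies are silently dropped unless a compact policy exists."""
    if not is_third_party(top_host, frame_host):
        return True
    return bool(compact_policy_tokens(headers))

# Constructed sample responses: the KB repro (frame pointed at an IP address)
# before and after adding the recommended header.
KB_REPRO_NO_HEADER = {"Set-Cookie": "ASPSESSIONID=abc; path=/"}
KB_REPRO_FIXED = {"Set-Cookie": "ASPSESSIONID=abc; path=/",
                  "P3P": 'CP="CAO PSA OUR"'}
```

Running cookie_accepted("www.example.com", "111.111.111.111", ...) with the two sample responses reproduces the symptom (session cookie dropped) and the resolution (cookie kept).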

Follow these steps to add this header to a static file:
1. Click Start, click Run, and then type inetmgr.
2. In the left navigation page, click the appropriate file or directory in your Web site to which you want to add the header, right-click the file, and then click Properties.
3. Click the HTTP Headers tab.
4. In the Custom HTTP Headers group box, click Add.
5. Type P3P for the header name, and then for the compact policy string, type CP=..., where "..." is the appropriate code for your compact policy.
Alternatively, Internet Explorer users can modify their privacy settings so that they are prompted to accept third party content. The following steps show how to modify the privacy settings:
1. Run Internet Explorer.
2. Click Tools, and then click Internet Options.
3. Click the Privacy tab, and then click Advanced.
4. Click to select the Override automatic cookie handling check box.
5. To allow ASP and ASP.NET session cookies to be set, click to select the Always allow session cookies check box.
6. To receive a prompt for any type of third party cookie, click Prompt in the Third-party Cookies list.

STATUS

This behavior is by design.

MORE INFORMATION


Steps to reproduce the behavior

1. Create a file named TestFrameset.asp.
2. Point one of the FRAMEs of the file to another computer on your network, by means of its IP address:
<HTML>
<FRAMESET ROWS="100%,*">
<FRAME src="http://111.111.111.111/testFrame.asp"></FRAME>
<FRAME src="about:blank"></FRAME>
</FRAMESET>
</HTML>
3. On the remote computer, create TestFrame.asp like the following example:
<HTML>
<BODY>
<%
' Print the value stored on the previous request, then set it for the next one
Response.Write "Session var is " & Session("TestVar")
Session("TestVar") = "Hello, world!"
%>
<FORM METHOD="POST">
<INPUT type="submit" value="Print TestVar">
</FORM>
</BODY>
</HTML>
4. Open TestFrameset.asp, and then submit the form.
Notice that after the submission the Session("TestVar") entry prints as empty, although it should contain "Hello, world!".

REFERENCES

For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
283185 (http://support.microsoft.com/kb/283185/) How to manage cookies in Internet Explorer 6
290333 (http://support.microsoft.com/kb/290333/) Description of Platform for Privacy Preferences (P3P) project
293222 (http://support.microsoft.com/kb/293222/) The default privacy settings for Internet Explorer 6
The concrete solution is:
Modify site B's IIS settings and add the header P3P: CP="CAO PSA OUR".