Facebook iframe not working in IE; session/login issue?
I have an issue with my Facebook canvas iframe application.
I'm using sessions to build a simple questionnaire-style application. There's a question on each page; when the form is submitted, the answer is stored in a session array and the page number is incremented by one, which then displays the next question. Simple stuff.
This app, however, works in every browser except Internet Explorer.
In Internet Explorer, on page change it appears to go through another page change which invalidates the session, and starts all over again. I've searched and searched, but can't seem to find the cause of this behaviour.
You might be experiencing a 3rd party cookie issue. If you are caught in a redirect loop this is probably the case.
Solution in PHP; add this:
header('P3P:CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"');
This cleared it right up for me. I was having a nasty redirect issue.
This allows cross-domain cookies to work for the page. As the cookie is being set for Facebook by your iframe, IE has to be told it's OK.
Quoting from http://adamyoung.net/IE-Blocking-iFrame-Cookies
"The problem lies with a W3C standard called Platform for Privacy Preferences or P3P for short. You can read all about the boring stuff via the link or else just install the P3P Compact Policy header below. This will allow Internet Explorer to accept your third-party cookie. You will need to send the header on every page that sets a cookie."
I suggest a different approach to this problem, without using P3P headers or other odd stuff. The problem arises because the two applications are hosted on different domains. In particular, when your application needs to start a session or to save a cookie on the client, any cookies or sessions you set will be considered ’3rd-party’. The only way you can successfully set sessions or cookies is if your users have visited your domain previously.
So my solution is:
- the hosting application, instead of showing the page with the iframe, first calls your application with a particular URL (e.g. www.yourappsite.com/customer=9rUwkNmawUELbB2).
- your application checks the token and verifies if it is valid (this step only if you need to discriminate among different customers)
- if OK, it sets a cookie on the client (you can do that because your app is not yet in an iframe)
- it then redirects the user to the original URL (the one which has the iframe that calls your app again).
From now on (until the first cookie is on the client) you can use sessions and cookies even if you are hosted in an iframe because your application is now trusted.
I successfully solved the issue without using P3P.
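The steps in the answer above, sketched in PHP as an added example (not code from the original post or from Facebook). Assumptions: the hosting page passes `customer` and `token` query parameters, the token is an HMAC-SHA256 of the customer id under a secret in the hypothetical `APP_BOUNCE_SECRET` environment variable, and the return URLs are a constructed allowlist.

```php
<?php
declare(strict_types=1);

// Constructed allowlist: customer id => page that embeds the iframe.
// Redirecting only to these fixed URLs keeps the endpoint from being an open redirect.
const RETURN_URLS = [
    'acme' => 'https://host.example/page-with-iframe',
];

// Assumed token scheme: hex HMAC-SHA256 of the customer id under a shared secret.
function token_is_valid(string $customer, string $token, string $secret): bool
{
    return hash_equals(hash_hmac('sha256', $customer, $secret), $token);
}

// Returns [HTTP status, redirect target or null] without touching global state.
function decide(array $query, string $secret): array
{
    $customer = $query['customer'] ?? null;
    $token    = $query['token'] ?? null;
    if ($secret === '') {
        return [500, null]; // fail closed when the secret is not configured
    }
    if (!is_string($customer) || !is_string($token)
        || !array_key_exists($customer, RETURN_URLS)
        || !token_is_valid($customer, $token, $secret)) {
        return [403, null];
    }
    return [302, RETURN_URLS[$customer]];
}

if (PHP_SAPI !== 'cli') {
    [$status, $location] = decide($_GET, (string) getenv('APP_BOUNCE_SECRET'));
    if ($status !== 302) {
        http_response_code($status);
        exit;
    }
    // This request is top-level, so the session cookie is set first-party.
    // SameSite=None plus Secure is what current browsers require before they
    // send a cookie on requests made from inside a cross-site iframe.
    session_set_cookie_params(['path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'None']);
    session_start();
    session_regenerate_id(true);
    $_SESSION['customer'] = $_GET['customer'];
    header('Location: ' . $location, true, 302);
    exit;
}
```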