I have a small PHP application running within an iframe, and have noticed that the session doesn't work in Internet Explorer 6 if the privacy setting is set at medium, but does work if the privacy setting is set at low. I think there's an issue with the cookie being a "third-party" cookie if it's in an iframe or something like that. Anyways, I would have thought that what would have happened in this case is that PHP would use the URL method of keeping track of session IDs instead of the cookie method. Also, session.use_trans_id is set to "On". Does anyone know why that URL method of session ID tracking doesn't automatically happen in this case?

    EDITED:
    I removed this post because I thought my sessions stopped working when setting use_cookies to 0, but I did something stupid so this post isn't relevant (though the message above is relevant).

      I'm posting what I found out today regarding this whole issue. There's not much info out there on this right now, so hopefully this post will help someone.

      One of the things that needs to be done (for IE6) when setting cookies (or simply using cookie sessions) from a page that's being called from an iframe is to set up a valid P3P policy file. The policy file is an XML file named p3p.xml. There's some good information on the W3C site, and there's a validator at the following URL: http://www.w3.org/P3P/validator.html
      This is an excellent validator. It will look for a file at yoursite.com/w3c/p3p.xml. This is a "well-known" location for P3P files.

      In addition to having a valid P3P file, you also must set a P3P header using PHP (or Apache using mod_headers).

      Here's the PHP I used to make it work.
      header("P3P: CP=\"NOI DSP COR NID ADMa OPTa OUR NOR\" policyref=\"/w3c/p3p.xml\"");

      I also added an HTML <link> head element on every page to link to the policy file:
      <link rel="P3Pv1" href="/w3c/p3p.xml">

      There are some policy file writers out there, but I didn't want to spend the money, so I found an example p3p.xml file on another site and tailored it to my needs. After creating the policy file (XML) and your human-readable policy page (HTML), make sure to validate the policy file using the tool on the W3C site.
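
A way to check the setup described in the post above: this added example (not the poster's code) audits a response's header block and flags any response that sets a cookie without a P3P header, or with a P3P header missing its compact policy or policyref. The function names and the sample responses are constructed for illustration; the header value is the one from the post.

```python
import re
from email.parser import Parser

# name="value" pairs as they appear in the header, e.g. CP="..." policyref="..."
_FIELD = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def parse_p3p(value):
    """Split a P3P header value into its compact-policy tokens and policyref."""
    fields = {k.lower(): v for k, v in _FIELD.findall(value or "")}
    return {"cp": fields.get("cp", "").split(), "policyref": fields.get("policyref")}


def audit_response(raw_headers):
    """Return a list of problems for one header block (status line removed)."""
    msg = Parser().parsestr(raw_headers, headersonly=True)
    if not msg.get_all("Set-Cookie"):
        return []  # nothing is being set, so there is nothing to check
    p3p = msg.get("P3P")  # header lookup is case-insensitive
    if p3p is None:
        return ["Set-Cookie without a P3P header"]
    parsed = parse_p3p(p3p)
    problems = []
    if not parsed["cp"]:
        problems.append("P3P header has no compact policy (CP)")
    if parsed["policyref"] is None:
        problems.append("P3P header has no policyref")
    return problems


# Constructed sample responses: one with the header from the post, one without.
WITH_P3P = (
    "Content-Type: text/html\n"
    "Set-Cookie: PHPSESSID=constructed123; path=/\n"
    'P3P: CP="NOI DSP COR NID ADMa OPTa OUR NOR" policyref="/w3c/p3p.xml"\n\n'
)
WITHOUT_P3P = (
    "Content-Type: text/html\n"
    "Set-Cookie: PHPSESSID=constructed123; path=/\n\n"
)

if __name__ == "__main__":
    for name, raw in (("with P3P", WITH_P3P), ("without P3P", WITHOUT_P3P)):
        print(name, "->", audit_response(raw) or "ok")
```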
