PHP Session / Cookie in Frames Using Internet Explorer

For the last couple hours, I’ve been frustrated trying to figure out why I’m having an issue creating a session cookie with PHP while browsing with Internet Explorer.  This was testing some software for work that I wrote, or I wouldn’t have been using Internet Explorer emoticon.

Here is the problem that I ran into.  There is a master page that is being ran on a seperate server than the one that will be displaying this content.  The master page displays my servers content in one of the child frames.  When using internet explorer with the default privacy setting, Medium, I am not able to create a session due to the fact that a cookie will not be accepted by Internet Explorer.

I have found a solution to this problem.  The situation is that when the frame has been created by one server, and the child frame then loads content from a second server, Internet Explorer treats all cookies from the second server (in the child frame) as 3rd party cookies.  Under the Medium privacy level, cookies are not allowed from the secondary server because Internet Explorer "Blocks third-party cookies that do not have a compact privacy policy".  To fix this problem, a compact privacy policy must be added to the headers sent to the client before a cookie is attempted to be created.  The quick way is to just send this string in a header to the client ‘P3P: CP="CAO PSA OUR"’.  To get a better understanding of a compact privacy policy, you can go to  There is a bunch of commercial software out there to help you create fully detailed compact privacy policies, or you can use the free one that I found at

One thing to note is that this issue does not only occur with PHP.  Just happens that’s what I was developing with when I found the issue.  It will occur with any development language that tries to create cookies in the situation where a compact privacy policy does not exist, internet explorer is set on medium privacy level, and a frame page served by one server loads a child frame from another server. 

Leave a comment ?


  1. crnbrdeater

    I realize this is an older post but thanks anyway. You just saved me a bunch of time.

  2. Thanks a lot! This really saved me from redoing a lot of work! 😀

  3. hmmm,, thats where i got stuck
    Thanks alot James,
    you saved my life =]

  4. heron silva

    (trying again without html chars)


    header(‘P3P: CP=”CAO PSA OUR”‘);


  5. On a different website I found this for PHP:


    Just add it in the beginning of the page where the cookies are send out.


  6. You have saved my life! LOL. Great!!!

  7. Thank you. I lost many time for fix this but you did it.


    work fine for me

  8. I LOVE YOU!!!!!!!!!!!!!!!!!!!!!!!!

  9. Oh my God!!!
    Thank you James! Really!!
    I must invite you some day 🙂

  10. Thank you!!Thank you!!Thank you!!

    I could treat you if you were nearby 😉

  11. Thanks!
    I added this to the sites custom host headers (IIS Manager) and it worked great.

  12. THANK YOU!!! I had been searching for the solution to this problem for ages, and finally found it!! You saved me so much time & more frustration! THANK YOU THANK YOU

  13. Thank you very much!
    It solved my problem

  14. Thank you!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

  15. Yeps ! Thanxz !


  16. I tried this and it worked: session_cache_limiter (‘private, must-revalidate’);

  17. Like others , many thanks.

  18. Thank you so much! the header thing really really saved me from trying probably a ton of work arounds!!!!!!

  19. Thank you so much for taking the time to share this piece of information. I had a deadline today and you saved the day, and my life I think. Thanks for all that you do!!!!

  20. this just saved my rear! thanks

  21. thank you that’s great, and this page is the first one when you search google for: “php session explorer”.

  22. If you ever would like to have a beer, take a plane over to Stavanger, Norway, and I’ll buy you 🙂
    Thanks man!

  23. Thanks James,

    This was a real life-saver.

  24. Thanks, you just saved me a ton of work!

  25. Thanks a lot…..
    I tried it on local for framed site and it worked fine.
    Thanks a lot once agian..

  26. thanks a lot…

  27. Hi,

    Thank’s a lot for the help!! It helped me along the way. Since we use .NET we couldn’t use the exact same solution, but i found another solution that works with .NET:


  28. Thanks a lot…
    at last this issue is fixed !
    (i hate IE)

  29. Thank you for your post. You save my life!! I waste 5 hours trying to solve this problem. Thankyou very much!

  30. Man! You’re my hero! you saved me!!!!

  31. Sergio Nate

    Thank you a lot!
    Your effort to share this info saved me from days of research.

  32. Unbeleivable ! Off and on for 3 or 4 days I have been struggling with this. I could not find and p3p info that helped me or forced me to read volumes of info. I simply wanted my session cookie to be readable when my site is loaded in an iFrame — how our partners license our product.

    Isak’s link pointed me to the solution for my .net app.

    Thank you !!

  33. Use this!

  34. Thanks for posting your solution! This was a real nightmare before I found this page. :o)

  35. Hello,

    I am a complete novice regarding the use of session cookies of a website loaded in an iFrame. Actually to everything that has to do with programming (I’m more of a designer). I think that I came across the same problem as you guys and since I lack the experience I could really use some directions, here goes..

    At the moment I’ve got a page that is loading different pages(from other websites, not owned by me) through iFrames. Now, I’d like the user visiting my site to receive cookies from those
    ‘3rd’ party sites loaded within the iFrames.

    I’m also not sure if the code suggested will work in my situation, hopefully it does! Good to have read it worked
    for you guys though.

    My main question therefore is, where does that snippet of code go? I’ve got a simple .html page with iFrames, but it doesn’t work no matter where I put the code.

    Perhaps I need a different type of page, or is there a way around this or am I missing some vital coding?

    I’ve done some fair research and came across some programs that can generate a compact policy for me fit for my page’s purpose. Also I read that I have to configure my server for p3p. Is this all nesecairy? And if so, could someone bring up the patience and time to explain how?

    I hope you can help me with this problem.

    Kindest regards,


  36. Dimith de Alwis

    Many thanks.. Amazing! Solved the problem for me and saved my project..

  37. I’ll add my voice to the chorus of thanks.

    Worth noting that my problem was actually relating to URL forwarding, which makes use of frames (I think). My session-reliant login system failed utterly under IE but worked on Firefox, until I added the new header. Worked like magic.


  38. People have been banging thier heads over this problem for the last couple of days…

    Thanks for posting up such concise explanation and solution.

    Isn’t the the internet great?

  39. Man, you rock.. I was going nuts figuring out why sessions don’t work in IE but they do in firefox. Adding just header(‘P3P: CP=”CAO PSA OUR”‘); to top of code got it going.. Great… Thanks a bunch.

  40. thanks alot for this fix, saved my bacon

  41. Thanks a ton for that fix!

  42. Hmmm…I don’t usually comment on a 3-year old post, but it seems that people are still finding this (I did).

    The problem is not just on IE, and using the P3P header won’t necessarily fix this on IE.

    On Firefox, you will get the same problem if the user blocks 3rd-party cookies. On IE, you will get the problem. even with the compact privacy policy, if the user blocks all 3rd-party cookies (requires using the Advanced option on the Privacy tab).

    I’m still hunting for a solution.

  43. Thanks man! You are the one!

  44. Thanks man, this post almost saved my life, I’m starting to love you! 😛

  45. Craig James

    Let me add to the chorus: Thank You! There are still copies of IE6 floating around out there, and a major customer is using them. Your post saved me a lot of time.


    Just paste it on the first php file that is called by the iframe

Leave a Comment

NOTE - You can use these HTML tags and attributes:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>