View Full Version : Cookie problem when framing a secure page on an insecure page

04-24-2006, 08:05 PM
A third party website, non-ssl, is trying to create a page that frames my website, https://www.duat.com, but the session cookie that I generate when the user logs in is getting lost. This appears to be an IE-specific problem, Firefox doesn't have a problem with the cookie. Is there something IE-specific about a non-SSL site hosting a frames page that includes an SSL site? Additional info: if "https://www.duat.com" is added to IEs trusted sites list the problem goes away. Also, the problem goes away if the secured site hosts the frames page, instead of the non-secure site hosts it.

04-24-2006, 08:32 PM
Is it an option for you to use a frame buster? In other words, use javascript to break out of any frames that an external site wraps around your site? The code is out there and widely available, if that is useful to you.

04-24-2006, 08:49 PM
We actually had code in our HTTPS site to keep 3rd parties from framing our site, but we removed it because we WANT this 3rd party to frame us. The problem is that when they do frame us the session cookie we generate doesn't work, or something about the browser is not using the cookie as it should.

04-24-2006, 08:56 PM
I see. Bummer. Give this a shot: http://support.microsoft.com/default.aspx?scid=kb;en-us;323752