Frame Based "redirects" and IE with Cookies

If you have a frame based redirect, and the content of the frame tries to set a cookie, a lot of the time IE will block the cookie. This is because IE uses P3P in order to tell if it should be allowed to set the cookie or not, so unless you set the P3P header IE will reject the cookie, and then any session based activity with in the site will stop functioning.

The solution, it turns out, is to serve a compact P3P policy in the headers returned, which can easily be added by apache's mod_headers with a simple line in the apache config:

Header add P3P 'CP="OURa"'

This basically states "Cookies from this domain are only used for our purposes, but you need to always accept them", which is perfectly valid for session cookies that aren't being logged anywhere.

For further information on the P3P specification see the W3 P3P pages.