Help! IE6 Is Blocking My Cookies
How Do I P3P Enable My Web Site and Use Compact Policies?
In Web Privacy with P3P I describe the process of P3P-enabling a Web site in seven steps. Here is a summary of this process:
I P3P-Enabled My Site, But My Cookies are Still Being Blocked by IE6
There are several reasons why this may happen. It may take a little detective work to solve the problem, but usually it is solvable.
Most often, the problem is that the Web server is not actually issuing the P3P compact policy with the set-cookie responses. In some cases, it may be issuing the compact policy with some set-cookie responses, but not with others. You can use the W3C P3P Validator to check whether the compact policy is being issued. Fixing this problem depends on your particular server and how the cookie is being set.
Sometimes the problem is that the compact policy is not syntactically correct. This is easily checked with the W3C P3P Validator.
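A local check for the two problems above, as an added example that is not from the original article: it reads captured response headers and reports any response that sets a cookie without a P3P header, or whose compact policy tokens are malformed. The sample responses and their paths are constructed, and the token test is only a loose shape check, not a substitute for the W3C P3P Validator.

```python
import re
from email.parser import Parser

# Loose shape check (assumption of this example): a compact-policy token is
# three upper-case letters, optionally followed by a one-letter a/i/o suffix.
TOKEN_SHAPE = re.compile(r"^[A-Z]{3}[aio]?$")
CP_FIELD = re.compile(r'CP\s*=\s*"([^"]*)"')

def audit_response(raw):
    """Return a list of problems found in one raw HTTP response head."""
    _status_line, _, header_block = raw.partition("\r\n")
    headers = Parser().parsestr(header_block, headersonly=True)
    cookies = headers.get_all("Set-Cookie") or []
    if not cookies:
        return []  # no cookie set, so there is nothing for IE6 to evaluate
    p3p = headers.get("P3P")
    if p3p is None:
        return ["sets %d cookie(s) but sends no P3P header" % len(cookies)]
    match = CP_FIELD.search(p3p)
    if match is None:
        return ['P3P header has no CP="..." compact policy']
    tokens = match.group(1).split()
    if not tokens:
        return ["compact policy is empty"]
    bad = [t for t in tokens if not TOKEN_SHAPE.match(t)]
    if bad:
        return ["malformed compact policy token(s): " + ", ".join(bad)]
    return []

def audit_all(responses):
    """Map each path to its problems, keeping only paths that have any."""
    results = {path: audit_response(raw) for path, raw in responses.items()}
    return {path: problems for path, problems in results.items() if problems}

# Constructed sample responses (hypothetical paths and cookie values).
SAMPLES = {
    "/login": 'HTTP/1.1 200 OK\r\nSet-Cookie: sid=abc; path=/\r\n'
              'P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa OUR NOR"\r\n\r\n',
    "/track": "HTTP/1.1 200 OK\r\nSet-Cookie: uid=42; path=/\r\n\r\n",
    "/ads":   'HTTP/1.1 200 OK\r\nSet-Cookie: ad=7; path=/\r\n'
              'P3P: CP="NOI dsp CURRENT"\r\n\r\n',
    "/help":  "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}

if __name__ == "__main__":
    for path, problems in sorted(audit_all(SAMPLES).items()):
        print(path, "->", "; ".join(problems))
```

Running the same check against every URL that sets a cookie catches the case where the compact policy accompanies some set-cookie responses but not others.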
In other cases, the compact policy is correct, but it does not meet IE6's qualifications as a satisfactory policy. The P3P Policy Editor provides information about whether a compact policy is considered satisfactory. Some of the Web-based compact policy tools listed on the W3C Web site also provide this information. If your compact policy is not satisfactory, you may need to change your site's data practices. Generally, this involves providing a way for users to opt out of having their data used in certain ways.
Sometimes cookies are blocked only when users change the IE6 default cookie settings. In this case, a user has selected more stringent criteria for cookie blocking. Again, you can change your practices to meet these criteria. However, this is not always possible. You should make sure your applications at least fail gracefully in cases where your cookies are blocked. Ideally, your applications will be able to operate (at least partially) without cookies, or they will notify the user that cookies are required and provide instructions for overriding the blocking.
I have seen a few cases where P3P-enabling a site solves the cookie-blocking problem, but the developer who is testing the site doesn't realize this, because their browser has stored old cookies that are still being blocked. If all else fails, try removing your site's cookies from your computer (or even deleting all of your cookies) and restarting your browser to see whether the new cookies are still being blocked.
My Cookies Aren't Being Blocked, But Users are Not Able to View an IE6 Privacy Report for My Site
Usually this occurs when a site has not been properly P3P-enabled. In order for a privacy report to display, the site must be properly P3P-enabled with a full P3P policy and policy reference file. The first thing you should do is use the W3C Validator to make sure there are no syntax errors in these files and verify that they have been placed in the proper location on your Web server. If the Privacy Report is available from some pages on your site but not others, then you probably have a problem with your policy reference file. Chapter 8, "Creating and Referencing Policy Reference Files," of Web Privacy with P3P gives detailed information about policy reference files.
O'Reilly & Associates recently released (September 2002) Web Privacy with P3P.
Lorrie Faith Cranor is an Associate Research Professor in the School of Computer Science and in the Engineering and Public Policy Department at Carnegie Mellon University. She is director of the CMU Usable Privacy and Security Laboratory (CUPS). She came to CMU in December 2003 after seven years at AT&T Labs-Research.