Just when you think you’ve seen every frustrating browser issue a webmaster can hope to be frustrated by… another is sure to come along.
The site uses HTML hosted on a virtual domain at EarthLink and database data coming from phpwebhosting.com, all married together in a frameset. Login authentication is handled via PHP sessions.
So why weren’t any logins working from IE6? This one took quite a while to figure out.
First of all, PHP sessions are really just a simplified wrapper for a specialized form of cookie. So start with the realization that cookies aren’t getting planted even though cookies are enabled in the browser.
IE6 has a cookie tolerance slider that defaults to Medium. On the Medium setting,
Finally, I find the deployment answer in a PHP forum. It turns out that this problem affects my site only because it pulls data from two different sources. A user at php.net writes:
“MSIE 6 has an inaccurate definition of third party cookies. If your domain is hosted on one server and your PHP stuff is on another, the IE6 P3P implementation considers any cookies sent from the second machine “third party”. Third party cookies will be blocked automatically in most privacy settings if not accompanied by what MS considers “an appropriate Compact Policy”. In order to make this new piece of tweakable garbage happy I’d suggest you’d par exemple send
header('P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"');
before sending your cookie from your second machine. This header enables your cookie to survive any privacy setting.”
So in the end I went to privacycouncil.com and filled out the wizard, which generated a CPC similar to the one above, and started spitting it back to the browser from the top of the site’s authentication code.
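One way to wire this into the top of the authentication code on the PHP host, as an added example that is not code from this site or from the quoted php.net comment. The helper name start_framed_session is hypothetical, and the policy string is the one quoted above, standing in for whatever the wizard generates for your own site.

```php
<?php
// Added example, not from the original post. Meant to run first in the
// authentication script on the second (PHP) host, before any output.

// Compact Policy quoted in the post; substitute the one generated for your site.
const P3P_COMPACT_POLICY = 'NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM';

/**
 * Hypothetical helper: send the P3P header, then start the session, so the
 * session cookie and the compact policy travel in the same response.
 */
function start_framed_session(string $policy = P3P_COMPACT_POLICY): void
{
    // Once any output has been sent, header() only raises a warning and the
    // cookie goes out without a policy. Detect that and report where output began.
    if (headers_sent($file, $line)) {
        throw new RuntimeException(
            "Cannot send P3P header: output already started at $file:$line"
        );
    }

    // Compact policy tokens are letters separated by spaces; reject anything
    // else so the value cannot break out of the quoted header field.
    if (!preg_match('/^[A-Za-z ]+$/', $policy)) {
        throw new InvalidArgumentException('Compact policy must be space-separated tokens');
    }

    header('P3P: CP="' . $policy . '"');

    // Start the session only after the policy header has been queued.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

start_framed_session();
```

Stray whitespace or a byte-order mark before the opening `<?php` tag counts as output, which is the usual reason the header never reaches the browser.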