SSL, P3P & Cookies.

[Matt Smith]

Please oh please oh please can someone with some P3P knowledge help me out?

I'm aware that this isn't strictly an ASP or IIS issue but the SSL groups
listed on my news server appear abandoned and since I've been coming to
these groups I'm sure I've seen many people ask and answer SSL related
questions. So here goes:

I've recently had a shared SSL enabled for my site to use, but am having
enormous difficulty in incorporating it into my program.
Having found that IE was blocking my cookies, I set about creating a P3P
compatible privacy policy using the IBM policy creator
([url]http://www.alphaworks.ibm.com/tech/p3peditor[/url]). Uploaded the generated
policy and associated written documents to the unsecure area of my website.
Linked the policy to my data gathering page with a <LINK rel="P3Pv1"
href=http://etc../p3p.xml>. Got a Compact Policy, haven't a clue what to do
with it :(
The results are not satisfactory.

Page in SSL location loads, attempts to use Session variables, which I
assume attempts to store a temporary cookie. IE shows an eye and no-entry
sign privacy report. Privacy report says that one or more cookies was
blocked and names it. Summary report gets the relevant P3P policy (i think).
The policy includes methods that i thought would enable cookie usage:
Policy 1 contains a <STATEMENT> tag specifying:
<DATA-GROUP>
<DATA ref="#dynamic.cookies"><CATEGORIES><state/></CATEGORIES></DATA>
</DATA GROUP>

and P3P.xml (located in root of non-secure url, pointed at by page in secure
url.) contains a <POLICY-REFERENCES> tag specifying:
<POLICY-REF about="policy1.xml">
<INCLUDE>/*</INCLUDE>
<COOKIE-INCLUDE/>
</POLICY-REF>
also tried specifying <COOKIE-INCLUDE name="*" value="*" domain="*"
path="*"/>
Result: No change. Tried all kinds of things with that CP string. No
noticable changes so shan't list attempts. If you know how to use it (in
html or asp) please advise me.

Does anyone know how to make my site use its cookies? !!!

Many thanks to anyone who tries ;)

Matt Smith

[Matt Smith]

For anyone reading this and thinking "That's my problem too. Why did no one
answer him and was it ever solved?"

That CP string I didn't know what to do with gets put in an HTTP header.
(Fair enough. Everyone tells you that.)

Response.AddHeader "P3P", """CP=put that cp string here""
policyref=""http://www.location of p3p.xml"""

<POLICY-REF about="policy1.xml">
Needs a # indicated reference to
<POLICY name="Policy_Name" etc>
in Policy1.xml
e.g
<POLICY-REF about="policy1.xml#Policy_Name">
Thanks to the P3P validator for it's most unhelpful error messages on that.

Most importantly:
I.E 6 blocks cookies that are considered 'unsatisfactory'. Basically this
means "where the purpose/recipient token does not contain the optional
attribute, "i" or "o." "
([url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpriv/htm[/url]
l/ie6privacyfeature.asp). This document is the pitfall. If you're
experiencing troubles like this with IE. Read it carefully.

Matt Smith
P.S I'm off to model some voodoo dolls of W3C promoters and stick them on
the barbeque.