Wednesday, October 14, 2009

Make Standard use of Cookie with Cookie Compact Privacy Policy (P3P)

A few days ago our QA team was testing a web site and found a bug. They informed me that my page was not working properly. So I went over to their desk and found that my page was not setting a cookie on the QA PC (which was running Windows Vista). I thought it might be some error in my code, so I tried to figure it out, but I found that the same page was setting the cookie on other machines. Then I thought it might be a security issue, and that is how I came to know about the Cookie Compact Privacy Policy.


What is Cookie Compact Policy?

Cookie Compact Privacy Policy (also known as a P3P compact policy) is a way to tell the browser about a web site's cookie policy. The policy describes what type of data the web site keeps in the cookie, how it uses that data, how long it keeps the data in the cookie, and so on. A compact policy looks like:

IDC DSP COR CURa ADMa  OUR IND PHY ONL COM STA

Each three-character token in the string has a defined meaning; the explanations can be found here. There are a few options for setting this cookie policy. You can set it from your ASP.NET page by adding the following tag in the page's head section (usually in the master page):

<meta http-equiv="P3P" content='CP="IDC DSP COR CURa ADMa  OUR IND PHY ONL COM STA"'>

So all you need now is to define the cookie policy for your company. You can define it by going through the definitions here. Be sure your cookie policy reflects your real practices: if you collect personal data but your compact policy doesn't say so, you are violating your own stated policy, for which you may be charged (but I'm not sure how). There are also a few Compact Policy builders available; with these tools you can build a P3P policy.
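As an added example (not code from this post), a small Python script that checks a compact policy string against the P3P token groups, builds the P3P header value from it, and reads the policy back out of a raw HTTP response so you can confirm what your server actually sends; the token lists are the P3P 1.0 compact-policy tokens, and the sample response is constructed.

```python
import re
# P3P compact-policy token groups, taken from the P3P 1.0 compact-policy grammar.
ACCESS = {"NOI", "ALL", "CAO", "IDC", "OTI"}
DISPUTES, REMEDIES, NONIDENT, TEST = {"DSP"}, {"COR", "MON", "LAW"}, {"NID"}, {"TST"}
PURPOSES = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP"}
RECIPIENTS = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
RETENTION = {"NOR", "STP", "LEG", "BUS", "IND"}
CATEGORIES = {"PHY", "ONL", "GOV", "FIN", "SAP", "UNI", "PUR", "COM", "NAV", "INT",
              "DEM", "CNT", "STA", "POL", "HEA", "PRE", "LOC", "OTC"}
GROUPS = {"access": ACCESS, "disputes": DISPUTES, "remedies": REMEDIES, "nonident": NONIDENT,
          "purpose": PURPOSES, "recipient": RECIPIENTS, "retention": RETENTION, "category": CATEGORIES, "test": TEST}
SUFFIXED = PURPOSES | RECIPIENTS  # only these take the a/i/o (always / opt-in / opt-out) suffix

def classify(cp):
    """Sort the tokens of a compact policy into their groups; bad tokens go to 'unknown'."""
    out = {**{name: [] for name in GROUPS}, "unknown": []}
    for tok in cp.split():
        base, suffix = tok[:3].upper(), tok[3:]
        group = next((g for g, toks in GROUPS.items() if base in toks), None)
        ok_suffix = suffix == "" or (base in SUFFIXED and suffix in ("a", "i", "o"))
        out[group if group and ok_suffix else "unknown"].append(tok)
    return out

def problems(cp):
    """List the reasons a policy is not a usable compact policy (empty list if it is)."""
    groups = classify(cp)
    issues = ["unknown token: " + t for t in groups["unknown"]]
    if not groups["access"]:
        issues.append("no access token (one of NOI ALL CAO IDC OTI is required)")
    if not groups["nonident"]:  # identifiable data needs all four statement parts
        issues += ["no %s token" % g for g in ("purpose", "recipient", "retention", "category")
                   if not groups[g]]
    return issues

def p3p_header_value(cp):
    """Build the value of the HTTP 'P3P:' header (or the meta tag's content) from a policy."""
    if problems(cp):
        raise ValueError("; ".join(problems(cp)))
    return 'CP="%s"' % " ".join(cp.split())

def cp_from_response(raw):
    """Extract the compact policy from a raw HTTP response's headers; None if no P3P is sent."""
    head = raw.split("\r\n\r\n", 1)[0]
    m = re.search(r'^P3P:\s*.*?CP="([^"]*)"', head, re.IGNORECASE | re.MULTILINE)
    return m.group(1) if m else None

# Constructed sample response (not captured from a real site), as a server would send it.
SAMPLE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
          'P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"\r\n'
          "Set-Cookie: session=abc123; path=/\r\n\r\n<html></html>")
```

The value returned by `p3p_header_value` is the same string that goes into the meta tag above or into an HTTP `P3P:` response header; `cp_from_response` on a captured response tells you whether the header is actually being sent.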

So now you can decide whether you need to be concerned about P3P at all. If the users who visit your site are likely to be under heavy security settings (enterprise users usually are), there is a real chance that your cookie will not work without a P3P compact policy. So if you are developing your site for enterprise/business users who will use it for business applications, you should use a Cookie Compact Policy. For web sites targeted at the general public you may not need to care about the cookie policy, but it is always better to add the P3P header to ensure your cookie works under the browser's protected mode.


How to find Cookie Compact Policy Related settings in IE?

If you go to Internet Explorer > Tools > Internet Options > Privacy, you will find the options for how IE handles cookies, as shown below:


If a site's cookie is blocked for any reason (most probably due to the absence of the P3P header), you will find the following icon in the IE status bar.


Double-clicking the red icon gives you a full report of the blocked cookies. Clicking the red eye shows a report like the one below:


So make proper use of cookies and the compact policy on your site for the best compatibility with browsers.
