Sunday, 15 September 2013

security - IE 11 first-party session cookies being lost in iframe

We have a site (www.example.com) that sends users off to a series of 3rd party pages to verify their payment details, in an iframe. Initially, a local page on www.example.com is loaded in the iframe, and then the user is redirected to the 3rd party URL. Once the 3rd party steps have been completed by the user, they are 302 redirected to a page on our site (www.example.com) within the iframe.

This works in all browsers we've tested except IE 11, where our cookies appear to be lost. I have checked under both Windows 7 and 8.1, in both desktop and "metro" modes, and the problem occurs across all versions.

When the user browses our site we set a session cookie, which is correctly sent to the first-party page loaded in the iframe. Once the user has gone through the third-party pages in the iframe, however, the session cookie isn't sent with the next request.

If I set IE 11's privacy setting to the lowest value, the issue disappears and things work as expected.

All the potential solutions I've turned up so far have related to P3P headers. We have a valid and correct P3P header and XML policy file set up, and the problem still occurs in IE 11.

Update: We have a few other cookies set using JS. These are persisting as expected. The differences are the expiry date (1 year for the JS cookies, 1 month for the session cookie), the domain (explicitly "example.com" for the JS cookies, empty for the session cookie) and whether they are "HTTP only" (false for the JS cookies, true for the session cookie).

I have tried setting all of these options on the session cookie to match the JS cookies, but it made no difference.

Update 2: After more testing I have been unable to create a test case that recreates the problem. Additional cookies I try setting in the live code also appear broken, even if set with the same code as the JS cookies, which do work. In short; I've not yet found a pattern for which cookies work and which don't.

One potentially interesting thing to note is that the cookies aren't being deleted, they're just not being sent with the final request. If the page is reloaded, the cookies magically reappear and are sent; this leads me to believe the bug is something surrounding iframes and P3P.

Update 3 (day 3): IE 11's handling of cookies continues to confound me. The further I travel into Microsoft's labyrinth the more lost I become amongst its shifting walls. And there are ghosts in here. Fragments of half-dreamt security policies have woven themselves into an ethereal creature, which tracks and taunts me at every move. At first I was frozen, terrified, aghast at the barely fathomable form darting out of sight, but with every passing hour I gather more comfort from the mere knowledge of its proximity. Is this the beast I have been sent here to confront? Or how does one slay a companion in such times?
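The attribute comparison the asker performed in the first update (expiry, Domain, HttpOnly) is the kind of check that is easier to read off a table than from raw headers. The following Python helper is an added example, not code from the original question: it parses the Set-Cookie headers of a response, notes whether a P3P compact-policy header accompanies them, and reports which attributes differ between the cookies. The response headers and the P3P compact policy value are constructed placeholders, not captured from the asker's site.

```python
"""Tabulate Set-Cookie attributes from an HTTP response and spot differences.

Added example (not from the original question). Given the response headers
as (name, value) pairs, parse every Set-Cookie header into its attributes,
record whether a P3P header is present, and list the attributes that are not
uniform across cookies. All sample data below is constructed.
"""
from email.utils import parsedate_to_datetime

ATTRS = ("domain", "path", "secure", "httponly", "expires", "max_age")


def parse_set_cookie(header_value):
    """Parse one Set-Cookie header value into a dict of name, value, attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "domain": None,
              "path": None, "expires": None, "max_age": None,
              "secure": False, "httponly": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain":
            # A leading dot is ignored by modern cookie handling; normalise it away.
            cookie["domain"] = val.lstrip(".").lower() or None
        elif key == "path":
            cookie["path"] = val
        elif key == "expires":
            try:
                cookie["expires"] = parsedate_to_datetime(val)
            except (TypeError, ValueError):  # unparseable date: treat as absent
                cookie["expires"] = None
        elif key == "max-age":
            cookie["max_age"] = int(val) if val.lstrip("-").isdigit() else None
        elif key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
    return cookie


def cookie_report(headers):
    """Summarise cookies, P3P presence and attribute differences for a response.

    headers: list of (name, value) pairs as read from an HTTP response.
    """
    cookies = [parse_set_cookie(v) for n, v in headers if n.lower() == "set-cookie"]
    p3p = next((v for n, v in headers if n.lower() == "p3p"), None)
    # An attribute "differs" when the cookies do not all share the same value.
    differing = [a for a in ATTRS if len({c[a] for c in cookies}) > 1]
    return {"cookies": cookies, "p3p": p3p, "differing": differing}


# Constructed sample response: a server-set session cookie (1 month, HttpOnly,
# no Domain) beside a JS-style persistent cookie (1 year, explicit Domain),
# mirroring the differences described in the question. The P3P value is a
# placeholder, not a real compact policy.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("P3P", 'CP="PLACEHOLDER-COMPACT-POLICY"'),
    ("Set-Cookie", "SESSIONID=abc123; Path=/; HttpOnly; "
                   "Expires=Tue, 15 Oct 2013 12:00:00 GMT"),
    ("Set-Cookie", "jsprefs=dark; Domain=example.com; Path=/; "
                   "Expires=Mon, 15 Sep 2014 12:00:00 GMT"),
]

if __name__ == "__main__":
    report = cookie_report(SAMPLE_HEADERS)
    print("P3P header present:", report["p3p"] is not None)
    for c in report["cookies"]:
        print(c["name"], {a: c[a] for a in ATTRS})
    print("attributes differing between cookies:", report["differing"])
```

Feeding the tool the headers of the page that first loads in the iframe and of the page reached after the 302 redirect makes the asker's "which cookies survive" comparison mechanical, and the P3P presence check confirms the compact policy header is actually emitted on every response in the chain rather than only on the main site.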

It's a bit hard to reproduce the issue. I imagine the issue has to do with:

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx or http://social.msdn.microsoft.com/forums/ie/en-us/dfe23464-e4bc-4892-9044-ff76deba03ba/internet-explorer-blocks-iframe-cookies?forum=iewebdevelopment

security internet-explorer iframe cookies cross-domain
