A few days ago, our QA team was testing a web site and found a bug, so they informed me that my page was not working properly. I went over to their desk and found that my page was not setting a cookie on the QA's PC (which was running Windows Vista). I thought it might be some error in my code and tried to figure it out, but I found that the same page was setting the cookie on other machines. Then I thought it might be a security issue, and that is how I came to know about the Cookie Compact Privacy Policy.
What is the Cookie Compact Policy?
The Cookie Compact Privacy Policy (also known as P3P) is a way to tell the browser about a web site's cookie policy. The policy describes what type of data the web site keeps in the cookie, how it uses this data, how long it keeps the data in the cookie, etc. A cookie compact policy looks like this:
IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA
Each three-character token here has an explanation that can be found here. You have a few options for setting this cookie policy. You can set it from your ASP.NET page by adding the following tag to your page's header section (usually in the master page).
<meta http-equiv="P3P" content='CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"'>
So all you need now is to define the cookie policy for your company. You can define the cookie policy by going through the definitions from here. Be sure your cookie policy reflects your real purpose. Say you collect personal data but your cookie policy doesn't specify that; then you are violating your own cookie policy, for which you may be charged (but I'm not sure how). You can find a few Compact Policy builders. With these tools, you can build a P3P policy.
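To check that a compact policy says what you intend before shipping it, the tokens can be decoded and grouped. The following is an added example, not code from the original article: the token table was typed in from the P3P 1.0 specification and should be verified against it, and the function names, the suffix handling and the "expected groups" check are assumptions of this example.

```python
import re

# Token vocabulary typed in from the W3C P3P 1.0 compact policy section for
# this example; check it against the specification before relying on it.
VOCAB = {
    "access": "NOI ALL CAO IDC OTI NON",
    "disputes": "DSP",
    "remedies": "COR MON LAW",
    "non-identifiable": "NID",
    "purpose": "CUR ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP",
    "recipient": "OUR DEL SAM UNR PUB OTR",
    "retention": "NOR STP LEG BUS IND",
    "category": "PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV OTC",
    "test": "TST",
}
TOKEN_GROUP = {tok: grp for grp, toks in VOCAB.items() for tok in toks.split()}
CONSENT = {"a": "always", "i": "opt-in", "o": "opt-out"}
# Assumption: accept a consent suffix on any purpose or recipient token.
SUFFIX_OK = {"purpose", "recipient"}
# Review heuristic of this example, not a rule quoted from the specification.
EXPECTED = ("access", "purpose", "recipient", "retention")

def extract_cp(value):
    """Return the text inside CP="..." from a P3P header or meta content value."""
    m = re.search(r'CP\s*=\s*"([^"]*)"', value)
    return m.group(1) if m else None

def parse_compact_policy(cp):
    """Group tokens by meaning; return (groups, problems)."""
    groups, problems = {}, []
    for raw in cp.split():
        base, suffix = raw, None
        if len(raw) == 4 and raw[3] in CONSENT:
            base, suffix = raw[:3], raw[3]
        grp = TOKEN_GROUP.get(base)
        if grp is None:
            problems.append(f"unknown token {raw}")
            continue
        if suffix and grp not in SUFFIX_OK:
            problems.append(f"{raw}: consent suffix not allowed on {grp} token")
            continue
        groups.setdefault(grp, []).append((base, CONSENT.get(suffix)))
    for required in EXPECTED:
        if required not in groups:
            problems.append(f"no {required} token")
    return groups, problems

SAMPLE = 'CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"'  # policy shown above
if __name__ == "__main__":
    print(parse_compact_policy(extract_cp(SAMPLE)))
```

Reading the grouped output next to what the site actually stores in its cookies makes a mismatch between declared and real data use easy to spot.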
So now you can decide whether you need to be concerned about the P3P policy. If the users who will visit your site are under heavy security settings (as enterprise users usually are), then there's a probability that your cookie will not work without a P3P Compact Policy. So if you are developing your site for enterprise/business users who will use it for business applications, you should use a Cookie Compact Policy. For web sites targeted at public users, you may not need to care about the cookie policy. But it's always better to add the P3P header to ensure your cookie works under browser protected mode.
How to Find Cookie Compact Policy Related Settings in Internet Explorer?
If you go to Internet Explorer > Tools > Internet Options > Privacy, you will find an option for how Internet Explorer handles cookies, as shown below:
If a cookie from any site is blocked for any reason (most probably due to the absence of a P3P header), you will find the following icon in the IE status bar.
Double-clicking on the red icon gives you a full report of the blocked cookie. Clicking on the red eye, you will find a report as shown below:
So make the best and proper use of cookies in your site to make it as compatible with browsers as possible.