Strange behavior with popups in IE inside an iframe

We're having a very unusual situation. Here is the scenario:

1. Page is designed to be viewed by users who are not logged in.
2. If they try to do some things on the page, a Popup Editor is used to bring up a login page. The "On Notify" of the Popup Editor then takes the necessary actions.
3. The server is behind a load balancer, which uses a session system to refer requests from the same client to the same server.

When this page is brought up by itself in IE, it works fine, even in our Production environment. When the page is put inside an iframe (its intended use: we are giving our users the ability to embed the page into their own Web sites) and the page with the iframe is saved to a local file and opened in IE, it works fine. When that file is put on a remote server, it does NOT work right. In fact, I have confirmed that every popup on this page is treated as an entirely separate session by IE on this page when opened in an iframe on a remote Web server, and that these problems do not seem to exist when the iframe points to our Dev server instead of the Production Web server.

Any thoughts? Is this a bug in Popup Editor? I think it is. I get the very strong feeling that it needs to be adding the Session Id to the popup screen to ensure that it stays in the same session. If not, what is my workaround? So far, I have three ideas:

1. Make a system to create temporary login tokens: the popup gets a random, 25 character token value which says "this is who logged in" and sends it through the Popup Notify; the parent page receives that, looks up the user, performs a Login against the user, deletes the token, and does the necessary work. Is there a potential security issue here?

2. Stop using the popups, and redirect the user to a login screen, then return them to the intended page after login.

3. Find a way to manually pass the session details around. I could do the login, pass the session ID back in the Popup Notify, and then combine GetBookmarkableURL() and the received session ID to reload the parent page with the logged in session token.
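On the security question in idea 1, the properties that matter are that the token comes from a CSPRNG, is short-lived, can be redeemed only once, and is stored server-side only as a hash. The sketch below is an added example, not code from this thread or from OutSystems; the function names, the in-memory `Map` and the 60-second lifetime are assumptions for illustration.

```javascript
// Added example: one-time login token store (all names are hypothetical).
const crypto = require("node:crypto");

const TOKEN_LEN = 25;        // token length taken from the post
const TTL_MS = 60 * 1000;    // assumed lifetime: 60 seconds
// Look-alike characters (I, O, l, 0, 1) are left out of the alphabet.
const ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789";

// sha256(token) -> { userId, expiresAt }; the raw token is never stored.
const pending = new Map();

const digest = (token) =>
  crypto.createHash("sha256").update(token).digest("hex");

// Called by the popup's server-side action after the credentials are verified.
function issueLoginToken(userId, now = Date.now()) {
  let token = "";
  for (let i = 0; i < TOKEN_LEN; i++) {
    // crypto.randomInt draws from the CSPRNG without modulo bias.
    token += ALPHABET[crypto.randomInt(ALPHABET.length)];
  }
  pending.set(digest(token), { userId, expiresAt: now + TTL_MS });
  return token;
}

// Called by the parent page's server-side action with the value received
// through the popup notification. Returns the userId to log in, or null.
function redeemLoginToken(token, now = Date.now()) {
  if (typeof token !== "string" || token.length !== TOKEN_LEN) return null;
  const key = digest(token);
  const entry = pending.get(key);
  if (!entry) return null;               // unknown or already used
  pending.delete(key);                   // single use: burn it before anything else
  if (now > entry.expiresAt) return null; // expired tokens are rejected
  return entry.userId;
}

// Periodic cleanup of tokens that were issued but never redeemed.
function purgeExpired(now = Date.now()) {
  let removed = 0;
  for (const [key, entry] of pending) {
    if (now > entry.expiresAt) { pending.delete(key); removed++; }
  }
  return removed;
}
```

Behind the load balancer described above, the `Map` would have to be a store shared by all servers, since the popup and the parent page may land on different ones. The token should travel only over HTTPS and be kept out of URLs and logs.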


Hi J.Ja,

In the order I'd check:

1. IE9 tends to show internal webpages in the "Compatibility mode".
This is an issue we've had.

2. An internal proxy server (might be an issue)

3. A caching server (perhaps NGINX is placed after the Platform server?)

4. The Firewall / Popup blocker etc. system might think of the popup as some kind of cross-site-script since it's in an iFrame.
By the way; I reported an issue of the popup showing restricted to the width of the iFrame. OutSystems support told me it was 'working as designed'. Sounding a bit like: "It's not a bug; it's a feature". No changes / reports to R&D done though. :(

It turns out (BIG THANKS to Acacio at OutSystems support!) that the issue was that we weren't using a P3P policy, so IE's privacy settings were blocking the cookies. Lesson learned!

Hi Justin,
Thank you for sharing the explanation given by Acácio.
I'm sure that this information will be very useful in the future for some community members.

Kind Regards,
Gonçalo M.

Thanks for sharing that outcome!