Getting cookies values cross domain using jsonp not working for IE

Question

I am having trouble getting cookie information from domain A to domain B, using jsonp. I've got it working for Chrome and Firefox et al., but for IE it does not work. I am doing a jsonp request from domain B to domain A that sets a cookie there through php on domain A and then I do a check for that same cookie from B again. The information in the cookie is then printed to screen (domain A), so that I can pick that up from domain B and set a cookie there that mirrors that information (I am aware of the security risks, I am not trying to sync sensitive information here, just a setting).

So, as said, this is working on FF, Chrome etc. But on IE, I see that only session cookies are returned, which the cookie that I set isn't (and shouldn't be).

Any clue what's wrong here? Or isn't this even possible? I also briefly tried CORS, but that has the same problem.

I have the following test setup:

Domain A: (central domain)

login.php

<?php 
//below line solves the problem. See accepted answer
header('P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"');
setcookie("loggedin","5",time()+3600);
echo 1;

check.php

<?php
//below line solves the problem. See accepted answer
header('P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"');
$cookies = implode('; ', array_map(function ($v, $k) { return $k . '=' . $v; }, $_COOKIE, array_keys($_COOKIE)));

if(isset($_COOKIE['loggedin'])&&($_COOKIE['loggedin'] == "5")) {
        echo "alert('logged in, ".$cookies."');";
} else {
        echo "alert('not logged in, ".$cookies."');";
}

Domain B:

jsonp.html

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
        <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js"></script>
</head>
<body>
<h1>hi!</h1>
<script>
        jQuery.ajax({
                url: 'http://cookies.hidev.nl/login.php',
                dataType: 'jsonp',
                type: "get",
        });
        //note: first call will set the cookie, next succeeds only after reload due to async loading. This is only for test purposes
        jQuery.ajax({
                url: 'http://cookies.hidev.nl/check.php',
                dataType: 'jsonp',
                type: "get"
        });

</script>
</body>
</html>

Answer 1

In the end, this all came down to adding a p3p policy header to the scripts. For that I used the p3p hack used by facebook:

header('P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"'); 

An important thing to note is that I thought a P3P gave you access to cookies on another domain. That is not entirely true. You only have access to cookies that are also set with a P3P header. My live setup is a little more complex, and in some cases the cookies were set on domain A without a P3P and not via a secondary domain (like B in my example). In this case, I could not read the cookies from domain B.

I changed the example above to reflect the solution. Of course, change the text to something appropriate, and make sure you don't accidentially use words that are equivalent to the compact codes (e.g. LAW, NON etc.).

In my case I can do this, as we are only storing information client side, and we do not even know what it is ourselves. We are not storing any data.