CCaptcha + IE + Cookies

Hi all,

right now I’ve trouble with getting CCaptcha working in Internet Explorer 8 (but it shows my problem is not limited to this browser in principle).

My setup is the following (given, cannot be changed):

domain A: some html with contact form of domain B embedded in "deprecated" <iframe> structure

domain B: yii instance providing contact form with CCaptcha (like in blog demo)

Most default browser preferences (Firefox, Chrome, Safari) will not cause trouble with this setup. But with IE8 the entered (correct!) verifyCode is rejected. Only after it is once loaded with the “Get a new code” link the code will be accepted. Basically the problem seems to be that CCaptcha is using a client-side cookie(?). In the given setup the browser has to deal with a third-party cookie (client visits domain A, domain B wants to place the cookie). If I change the preferences in IE8 accordingly to accept all kinds of cookies there isn’t any problem any longer. Also, if I call the contact form directly from domain B, this is working as expected.

I would appreciate very much any ideas to overcome this problem!


Maybe configure the CHttpRequest component in your config/main.php file and set the cookie domain/prefix/expiration etc for your yii app ?

Also, i know that, IE hates having underscores in the cookie name, so try to avoid that too.

Btw, it doesn’t matter if you load that website via iframe, IE should be able to set the cookie just fine.


  • cookies are client-side, they are stored in the client browser.

  • if you set up your cookie params for both websites, then the risk of collision between the two is null, so you won’t have problems because of the cookies.


i can’t agree with that, because once I had the following problem.

It could be solved only with P3P Compact Policy header.

Hah, nice finding :)


thanks a lot! That’s working perfectly now. Where would you usually put this code? Right now i placed it in views/layouts/main.php … is there a better place?

Bests, Simon


you can put it before opening session, because session usually operates on cookies.

If you don’t want/need to extend classes try putting it before creating application in your index.php file.