The Problem
Q: Why "make sure to implement P3P if using iframes" ?
A: If your application is inside iframe with parent belongs to another domain - cookies will not work for some very common configurations for example IE 6/7 with privacy set to medium. If cookies don't work - session won't work.
Therefore session state turns out useless for your application under Internet Explorer. See - Privacy in Internet Explorer 6.
This is relevant when domain that hosts iframe is different from parent domain. Because of the fact that this is not very common scenario - only a few familiar with the solution.
The Solution
Solution - need to implement P3P header to tell the browser that cookies for your application inside iframe are OK for user privacy.
So, ASP.NET implementation may look like the following (global.asax):
protected void Application_BeginRequest(Object sender, EventArgs e)
{
//
HttpContext.Current.Response.AddHeader("p3p", "CP=\"CAO PSA OUR\"");
}