Avoid using iframe for performance reasons, read more @
http://www.stevesouders.com/blog/2009/06/03/using-iframes-sparingly/
Using this in some places can not be avoided like if we want to access an https url from a http page which is not accepted. So for handling authentication on AJAX from a http page needs a blank iframe with action to https page and method attribute. AJAX request will be submitted to iframe (intern https url, can be .net generic handler) and on server set the cookies and return the blank response to iframe and on window onload event of iframe we can do neccessary changes on parent page by directly accessing cookies through javascript to know authentication success or failure.