Http sessions work but Https does not?? (IE caching bug?)

Slippy
Forum Contributor
Posts: 113
Joined: Sat Jul 12, 2003 11:31 pm
Location: Vancouver eh!

Post by Slippy »

I'm using PHP 4.3x + Apache and testing with IE under W2K.

When I call pages using HTTP everything works fine, users can log in and
out, the data on the pages is always current.

When I call pages using HTTPS my log in session breaks. I can pull up
content under one user, log out and then back in as another user and see the
old user's content (not the current one). If I hit CTRL - Refresh (to
uncache and reload the page in IE), the page loads with the correct
information.

I am NOT using phplib, I have tried it, but I am getting the same results
(with allowcache = 'no').

Is there a <PROPER> fix for this?
m3rajk
DevNet Resident
Posts: 1191
Joined: Mon Jun 02, 2003 3:37 pm

Post by m3rajk »

http://us2.php.net/manual/en/function.header.php

and see: Programming PHP by O'Reilly (ISBN: 1565926102), pg 176-177
Slippy
Forum Contributor
Posts: 113
Joined: Sat Jul 12, 2003 11:31 pm
Location: Vancouver eh!

Post by Slippy »

I took another look at it and I think I need to change the session_cache_limiter to "none" or "nocache" .. currently I have it set to "public" so that I can handle downloads out of a postgresql dB.

Code:

if (isset($_SERVER["HTTPS"])) {
    // 'public' allows the browser and proxies to cache the response
    session_cache_limiter('public');
}

session_start();
$_SESSION['susername'] = $susername;
$_SESSION['spassword'] = $spassword;

I guess I will need to check if the page is in "download mode" or not and handle it accordingly.

Thanks
Gen-ik
DevNet Resident
Posts: 1059
Joined: Mon Aug 12, 2002 7:08 pm
Location: London. UK.

Post by Gen-ik »

It's not an IE caching bug because I created an on-line store with sessions and it all worked fine... just make sure your https page(s) are on the same site as the http ones and it should work fine.
Slippy
Forum Contributor
Posts: 113
Joined: Sat Jul 12, 2003 11:31 pm
Location: Vancouver eh!

Post by Slippy »

The whole site is one big custom PHP application (online school) and I have chosen to encrypt the entire thing using HTTPS. I have it rigged so that incoming https requests (port 443) go straight to the secure server and http (port 80) goes to a different server.

Okay, so I have working sessions with HTTPS if I remove the session_cache_limiter('public'); line from the code above... however that breaks the ability to download files across HTTPS using internet exploiter.

To download a file, I want to check the session for a valid user and to see if they are logged into the course where the file is stored. I want to do this so that I can ensure that they are in fact allowed to see that particular file. I figure I can check to see if https is being used (on the download files scripts only) and turn caching on just for downloading the file and hopefully that will work. This means that I will have to maintain a separate piece of session checking code just to download files from the dB -- this needs to be maintained in at least 8 files (so far); so I think I will just make (yet another) include file.

As for the whole "Bug" thing; I was referring to the phenomenon described in the PHP manual (errata) @ http://php3.de/manual/en/function.sessi ... imiter.php (check the last comment) -- it's not really a bug; but a "feature" that Micro$oft implemented to keep sessions working with some of their other products. I guess I should call it an IE caching "catch 22" instead of a bug. :wink:

Thanks
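
The include file described in the last post, sketched as an added example that is not part of the thread: ordinary pages are served uncached so a copy rendered for an earlier login is never reused, and caching is relaxed only inside download scripts, after the session has been checked. The function names, the 'courses' session key and the choice of 'private_no_expire' for download mode are assumptions.

```php
<?php
// session_guard.php -- hypothetical include file; all names are illustrative.

// Start the session with a cache policy chosen per script.
// session_cache_limiter() only takes effect if called before session_start().
function app_session_start($downloadMode = false)
{
    if ($downloadMode) {
        // The browser may keep the file, shared proxies may not.
        // Assumption: this is permissive enough for IE to save a file over HTTPS.
        session_cache_limiter('private_no_expire');
    } else {
        // Ordinary pages: never show a copy rendered for a previous user.
        session_cache_limiter('nocache');
    }
    session_start();
}

// Pure decision function, so it can be exercised without a live session.
// 'susername' is the key used in the thread; 'courses' is an assumed key
// holding the integer ids of the courses the user is logged into.
function may_download($session, $courseId)
{
    return !empty($session['susername'])
        && isset($session['courses'])
        && in_array($courseId, $session['courses'], true);
}

// Call at the top of every download script, before any output is sent.
function require_course_member($courseId)
{
    app_session_start(true);
    if (!may_download($_SESSION, $courseId)) {
        header('HTTP/1.1 403 Forbidden');
        exit('Not authorised for this file.');
    }
}

// Constructed sample sessions, shown only when the file is run from the CLI.
if (php_sapi_name() === 'cli') {
    $alice = array('susername' => 'alice', 'courses' => array(12, 40));
    var_dump(may_download($alice, 12));   // member of course 12
    var_dump(may_download($alice, 7));    // logged in, wrong course
    var_dump(may_download(array(), 12));  // no login at all
}
```

Every other page calls app_session_start() with no argument, so the 'public' limiter never applies to content that depends on who is logged in.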