
Http sessions work but Https does not?? (IE caching bug?)

Posted: Sat Jul 12, 2003 11:31 pm
by Slippy
I'm using PHP 4.3x + Apache and testing with IE under W2K.

When I call pages using HTTP everything works fine, users can log in and
out, the data on the pages is always current.

When I call pages using HTTPS my log in session breaks. I can pull up
content under one user, log out and then back in as another user and see the
old user's content (not the current one). If I hit CTRL - Refresh (to
uncache and reload the page in IE), the page loads with the correct
information.

I am NOT using phplib, I have tried it, but I am getting the same results
(with allowcache = 'no').

Is there a <PROPER> fix for this?

Posted: Sun Jul 13, 2003 8:23 am
by m3rajk
http://us2.php.net/manual/en/function.header.php

and see: Programming PHP by O'Reilly (ISBN: 1565926102), pp. 176-177

Posted: Sun Jul 13, 2003 10:08 am
by Slippy
I took another look at it and I think I need to change the session_cache_limiter to "none" or "nocache" .. currently I have it set to "public" so that I can handle downloads out of a postgresql dB.

```php
// 'public' lets browsers and proxies cache the response;
// set here so that IE can download files over HTTPS.
if (isset($_SERVER["HTTPS"])) {
    session_cache_limiter('public');
}

session_start();
$_SESSION['susername'] = $susername;
$_SESSION['spassword'] = $spassword;
```
I guess I will need to check if the page is in "download mode" or not and handle it accordingly.

Thanks

Posted: Sun Jul 13, 2003 1:22 pm
by Gen-ik
It's not an IE caching bug because I created an on-line store with sessions and it all worked fine... just make sure your https page(s) are on the same site as the http ones and it should work fine.

Posted: Sun Jul 13, 2003 3:23 pm
by Slippy
The whole site is one big custom PHP application (online school) and I have chosen to encrypt the entire thing using HTTPS. I have it rigged so that incoming https requests (port 443) go straight to the secure server and http (port 80) goes to a different server.

Okay, so I have working sessions with HTTPS if I remove the session_cache_limiter('public'); line from the code above... however that breaks the ability to download files across HTTPS using internet exploiter.

To download a file, I want to check the session for a valid user and to see if they are logged into the course where the file is stored. I want to do this so that I can ensure that they are in fact allowed to see that particular file. I figure I can check to see if https is being used (on the download files scripts only) and turn caching on just for downloading the file and hopefully that will work. This means that I will have to maintain a separate piece of session checking code just to download files from the dB -- this needs to be maintained in at least 8 files (so far); so I think I will just make (yet another) include file.

As for the whole "Bug" thing; I was referring to the phenomenon described in the PHP manual (errata) @ http://php3.de/manual/en/function.sessi ... imiter.php (check the last comment) -- it's not really a bug; but a "feature" that Micro$oft implemented to keep sessions working with some of their other products. I guess I should call it an IE caching "catch 22" instead of a bug. :wink:

Thanks
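
The shared include described in the last post could look like the sketch below; it is an added example, not code from the thread. The function names and the `$_SESSION` keys `user_id` and `course_ids` are hypothetical, and using `'private'` instead of the thread's `'public'` is this example's choice, on the assumption that IE accepts it for HTTPS downloads.

```php
<?php
// session_guard.php -- added example; the file name, function names and the
// $_SESSION keys 'user_id' and 'course_ids' are hypothetical.

// The limiter must be chosen before session_start(); later calls have no effect.
function start_guarded_session($isDownload)
{
    // Normal pages: 'nocache', so a page rendered for one user is never
    // replayed from the browser cache after another user logs in.
    // Download scripts: 'private' lets the browser store the file
    // (assumption: enough for IE to save it over HTTPS) but not shared proxies.
    session_cache_limiter($isDownload ? 'private' : 'nocache');
    session_start();
}

// True only if a user is logged in and enrolled in the file's course.
// Expects $session['course_ids'] to be an array of integers.
function may_download($session, $courseId)
{
    if (empty($session['user_id']) || empty($session['course_ids'])) {
        return false;
    }
    return in_array((int)$courseId, $session['course_ids'], true);
}

// Called from each download script with the file already read from the database.
function serve_download($courseId, $fileName, $bytes)
{
    start_guarded_session(true);
    if (!may_download($_SESSION, $courseId)) {
        header('HTTP/1.1 403 Forbidden');
        header('Cache-Control: no-store');   // never cache the refusal
        exit('Not allowed');
    }
    // Strip path parts, quotes and line breaks so a stored file name
    // cannot alter the Content-Disposition header.
    $safe = str_replace(array('"', "\r", "\n"), '', basename($fileName));
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $safe . '"');
    header('Content-Length: ' . strlen($bytes));
    echo $bytes;
}
```

Every other page would include the same file and call `start_guarded_session(false)`, so only the download scripts relax caching.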