losing session variables on switch to https:
Posted: Thu Jan 15, 2004 3:29 pm
by Unipus
At least, I believe that's what's happening. I haven't figured out how to replicate it myself on ANY of our own machines, or my own home... but a percentage of my users are having the problem, using similar setups to those we have here. The only consistent difference I can detect is that many of them seem to be using Windows XP, whereas all of our machines use Win2000. Nothing unusual about these people's security settings, etc.
Anyway, does anyone know WHY this would happen? Is it a server setting? Client setting? Is it an issue with the actual certificate itself? The physical server is not changing, but the protocol is, and as soon as that switch happens, people are losing data. Rather bad, it is.
Posted: Thu Jan 15, 2004 5:21 pm
by Unipus
Posted: Fri Jan 16, 2004 9:30 am
by Roja
The most important question is whether they are maintaining the session cookie.
In all likelihood, when you switch from http to https, the domain on the cookie (not to mention the secure/not-secure setting in the cookie) is changing.
Not only that, but in IE5.5sp2 and above (including IE6 on XP), IE wisely refuses to let you set third-party cookies.
In other words, site A - the HTTP site - says "here is a session cookie for site B", and IE says "go stuff yourself".
There are a number of reasons for that, all related to security.
The point is, you need to ensure that the session cookie gets set once they transition to the https side.
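An added example, not part of the original thread: a sketch of the RFC 6265 domain and Secure rules a browser applies when deciding whether to send a stored session cookie back, which is the check to run first when a session seems to vanish on an http-to-https switch. The host names are constructed; path matching, expiry, public-suffix checks and browser privacy settings are not modeled.

```javascript
// Added example: would a browser send a stored cookie with a request?
// Implements only the RFC 6265 domain-match and Secure rules.

// Record a cookie as the browser would after a Set-Cookie response.
function storeCookie(setFromUrl, { name, domain = null, secure = false }) {
  const host = new URL(setFromUrl).hostname.toLowerCase();
  if (domain === null) {
    // No Domain attribute: host-only cookie, returned to this exact host only.
    return { name, domain: host, hostOnly: true, secure };
  }
  const d = domain.replace(/^\./, "").toLowerCase();
  // A server may only set a cookie for its own host or a parent domain.
  if (host !== d && !host.endsWith("." + d)) return null; // rejected
  return { name, domain: d, hostOnly: false, secure };
}

// Would the browser attach this cookie to a request for requestUrl?
function wouldSend(cookie, requestUrl) {
  const url = new URL(requestUrl);
  const host = url.hostname.toLowerCase();
  const domainOk = cookie.hostOnly
    ? host === cookie.domain
    : host === cookie.domain || host.endsWith("." + cookie.domain);
  // A Secure cookie is never sent over plain http.
  const secureOk = !cookie.secure || url.protocol === "https:";
  return domainOk && secureOk;
}

// Constructed scenario: a shop on www.example.com, checkout over https.
function demo() {
  const from = "http://www.example.com/cart";
  const hostOnly = storeCookie(from, { name: "PHPSESSID" });
  const shared = storeCookie(from, { name: "PHPSESSID", domain: ".example.com" });
  const secureOnly = storeCookie("https://secure.example.com/pay",
    { name: "PHPSESSID", secure: true });
  return {
    sameHostHttps: wouldSend(hostOnly, "https://www.example.com/checkout"),
    otherHostHttps: wouldSend(hostOnly, "https://secure.example.com/checkout"),
    sharedDomainHttps: wouldSend(shared, "https://secure.example.com/checkout"),
    secureBackOnHttp: wouldSend(secureOnly, "http://secure.example.com/cart"),
    foreignRejected: storeCookie(from, { name: "PHPSESSID", domain: "example.org" }) === null,
  };
}

console.log(demo());
```

If the https pages live on a different host name than the http pages, only the `sharedDomainHttps` arrangement carries the session cookie across.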
Posted: Fri Jan 16, 2004 12:41 pm
by Unipus
Well, that all makes sense, but the question is: how? How do I set up the new session variables with the same values as the old? And why is this only happening on SOME instances of IE6?
Posted: Fri Jan 16, 2004 1:53 pm
by Roja
Unipus wrote: Well, that all makes sense, but the question is: how? How do I set up the new session variables with the same values as the old?
Unfortunately, I'm not sure. I'll admit that I've only done a handful of https programming with sessions, and they all occurred IN https.
Unipus wrote:
And why is this only happening on SOME instances of IE6?
Because some may have overridden the defaults which block third-party cookies (cross-site cookies).
Others may be running older (not IE6, more like IE5) versions that don't have that protection.
Posted: Fri Jan 16, 2004 2:14 pm
by Unipus
Nope. It's actually happening on similarly configured, IDENTICAL versions of the same browser (6.0.2800.1106). That's the part that makes me all confusedy... I'm still not sure where the problem really lies.
Posted: Fri Jan 16, 2004 2:34 pm
by Roja
Unipus wrote: Nope. It's actually happening on similarly configured, IDENTICAL versions of the same browser (6.0.2800.1106). That's the part that makes me all confusedy... I'm still not sure where the problem really lies.
Then perhaps it is a DNS issue - they may be resolving the DNS entries differently. Cookies work via DNS/domain, so check the NS resolution on each to see if they resolve the http/https domain differently.
Posted: Fri Jan 16, 2004 2:45 pm
by Unipus
Aha. It appears to be an incredibly disparaging bug in PHP itself. That's somewhat reassuring, but also very worrisome.
Posted: Fri Jan 16, 2004 3:37 pm
by Roja
Ah. I completely misunderstood - I thought you were losing the session ITSELF.
Many apologies.
Posted: Fri Jan 16, 2004 6:16 pm
by Unipus
No, the session is maintained, as (I'm not actually sure about this, I might have to test it) are other variables. But this array is getting nulled out... exactly the same thing that's happening to these other people.
They say they fixed it, but that doesn't seem to be the case. Grr.