SOS: Internet Explorer issue with duplicate PHP Session ids
Posted: Mon May 19, 2008 11:34 pm
Hello, I have searched heavily for the answer to this issue, but haven't found anything useful.
I have a site with a logout.php script like this:
<?php
session_start();
session_unset(); // enough for FF
session_destroy(); // IE needs both unset and destroy
and the login.php script is more complicated:
<?php
/***** Multi-step PHP session fixation fix *****/
session_start();
// We unset+destroy all session vars, and start-over (log-out basically)
session_unset(); // enough for FF
session_destroy(); // IE needs both unset and destroy
session_start();
// Generate new PHPSESSID to shrink session hijack possibility
// to capture/prediction from fixation.
session_regenerate_id();
The problem is that, very consistently (once every 4-5 attempts), when I click on logout and try to log in again, IE ends up with 2 PHPSESSIDs in the cookie. HTTP request header:
POST /login.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://www.test.com/loginonly
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: http://www.test.com
Content-Length: 68
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: __utma=261786520.302897073.1197649982.1211188880.1211192879.157; __utmz=261786520.1197649982.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=ohgecedjtb3og9ijkcvrvtmd20; __utmc=261786520; __utmb=261786520; PHPSESSID=8mftgsbi7pp91vo4gsmctsrma3
The 1st (from left) PHPSESSID is the old session id which should have been cleared on logout, while the 2nd on the right is the new session id regenerated on login. Unfortunately, PHP doesn't look at the 2nd one at all, and considers the 1st one "Logged out" or "doesn't exist". The user essentially stays logged out. The only way to log in at that point is to close and reopen the browser.
Please let me know how I can resolve this issue. I have tried too many things, and it just isn't helping.
I found just one post on the Internet with a similar/same issue: http://drupal.org/node/87372#comment-453823 but there was no reply to it.
Thanks in advance,
Vinay.
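An added example, not the poster's code: a logout that also expires the session cookie in the browser, and a login step that regenerates the id while deleting the old session data. session_destroy() only clears the server-side store; the cookie itself stays in the browser unless it is expired with the same name, path and domain it was issued with, and a browser will keep two cookies of the same name side by side when those attributes differ. The function names and the `authenticated` key are assumptions for illustration.

```php
<?php
// Added example (not the poster's code). Assumes the default cookie-based
// session handling; function names are illustrative.

function logout(): void
{
    session_start();
    $_SESSION = [];                 // drop all session variables

    // Expire the cookie with the same parameters it was issued with,
    // otherwise the browser keeps the old one next to any new one.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(
            session_name(),
            '',
            time() - 42000,         // a time in the past expires it
            $p['path'],
            $p['domain'],
            $p['secure'],
            $p['httponly']
        );
    }
    session_destroy();              // remove the server-side data
}

function startAuthenticatedSession(): void
{
    session_start();
    // Regenerate the id and delete the old session file (true), so an id
    // the browser already held cannot be reused after login.
    session_regenerate_id(true);
    $_SESSION['authenticated'] = true;   // assumed application flag
}
```

Both functions must run before any output is sent, since they emit Set-Cookie headers.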