  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 612

Session Variables Lost (IE only)

Hey y'all,

I can't maintain session variables in IE on an intranet site running Apache 2.0, PHP 5.
This intranet site is a dev site for a soon to be production site.
Mozilla, Opera, Firefox ALL work.
For security reasons, the session variables must be stored in a cookie.  
The cookie never gets set.

Any ideas?

Bob.
0
Asked:
BillyBoJimBob
1 Solution
 
caterham_wwwCommented:
Hi,
did you already check the security and privacy settings in IE? For IE 6 go to Extras --> internet options  and click on the tab 'Privacy'. The value should be set to "medium" or "low". Or allow cookies for your domain by clicking on the button "Advanced" below and add your domain.

For IE 5 check Extras -->  internet options -> security -- Enable Cookies

Robert
0
 
ahoffmannCommented:
How do you set the cookie?
Best is to use a sniffer or proxy to see the HTTP header sent to the browser.
In Mozilla, Firefox you can install the LiveHTTPheader extension for that.
0
 
BillyBoJimBobAuthor Commented:
caterham_www:
All cookies allowed in IE6.  The cookie is just not getting created in IE, but does in Mozilla, Opera, and Firefox.

ahoffmann:
Cookies set in php using $_COOKIE
Sniffer used: IECookiesView (http://www.nirsoft.net/utils/iecookies.html).
IECookiesView verifies cookie is not getting created.

Bob.
0
 
BillyBoJimBobAuthor Commented:
Cookies are used to handle session.
Variable used: $_SESSION, not $_COOKIE.

IE http header sniffer used: ieHTTPHeaders (http://www.blunck.info/iehttpheaders.html).

Bob.
0
 
BillyBoJimBobAuthor Commented:
Here's the header information:

Mozilla:

POST /form/login.php HTTP/1.1
Host: csi_dev.csint.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20041001 Firefox/0.10.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://csi_dev.csint.com/dealer/
Cookie: PHPSESSID=orvskt44jp9ec9iiphroh06rn0
Content-Type: application/x-www-form-urlencoded
Content-Length: 81
login=1&target=%2Findex.php&username=myusername&password=mypassword


HTTP/1.x 302 Found
Date: Wed, 09 Mar 2005 17:19:03 GMT
Server: Apache/2.0.53 (Win32) mod_ssl/2.0.53 OpenSSL/0.9.7e PHP/5.0.3
X-Powered-By: PHP/5.0.3
Set-Cookie: PHPSESSID=orvskt44jp9ec9iiphroh06rn0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: https://csi_dev.csint.com/index.php
P3P: CP="NON ADMa OUR NOR UNI"
Content-Length: 0
Keep-Alive: timeout=15, max=77
Connection: Keep-Alive
Content-Type: text/html
----------------------------------------------------------
https://csi_dev.csint.com/dealer/index.php

GET /dealer/index.php HTTP/1.1
Host: csi_dev.csint.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20041001 Firefox/0.10.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://csi_dev.csint.com/
Cookie: PHPSESSID=orvskt44jp9ec9iiphroh06rn0

----------------------------------------------------------




IE Header:

POST /form/login.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: https://csi_dev.csint.com/dealer/
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: csi_dev.csint.com
Content-Length: 81
Connection: Keep-Alive
Cache-Control: no-cache

login=1&target=%2Findex.php&username=myusername&password=mypassword

HTTP/1.1 302 Found
Date: Wed, 09 Mar 2005 17:08:03 GMT
Server: Apache/2.0.53 (Win32) mod_ssl/2.0.53 OpenSSL/0.9.7e PHP/5.0.3
X-Powered-By: PHP/5.0.3
Set-Cookie: PHPSESSID=evsdb57s7ljdaq3bp6ndb3kkg1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: https://csi_dev.csint.com/index.php
P3P: CP="NON ADMa OUR NOR UNI"
Content-Length: 0
Connection: close
Content-Type: text/html

GET /dealer/index.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: https://csi_dev.csint.com/dealer/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: csi_dev.csint.com
Connection: Keep-Alive
Cache-Control: no-cache


Why doesn't IE keep the cookie that was set?

Bob.
0
 
ahoffmannCommented:
LOL

> Set-Cookie: PHPSESSID=evsdb57s7ljdaq3bp6ndb3kkg1; path=/
> Expires: Thu, 19 Nov 1981 08:52:00 GMT

why should IE use that cookie? it expired 20 years ago ;-)
You may consider this a bug in mozilla

Also: your "Expire: " appears as a separate line in the header, if this is the truth the bug is in IE not mozilla (where mozilla silently ignores the unknown Expire header)
Please verify if the Expire is in the same line (no newline and/or carriage return) as the Set-Cookie.
0
 
BillyBoJimBobAuthor Commented:
I'm not controlling the header, that's what PHP sends to establish a cookie that is destroyed when the browser is closed.
The session closes when the browser does.

I have the same setup on another server, and the expire line is identical and it WORKS with IE.

{:> (hair falling out)

Bob.
0
 
BillyBoJimBobAuthor Commented:
This appears to be more a PHP problem than an apache server problem.

Bob.
0
 
ahoffmannCommented:
I'd use a sniffer and check the traffic, it's really important how the header looks, IE is a bit picky here ..
0
 
BillyBoJimBobAuthor Commented:
>> I'd use a sniffer and check the traffic
httpheadersniffer,cookiesniffer,packetsniffer?

Bob.
0
 
ahoffmannCommented:
tcpdump, ethereal .. could be on client or server side (assuming that routers don't change anything)
0
 
BillyBoJimBobAuthor Commented:
What am I looking for?
0
 
ahoffmannCommented:
only the HTTP-header, in particular the Set-Cookie: line in the response
0
 
ahoffmannCommented:
damn, my comment in http:#13498620 is wrong, sorry
the HTTP header is ok, the Expire is the expire header for the page itself

same problem in PHP TA, see also: http:/Q_21345910.html
0
 
caterham_wwwCommented:
> All cookies allowed in IE6.  The cookie is just not getting created in IE, but does in Mozilla, Opera, and Firefox.

Did you also try
> clicking on the button "Advanced" below and add your domain.
?
Try to add/allow your domain there. I don't think that this would work, but have a try on it...
see also http:Q_21347545.html
0
 
armeenCommented:
The cookies are rejected because of the underscore in the server name; remove it and it should start working.
0
 
BillyBoJimBobAuthor Commented:
Armeen,

That did it.

I can't believe it was such an "easy" fix.

Thanks,
Bob.
0
 
armeenCommented:
Cool, it's annoying. I know Microsoft have a KB article, but when the security patch first made the change a serious amount of people were affected by this and they didn't really make a big deal of telling people.
0
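
An added example, not code from this thread or from any poster: a Python check that reads a pasted header capture like the IE trace above, finds a Set-Cookie that the following request did not send back, and tests the Host name against the letters-digits-hyphen host-name rule of RFC 952/1123 that the accepted answer's underscore violates. The host name, session id and function names are constructed for illustration.

```python
import re

# RFC 952/1123 host label: letters, digits, hyphen; no hyphen at either end.
LDH_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def invalid_labels(host):
    """Labels of a Host header value that break the letters-digits-hyphen rule."""
    name = host.split(":")[0].rstrip(".")
    return [lab for lab in (name.split(".") if name else []) if not LDH_LABEL.match(lab)]

def parse_messages(capture):
    """Split a pasted header capture into (start_line, headers) tuples."""
    messages = []
    for block in re.split(r"\n\s*\n", capture.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines or not re.match(r"HTTP/\S+ \d{3}|[A-Z]+ \S+ HTTP/", lines[0]):
            continue  # request body or separator line, not a message head
        parts = (ln.partition(":") for ln in lines[1:])
        messages.append((lines[0], {k.strip().lower(): v.strip() for k, s, v in parts if s}))
    return messages

def diagnose(capture):
    """Report cookies the server set that the next request did not send back."""
    findings, pending = [], None
    for start, headers in parse_messages(capture):
        if start.startswith("HTTP/"):  # response: remember the cookie name it sets
            pending = headers.get("set-cookie", "").split("=", 1)[0] or pending
            continue
        sent = [c.split("=", 1)[0].strip() for c in headers.get("cookie", "").split(";")]
        if pending and pending not in sent:
            bad = invalid_labels(headers.get("host", ""))
            cause = f"invalid host label(s) {bad}" if bad else "host name is valid, look elsewhere"
            findings.append(f"{pending} not returned on '{start}': {cause}")
        pending = None
    return findings

# Constructed capture (hypothetical host and session id), shaped like the IE trace above.
SAMPLE = """\
POST /form/login.php HTTP/1.1
Host: app_dev.example.test

login=1

HTTP/1.1 302 Found
Set-Cookie: PHPSESSID=constructed0session0id; path=/

GET /index.php HTTP/1.1
Host: app_dev.example.test
"""
print("\n".join(diagnose(SAMPLE)))
```

Running `invalid_labels` over the server names in the Apache virtual host configuration before a site goes live catches the same problem without needing a browser trace.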
