Firefox loses session switching to SSL mode!! Pls help!

Posted on 2007-10-18
Medium Priority
Last Modified: 2013-12-07
I'm having a big problem with Firefox and my website. Firefox loses my user's session information when going from normal to SSL mode. This doesn't happen in Internet Explorer. What I've come to find out is this:

My SSL is registered as https://www.mydomain.com.
When someone hits my site at http://mydomain (notice no www.) then goes to a secure area, it moves the user from http://mydomain.com to https://www.mydomain.com. This is when the session is lost. But when I go from http://www.mydomain.com to https://www.mydomain.com, the session is preserved.

My question is how do I handle this? IE was nice enough to fix this. So how do I fix this? I'm using Windows 2003 and IIS 6.0. My server side language is very proprietary and probably no one's heard of since it was custom made for us. So I'm hoping I can handle this with IIS, that when anyone hits http://mydomain.com, it goes to http://www.mydomain.com. I'm sure I'm not the only one facing this problem so any help out there would be greatly appreciated.
Question by:bemara57

Accepted Solution

meverest earned 2000 total points
ID: 20104982
Probably Firefox is following the rules to the letter, while IIS is not.

Take a look at how the session cookie is set. If the cookie parameters specify an explicit domain, path or security requirement, then Firefox cannot be blamed for behaving in the correct manner.

Is your application written in some kind of code that you can access the source? If so, you should be able to find the relevant cookie setting parts and fix them if you know even a small thing about the language. If you don't have access to the source, then you have no choice but to go back to whoever wrote it for you.


Author Comment

ID: 20105517
Can someone pls give some coding examples of what is happening here (in PHP, Java, C#, doesn't matter)? I just want to get an idea of the things happening behind the scenes so I know what to look for.

Expert Comment

ID: 20105563
You can use something like Fiddler (www.fiddlertool.com) to trace the HTTP headers. Look for cookie: (from the client) and set-cookie: (from the server) in the headers.

I suspect that the set-cookie will include either a 'domain=www.mydomain.com' directive, which means that the browser should only ever submit to [*.]www.domain.com, or a 'secure' directive, which means that it can only be sent over SSL (https).

Here is an old (yet still very valid) reference: http://wp.netscape.com/newsref/std/cookie_spec.html

By the sound of your observations, it seems that IE is ignoring one or both of those directives.


Expert Comment

ID: 20105586
Actually, thinking about it a bit more... it is more likely that the cookie is set by a response from www.domain.com, but the domain is not specified in the set-cookie header.

The difference between browsers is probably interpretation of the default condition (when domain is not specified).

It sounds like Firefox is interpreting it as the explicit www.domain.com, yet IE is interpreting it more generally as just domain.com.

Personally, I'd side with the Firefox interpretation unless the RFC specifically says otherwise (which I doubt).

If that is the case, then you will be able to fix this issue by including the explicit domain limits in the set-cookie header, i.e. 'domain=domain.com'
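
The host-only versus Domain-scoped behaviour discussed in this thread, as an added example that is not part of the original posts: a small model of the RFC 6265 storage and send rules that current browsers follow. The cookie name `SESSIONID`, the header values and the helper names are constructed for illustration, and the public-suffix check real browsers also apply is left out.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

def domain_match(host, domain):
    """RFC 6265 5.1.3: same host, or host is a subdomain of `domain`."""
    return host == domain or host.endswith("." + domain)

def store_cookie(set_cookie, response_url):
    """Model how a browser stores one Set-Cookie value received from
    response_url. Returns a dict, or None when the cookie is rejected."""
    origin = urlsplit(response_url).hostname
    jar = SimpleCookie()
    jar.load(set_cookie)
    name, morsel = next(iter(jar.items()))
    domain = morsel["domain"].lower().lstrip(".")
    if domain and not domain_match(origin, domain):
        return None  # a host cannot set a cookie for a domain it is not under
    return {
        "name": name,
        "domain": domain or origin,   # no Domain attribute: bound to the exact host
        "host_only": not domain,
        "secure": bool(morsel["secure"]),
    }

def is_sent(cookie, request_url):
    """Would the stored cookie be attached to a request for request_url?"""
    url = urlsplit(request_url)
    if cookie["secure"] and url.scheme != "https":
        return False                  # Secure cookies never travel over plain http
    if cookie["host_only"]:
        return url.hostname == cookie["domain"]
    return domain_match(url.hostname, cookie["domain"])

if __name__ == "__main__":
    # Constructed headers: session created on the bare domain, then the
    # user is moved to the SSL site on the www host.
    for header in ("SESSIONID=abc123; Path=/",
                   "SESSIONID=abc123; Domain=mydomain.com; Path=/"):
        c = store_cookie(header, "http://mydomain.com/")
        print(header, "->", is_sent(c, "https://www.mydomain.com/secure"))
```

Widening `Domain` to the parent domain also sends the session cookie to every other subdomain, so it is worth confirming all of them are trusted. Redirecting bare-domain requests to the www host before any session is created, as the question suggests doing in IIS, keeps the cookie host-only.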

