Firefox loses session switching to SSL mode!! Pls help!

Posted on 2007-10-18
Last Modified: 2013-12-07
I'm having a big problem with Firefox and my website. Firefox loses my user's session information when going from normal to SSL mode. This doesn't happen in Internet Explorer. What I've come to find out is this:

My SSL is registered as
When someone hits my site at http://mydomain (notice no www.) then goes to a secure area, it moves the user from to This is when the session is lost. But when I go from to, the session is preserved.

My question is how do I handle this? IE was nice enough to fix this. So how do I fix this? I'm using Windows 2003 and IIS 6.0. My server side language is very proprietary and probably no one's heard of it since it was custom made for us. So I'm hoping I can handle this with IIS, that when anyone hits, it goes to I'm sure I'm not the only one facing this problem so any help out there would be greatly appreciated.
Question by: bemara57

    Accepted Solution

    Probably Firefox is following the rules to the letter, while IIS is not.

    Take a look at how the session cookie is set.  If the cookie parameters specify an explicit domain, path or security requirement, then Firefox cannot be blamed for behaving in the correct manner.

    Is your application written in some kind of code that you can access the source?  If so, you should be able to find the relevant cookie setting parts and fix them if you know even a small thing about the language.  If you don't have access to the source, then you have no choice but to go back to whoever wrote it for you.


    Author Comment

    Can someone pls give some coding examples of what is happening here (in PHP, Java, C#, doesn't matter)? I just want to get an idea of the things happening behind the scenes so I know what to look for.

    Expert Comment

    You can use something like Fiddler to trace the HTTP headers.  Look for Cookie: (from the client) and Set-Cookie: (from the server) in the headers.

    I suspect that the Set-Cookie will include either a '' directive, which means that the browser should only ever submit to [*.], or a 'secure' directive, which means that it can only be sent over SSL (HTTPS).

    Here is an old (yet still very valid) reference:

    By the sound of your observations, it seems that IE is ignoring one or both of those directives.


    Expert Comment

    Actually, thinking about it a bit more...  it is more likely that the cookie is set by a response from, but the domain is not specified in the Set-Cookie header.

    The difference between browsers is probably interpretation of the default condition (when domain is not specified).

    It sounds like Firefox is interpreting it as the explicit, yet IE is interpreting it more generally as just

    Personally, I'd side with the Firefox interpretation unless the RFC specifically says otherwise (which I doubt).

    If that is the case, then you will be able to fix this issue by including the explicit domain limits in the Set-Cookie header, i.e. ''
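
The behaviour discussed in this thread, as an added example that is not part of the original posts: a small Python model of how a browser scopes a cookie by host, following the host-only rule later written down in RFC 6265. The host name `example.test`, the cookie name `SESSIONID` and the function names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Cookie:
    name: str
    domain: str      # host or domain the cookie is scoped to
    host_only: bool  # True when Set-Cookie carried no Domain attribute
    secure: bool     # True when Set-Cookie carried the Secure attribute

def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching (IP-address hosts not handled)."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)

def store_cookie(set_cookie: str, request_host: str) -> Cookie:
    """Record a Set-Cookie header value the way a browser's cookie jar would."""
    first, *attrs = [part.strip() for part in set_cookie.split(";")]
    domain, secure = None, False
    for attr in attrs:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "domain" and value.strip():
            domain = value.strip().lstrip(".").lower()  # leading dot is ignored
        elif key == "secure":
            secure = True
    name = first.split("=", 1)[0]
    if domain is None:
        # No Domain attribute: the cookie is bound to the exact setting host.
        return Cookie(name, request_host.lower(), True, secure)
    if not domain_match(request_host, domain):
        raise ValueError("Domain attribute does not cover the setting host")
    return Cookie(name, domain, False, secure)

def would_send(cookie: Cookie, scheme: str, host: str) -> bool:
    """Decide whether the cookie accompanies a request to scheme://host/."""
    if cookie.secure and scheme != "https":
        return False
    if cookie.host_only:
        return host.lower() == cookie.domain
    return domain_match(host, cookie.domain)

if __name__ == "__main__":
    # Constructed headers; example.test stands in for the site's real host name.
    host_only = store_cookie("SESSIONID=abc123; Path=/", "example.test")
    shared = store_cookie("SESSIONID=abc123; Domain=.example.test; Path=/", "example.test")
    for label, c in (("no Domain", host_only), ("Domain=.example.test", shared)):
        print(label, "->", would_send(c, "https", "www.example.test"))
```

Setting `Domain` makes the session cookie visible to every subdomain of that name, so it widens exposure as well as fixing the lost session. Redirecting all requests to one canonical host name keeps the cookie host-only.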

