
Firefox loses session when switching to SSL mode! Please help!

I'm having a big problem with Firefox and my website. Firefox loses my user's session information when going from normal to SSL mode. This doesn't happen in Internet Explorer. What I've come to find out is this:

My SSL is registered as https://www.mydomain.com.
When someone hits my site at http://mydomain (notice no www.) then goes to a secure area, it moves the user from http://mydomain.com to https://www.mydomain.com. This is when the session is lost. But when I go from http://www.mydomain.com to https://www.mydomain.com, the session is preserved.

My question is how do I handle this? IE was nice enough to fix this. So how do I fix this? I'm using Windows 2003 and IIS 6.0. My server-side language is very proprietary and probably no one has heard of it, since it was custom made for us. So I'm hoping I can handle this with IIS, so that when anyone hits http://mydomain.com, it goes to http://www.mydomain.com. I'm sure I'm not the only one facing this problem, so any help out there would be greatly appreciated.
1 Solution
Probably Firefox is following the rules to the letter, while IIS is not.

Take a look at how the session cookie is set. If the cookie parameters specify an explicit domain, path or security requirement, then Firefox cannot be blamed for behaving in the correct manner.

Is your application written in some kind of code for which you can access the source? If so, you should be able to find the relevant cookie-setting parts and fix them if you know even a small amount of the language. If you don't have access to the source, then you have no choice but to go back to whoever wrote it for you.

bemara57 (Author) commented:
Can someone please give some coding examples of what is happening here (in PHP, Java, C#, doesn't matter)? I just want to get an idea of the things happening behind the scenes so I know what to look for.
You can use something like Fiddler (www.fiddlertool.com) to trace the HTTP headers. Look for Cookie: (from the client) and Set-Cookie: (from the server) in the headers.

I suspect that the Set-Cookie will include either a 'domain=www.mydomain.com' directive, which means that the browser should only ever submit to [*.]www.domain.com, or a 'secure' directive, which means that it can only be sent over SSL (https).

Here is an old (yet still very valid) reference: http://wp.netscape.com/newsref/std/cookie_spec.html

By the sound of your observations, it seems that IE is ignoring one or both of those directives.

Actually, thinking about it a bit more... it is more likely that the cookie is set by a response from www.domain.com, but the domain is not specified in the Set-Cookie header.

The difference between browsers is probably the interpretation of the default condition (when domain is not specified).

It sounds like Firefox is interpreting it as the explicit www.domain.com, yet IE is interpreting it more generally as just domain.com.

Personally, I'd side with the Firefox interpretation unless the RFC specifically says otherwise (which I doubt).

If that is the case, then you will be able to fix this issue by including the explicit domain limits in the Set-Cookie header, i.e. 'domain=domain.com'.
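The following Python script is an added illustration for the author's request for code, not code from the thread or from the questioner's application. It implements the cookie-scoping rules the expert describes (a cookie set without a Domain attribute is bound to the exact host that set it; Domain widens the scope to subdomains; Secure restricts it to https), as later standardized in RFC 6265, and replays the question's two flows against them. The hostnames come from the question; the cookie name SESSIONID and the /secure/account path are constructed for the example.

```python
"""Replay the question's cookie flow under RFC 6265 cookie-scoping rules.

A Set-Cookie header with no Domain attribute creates a *host-only* cookie:
the browser returns it only to the exact host that set it, so a session
cookie set by http://mydomain.com is never sent to https://www.mydomain.com.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str      # canonical (lower-case) host, no leading dot
    host_only: bool  # True when Set-Cookie carried no Domain attribute
    path: str
    secure: bool     # Secure attribute present: send over https only


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def default_path(request_path: str) -> str:
    """RFC 6265 5.1.4: directory part of the request path, or "/"."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[: request_path.rfind("/")]


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4 path-match: equal, or cookie path is a directory prefix."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def parse_set_cookie(header: str, request_url: str) -> Cookie:
    """Store one Set-Cookie header the way a user agent does (RFC 6265 5.2, 5.3)."""
    url = urlsplit(request_url)
    host = url.hostname.lower()
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain, path, secure = None, None, False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "domain" and val:
            domain = val.strip().lower().lstrip(".")
        elif key == "path" and val.startswith("/"):
            path = val
        elif key == "secure":
            secure = True
    if path is None:
        path = default_path(url.path or "/")
    if domain is None:
        # No Domain attribute: the cookie is bound to exactly this host.
        return Cookie(name, value, host, True, path, secure)
    if not domain_matches(host, domain):
        # A host may only set cookies for itself or a parent domain.
        raise ValueError(f"{host} may not set a cookie for {domain}")
    return Cookie(name, value, domain, False, path, secure)


def cookies_for_request(jar: list, request_url: str) -> list:
    """Names of the stored cookies a user agent would send with this request (5.4)."""
    url = urlsplit(request_url)
    host = url.hostname.lower()
    sent = []
    for c in jar:
        in_scope = host == c.domain if c.host_only else domain_matches(host, c.domain)
        if not in_scope:
            continue
        if not path_matches(url.path or "/", c.path):
            continue
        if c.secure and url.scheme != "https":
            continue
        sent.append(c.name)
    return sent


def replay(set_cookie: str, set_on: str, then_visit: str) -> list:
    """Set a cookie while on one URL, then report what is sent to another."""
    jar = [parse_set_cookie(set_cookie, set_on)]
    return cookies_for_request(jar, then_visit)


if __name__ == "__main__":
    # Constructed scenarios using the hostnames from the question.
    secure_area = "https://www.mydomain.com/secure/account"
    # 1. Set by the bare host with no Domain attribute: lost on the hop to www.
    print(replay("SESSIONID=abc123", "http://mydomain.com/", secure_area))  # []
    # 2. Same cookie with an explicit Domain (the suggested fix): survives the hop.
    print(replay("SESSIONID=abc123; Domain=mydomain.com", "http://mydomain.com/", secure_area))  # ['SESSIONID']
    # 3. Set by www and revisited on www: preserved, as the questioner observed.
    print(replay("SESSIONID=abc123", "http://www.mydomain.com/", secure_area))  # ['SESSIONID']
    # 4. A Secure cookie is never returned over plain http, even to the same host.
    print(replay("SESSIONID=abc123; Secure", secure_area, "http://www.mydomain.com/secure/account"))  # []
```

Scenario 1 is the behaviour reported for Firefox and scenario 2 is the fix the expert proposes; the script models the RFC rules only and does not attempt to reproduce the older IE behaviour the thread describes. When tracing with Fiddler, compare the Set-Cookie header you see against the attributes this parser reads: the absence of Domain, a Domain naming the www host, or a Secure flag each explain a dropped session in a different way.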
