awalkinthepark
IE 9 losing session cookie
Using IE 9
User logs into site #1.
Site #1 redirects user to site #2 using a URL with query parameters (ASP) that are all correct.
Site #2 executes login script, it's all good.
I can see the login happening correctly in profiler.
Site #2 then rejects user because of no Session variable containing the user_id.
Yet, directly logging in to site #2 with IE 9 works with no problem for the user.
Same steps above using Chrome, logged into site #1, then get successfully redirected to site #2.
Facts:
IE9 direct login to site #2 works.
Chrome redirect from site #1 to site #2 works.
Only IE9 with redirect from #1 to #2 fails.
Some issue with IE session sharing?
Something about a redirect not accepting session cookie?
Anyone have an idea why IE 9 with redirect fails?
Thanks
SOLUTION
If the domain names of the sites are different, then they will have different session cookies. It is a pretty strong security rule in all browsers that one domain can not see the cookies of another domain. Also, a session cookie is active as long as any window of the browser is still open. Each browser has only one 'cookie jar' that is shared by all windows.
Things like 'in private' browsing are supposed to 'sandbox' the different sites from each other. http://windows.microsoft.com/en-US/windows-vista/What-is-InPrivate-Browsing
ASKER
Yes, that's understood.
Still, the problem is that the new browser connects to site#2, should have a session cookie, but when it's done as a redirect, it fails. Done directly, doesn't fail.
Other browsers work when done as a redirect.
Some IE setting other than "allow session cookies"?
SOLUTION
Here's what I think you're saying...
You visit site#1 www.site1.com
Site 1 returns a 302 status code, redirecting to www.site2.com?loginID=1234
The browser does as it's told, and makes a request to www.site2.com?loginID=1234
In Chrome, this will automatically log user 1234 in (or at least recognise them)
In IE9, you see an error message instead
Is that correct ?
Thinking about this, I guess this might qualify as a third-party cookie.
Open Advanced Privacy Settings (Internet Options -> Privacy -> Advanced) and see if that's responsible.
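One way to confirm from a capture whether the browser dropped the session cookie that site #2 set during the redirect login. This is an added example, not part of any post in this thread: the host names follow the thread's www.site1.com and www.site2.com, while the paths, the ASPSESSIONIDEXAMPLE cookie and the capture records are constructed. Only host-only cookies with a simple path-prefix match are modelled.

```python
from http.cookies import SimpleCookie

def find_dropped_cookies(capture):
    """Return (request_index, host, cookie_name) for every cookie a host set
    earlier in the capture that a later request to that host did not carry."""
    jar = {}      # (host, cookie name) -> path the cookie is scoped to
    dropped = []
    for i, entry in enumerate(capture):
        host = entry["host"].lower()
        sent = set(SimpleCookie(entry["cookie"]).keys())
        # Compare what the browser sent with what this host set earlier.
        for (set_host, name), path in jar.items():
            if set_host == host and entry["path"].startswith(path) and name not in sent:
                dropped.append((i, host, name))
        # Record cookies set by this response (Domain attribute not modelled).
        for header in entry["set_cookie"]:
            for name, morsel in SimpleCookie(header).items():
                jar[(host, name)] = morsel["path"] or "/"
    return dropped

def exchange(host, path, cookie="", set_cookie=()):
    """One request/response pair as a proxy or server log would record it."""
    return {"host": host, "path": path, "cookie": cookie,
            "set_cookie": list(set_cookie)}

SESSION = "ASPSESSIONIDEXAMPLE=constructed123"  # constructed sample value

def redirect_login(browser_returns_cookie):
    """Constructed capture: site #1 redirects, site #2 logs in, next page loads."""
    return [
        exchange("www.site1.com", "/portal.asp"),
        exchange("www.site2.com", "/login.asp?loginID=1234",
                 set_cookie=[SESSION + "; path=/"]),
        exchange("www.site2.com", "/home.asp",
                 cookie=SESSION if browser_returns_cookie else ""),
    ]

if __name__ == "__main__":
    for label, returned in (("cookie returned", True), ("cookie dropped", False)):
        print(label, find_dropped_cookies(redirect_login(returned)))
```

An empty result means every cookie was sent back; an entry pointing at the request after the login script means the browser never stored or returned the session cookie, so the server-side session holding user_id cannot be found.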
At least you got it working, that's what counts.
If having "Third party cookies = blocked" ticked in Internet Options -> Privacy -> Advanced causes the problem, and your system is used by a range of users, it might be wise to rework the code a little bit (since some users will have it set this way).
ASKER
It worked but true cause not identified.
ASKER
Cannot set the cookie from site #1. That's someone else's web server.
We have many users doing this exact thing without issue.
IEX -> site #1 to site #2, and so I believe it's a setting somewhere on this user's machine.
Tomorrow I can try looking at the logs. Will have to get the user's IP first.
This implies that session merging can be disabled:
"One of the best solution for your case is Registry fix for the IE.
Add the following KEY if it is not there, set 0 to disable frame merging.
HKCU\Software\Microsoft\In
DWORD: FrameMerging
Value: 0"
Having user look for this in his registry tomorrow.
The parent browser pops up a new browser that is logging in.
So the new browser "should" be starting a new session and have the session cookie.
This "user timing out" issue has always resolved with enabling session cookies in the past.
Which of course we have tried with this user.
The fact that directly logging in works rules out the enable session cookies issue.