tags:

views:

208

answers:

5
+1  Q: 

Why would cookies be vanishing in IE6/8, and what can I do about it?

I have a login setup on a site that stores login information in PHP's $_SESSION, and additionally sets a two-week cookie with login information if a checkbox is checked. The user is considered logged in if valid login information is either submitted by POST or either cookie is true.

The behavior on FF3/Chrome is as intended, at least with the "Remember me" checkbox checked: log in anywhere and everywhere on the site you are treated as being logged in.

However, someone working with IE6 said that she logged on one place, clicked around on links to other sections of the site, and was asked to log in again. I ran into some trouble with my (Multiple IE) IE6, but I reproduced similar behavior on IE8, including setting Advanced Privacy Settings->Always allow session cookies, and otherwise set cookie permissions to be as tolerant as I could. The behavior was identical: log in one place in a way that should set both _SESSION and the two-week cookie, click on links to another pages, and the page presents you with a login screen because it doesn't recognize you as logged in. PHP is 5.2.8 on a Gentoo server.

Any suggestions or resources to getting recognized cookies?

--

[Added after checking on traffic with Fiddler:]

Thank you; I have downloaded Fiddler 2.

Fiddler is reporting Set-Cookie: [name]=deleted... on the logouts in question. I'm presently puzzled as to why. The included file that checks and displays a login screen only has one area where it can delete the relevant cookies, inside a conditional if $_GET['logout'] is set. I didn't see that happening, and when I put an error_log() statement inside the conditional before the statements to delete cookies, no additional messages appear to be being logged.

+3  A: 

Couple of suggestions

  • Try using Fiddler or similar to examine the HTTP requests and responses to see the cookies being sent and transmitted. This provide more insight into what is going wrong
  • Try having your app output a P3P header, e.g. header('P3P: CP="CAO PSA OUR"');
Paul Dixon  2009-06-29 20:14:36
esp. look what has changed between "it's working" and "you're not logged in". What cookies did the client receive in the last response and what cookies is it sending. Fiddler is an excellent tool for that.
VolkerK  2009-06-29 20:25:03
I'd welcome any comments on what I've found with Fiddler ("Set-Cookie: login=deleted...") at places I can't find anything like cookie expiration in the PHP.
JonathanHayward  2009-06-30 20:55:55
+1  A: 

You'll need to be more specific. Find out exactly how you can replicate this behaviour on both browsers, and you've found your bug. For instance, there might be one or two pages where you're failing to call session_start().

It's important to remember that, if your particular $_SESSION variable is not being seen, and causing a redirect to your login, it's most probably part of your system that is broken.

karim79  2009-06-29 20:18:00
+2  A: 

One thing that's kinda subtle that may jump out and bite you is that IE doesn't allow domain names with underscores (ie: developer_1_test.example.com) while other browsers let you get away with this. You're not v.likely to do this in production but it's an easy oversight to make in a development environment where you're setting up a bunch of vhosts for different developers/code branches/etc.

Sean McSomething  2009-06-29 20:54:43
+1  A: 

The first thing I check when this happens is that the domain parameter for the setcookie() function is set properly.

I've seen instances where the cookie domain is set to 'example.com' but the site is being accessed via 'www.example.com'.

For example if you logged into the page at example.com, then clicked a link that took you to a page on www.example.com, you would no longer be logged in.

The workaround is to either make sure all your internal linking is consistent or that you set your cookie with '.example.com' which will enable the cookie for all subdomains.

cOle2  2009-06-29 21:07:45
+1  A: 

What I eventually found was as follows: Firefox and IE were behaving differently because they were treating caching differently when a missing document was within the 14 day Expires: headers that had been set.

Firefox was apparently checking once for missing data, and then not requesting it again.

IE, on the other hand, kept on checking for an item a stylesheet gave the wrong path for, got 404 pages, and the custom 404 page did a boilerplate invitation to log in that triggered the user being logged out (perhaps not the best boilerplate). I guess the stylesheet was cached, but IE kept on asking for items that were missing.

So it was caching differences plus indirect inclusion plus 404 page behavior.

JonathanHayward  2009-07-02 21:36:20

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases