views:

1169

answers:

9

Hi guys,

We have a local intranet site that everyone on the network uses, maybe 5% (or even less) of the users that use the site have problems where the session isn't stored properly.

I've tried defining a path manually (C:/Coookieess) and checking to see what's going on, and whereas most users sessions are created and remain just fine, on the effected machines it seems that it either forgets the cookies are there, or it can't read them, and then goes on to create a new cookie almost every time you refresh a page.

Things to note are...

  • it only effects <5% of users

  • it only happens when using IE

  • it happens to those users regardless of what machine theyre using

  • it only happens with Windows XP or Vista - Windows 2000 works fine!

I've tried messing with the security settings in IE too, changing the cookie security to allow all cookies/sessions, but no luck on that either unfortunately :(

Any help would be amazing, really stuck on this.

Thanks!

A: 

A new cookie can get created when the site doesn't perceive one to be present or passed along from the previous request...

Is there anything about the site, your network or your clients that is causing the cookie hash to not be propagated between requests?

Use an HTTP analyzer (fiddler, nettool) to find out.

Omega
Thanks Omega! I'll look at using nettool
A: 

Just tried nettool, not really sure how to use it to track stuff using it? Fiddler works, but shows loads of HTTP requests, not sure how to display cookies? :(

Thanks

Nick
Hey, nettool has a built-in mini-proxy you can use. When you start it, it has a "TCP Tunnel" tab open for you.The premise behind this is that you will access your local computer on a specific port, and that port will be forwarded to a host of your choosing.So, for example, if you wanted to watch traffic going to google.com:Port: 80Tunnel to: google.comPort: 80What this does is set up a sniffer server on port 80 of your computer. Once you start the proxy, when you access "http://localhost:80", it will display the google site, BUT, you'll also have some feedback in nettool.
Omega
Ah that's ace, thanks Omega! I'll give that a try tomorrow :)
A: 

Not really got enough info to go on, but one thing that might be happening is that if you're storing the session in a cookie, you might have ended up with a cookie too large for IE to handle.

The definition of "Too Large" varies from browser to browser and OS to OS, though.

Aquarion
That's a good suggestion thanks, but the cookies in question are just 1kb or so, and work on most machines... tested it a lot again today, and yeah the exact same computer, the exact same version of IE6/IE7 will have different results for some users :(
+2  A: 

Just a random idea, and probably not relevant, but worth mentioning just in case - are the date and times set correctly on the computers you are having problems with?

Meep3D
Another good suggestion thanks, and yup unfortunately the time/dates match perfectly :(
A: 

any chance your internal domain has an underscore in it? i.e. http://dev_server.example.net

Usage of underscores as DNS characters is kind of hazy. FF/Safari will work just fine, but IE will fail to set a cookie if it comes from a domain with an underscore

Most public registrars will prevent you from using bad characters, but internally there's nothing stopping you.

rooskie
Hey, sorry for the stupidly late reply, but nope, no underscore unfortunately - very good shout though, and it does have a dash if that's relevant
A: 

We came across an issue a fair while ago that would appear to be the same as this - sporadic appearance, only affecting older IE users.

At the time any resources or commentary was quite hazy, so we were never fully able to diagnose the issue - the closest information we found was to do with IE not playing nice with g-zipped data.

Anyway - solution we found that fixed our issue -

  1. Manually set a content-type header through PHP, while removing the HTML declaration

header ("content-type: text/html; charset=utf-8");

  1. Set your site to send a P3P (compact security policy) header.

    See http://www.sitepoint.com/article/p3p-cookies-ie6/2/

Alex Osborn
+1  A: 

One other thing you might want to check: are they using a proxy of any sort?

One of the PHP projects I worked on seemed to have troubles with sessions when the app was run on the intranet. Turned out that all of the IE installations had been set up to run through the corporate proxy which seemed to screw up every now and again...

Narcissus
A: 

Could it be that 5% of the users have user information that, when retrieved from the cookie, disrupts the proper reading/decoding/parsing of the cookie server-side?

Donnie C
+2  A: 

I had the exact same issue and found that adding the P3P header before starting the session corrected it.

header('P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"');

session_start();

Charles
This did the trick for me, I think it has something to do with the compacy privacy policy framework.
barfoon