Having problems with sessions and security

11/09/2009 7:29 am | #1 David CHnet.com

My site seems to be having a crisis with sessions -

Test PC 1

IE 8 - WA search not working unless Tools / Options / Privacy / Advanced is all switched ON to allow sessions.

Chrome - all working at all times

Firefox - is set to allow all cookies and never works

Test PC 2

IE 8 - WA search not working unless Tools / Options / Privacy / Advanced is all switched ON to allow sessions.

Chrome - never working and all options are set the same as PC 1.

Firefox - is set to allow all cookies and never works

----------------
Bizzare, and I can't get to the bottom of it.

Any thoughts anyone?
Thanks

11/09/2009 5:15 pm | #2 Eric Mittman

Based on the mixed results from different browsers using similar settings I'm wondering if you have some security software in place that may be preventing the session cookies from being written. Do you have any tools installed that may be dealing with browser security?

In FireFox you can view cookies that have been set from options > privacy > delete individual cookies. In here you should be able to find the host and take a look for the cookie, there should be a PHPSESSID cookie that has a value. Other than this identifier the other session values should be stored server side.

11/10/2009 7:09 am | #3 David CHnet.com

More digging

Thanks Eric.

Well, I have made some progress. The problem seems to be associated with Firefox and how it handles session, and especially serverside includes. I will post the solution here when I find it ...

I've spent 3 days chasing this so far.

David :rolleyes:

11/10/2009 1:25 pm | #4 David CHnet.com

Firefox

What I've discovered on my walkabout around the net about Firefox is that it's quite fussy in the way that it handles sessions, and especially so when handling inlcudes ...

My setup is like this ...

Homepage

index.php
includes inner1.php
has link to Search page
no session is set

Search page

index3.php
includes inner303.php
has a form
no session is set

Results page

index3.php
includes inner70.php
POST vars read into homemade search toolbar at top of inner70.php
uses WA Data Assist Search to return the data in the results window
session is set if not exist (in WA code) and left open

Detail page

index3.php
includes inner71.php
POST vars read into homemade search toolbar at top of inner71.php
WA Search code duplicated into this page
session remains open

Everything works beautifully in IE / Chrome / Safari, but not in Firefox.

Q1. Where should I open the session? Frontpage? Index3? Inner70?
Q2. Should I close the session and recreate at every press of the Search button? What is best practice?
Q3. Part of the site is behind a member login, so I need to keep the session open for that, don't I?
Q4. Has anyone else experienced any problems with Firefox?

I'd love to post the code or invite someone in, but can't do that publicly, sorry :(

Thanks a squillion for taking the to help me out :-)

David

11/10/2009 1:33 pm | #5 David CHnet.com

double password request

Oops, one final detail ...

The site (in development) is hosted so is protected at root (only) using htaccess.

On IE, Chrome, Safari, I am only asked once for the password.

In Firefox I am asked twice.

And then my screen smirked at me and said "go figure" and I responded by smashing it with a sledgehammer. Ok, it didn't, and I didn't, but WTH is going on here I don't know ... :eek: :cool:

11/10/2009 3:42 pm | #6 David CHnet.com

Double Doh!

Unbeliveable ...

Firefox problem .. I wasn't using the full www.domain.com URL only "domain.com" as I habitually do, and Firefox doesn't like that.

latest-firefox-update-changes-how-php-sessions-are-handled/

And this was compounded by the fact that I ionly just discovered that the WA file HelperPHP.php has these lines at the top ...

if(!session_id()){
session_start();
}

Nice of this file to create the session for me! No wonder I didn't feel in control of my sessions :-)

I just wonder why the code created by the WA Data Assist Search Wizard ALSO includes this, which (quite rightly?) led me to believe that was where it was controlled from ...

Doh, 3 days down the drain for a quirky browser and some tim spend digging in code that should be transparent to me. And the lesson is ... employ someone else to do this for me next time LOL

11/10/2009 3:58 pm | #7 David CHnet.com

Curing Firefox

Whacking this in the htaccess file cures the problem with the incomplete URL, and now my site is working in all browsers.

# mod_rewrite in use
Options +FollowSymlinks
RewriteEngine On
RewriteCond %{http_host} ^domain.com [NC]
RewriteRule ^(.*)$ http://www.domain.com/$1 [R=301,L]

Yes, I know you can find this all over the net already, but until now I didn't need to use it and perhaps the same will be true for someone else.

Over and out ;)

Technical Support Forums

Free, outstanding support from WebAssist and your colleagues

Having problems with sessions and security

11/09/2009 7:29 am | #1 David CHnet.com