Having problems with sessions and security

My site seems to be having a crisis with sessions -

Test PC 1

IE 8 - WA search not working unless Tools / Options / Privacy / Advanced is all switched ON to allow sessions.

Chrome - all working at all times

Firefox - is set to allow all cookies and never works

Test PC 2

IE 8 - WA search not working unless Tools / Options / Privacy / Advanced is all switched ON to allow sessions.

Chrome - never working and all options are set the same as PC 1.

Firefox - is set to allow all cookies and never works

----------------
Bizzare, and I can't get to the bottom of it.

Any thoughts anyone?
Thanks

Based on the mixed results from different browsers using similar settings I'm wondering if you have some security software in place that may be preventing the session cookies from being written. Do you have any tools installed that may be dealing with browser security?

In FireFox you can view cookies that have been set from options > privacy > delete individual cookies. In here you should be able to find the host and take a look for the cookie, there should be a PHPSESSID cookie that has a value. Other than this identifier the other session values should be stored server side.

Thanks Eric.

Well, I have made some progress. The problem seems to be associated with Firefox and how it handles session, and especially serverside includes. I will post the solution here when I find it ...

I've spent 3 days chasing this so far.

David :rolleyes:

What I've discovered on my walkabout around the net about Firefox is that it's quite fussy in the way that it handles sessions, and especially so when handling inlcudes ...

My setup is like this ...

Homepage

• index.php
  
• includes inner1.php
  
• has link to Search page
  
• no session is set

Search page

• index3.php
  
• includes inner303.php
  
• has a form
  
• no session is set

Results page

• index3.php
  
• includes inner70.php
  
• POST vars read into homemade search toolbar at top of inner70.php
  
• uses WA Data Assist Search to return the data in the results window
  
• session is set if not exist (in WA code) and left open

Detail page

• index3.php
  
• includes inner71.php
  
• POST vars read into homemade search toolbar at top of inner71.php
  
• WA Search code duplicated into this page
  
• session remains open

Everything works beautifully in IE / Chrome / Safari, but not in Firefox.

Q1. Where should I open the session? Frontpage? Index3? Inner70?
Q2. Should I close the session and recreate at every press of the Search button? What is best practice?
Q3. Part of the site is behind a member login, so I need to keep the session open for that, don't I?
Q4. Has anyone else experienced any problems with Firefox?

I'd love to post the code or invite someone in, but can't do that publicly, sorry :(

Thanks a squillion for taking the to help me out :-)

David

Oops, one final detail ...

The site (in development) is hosted so is protected at root (only) using htaccess.

On IE, Chrome, Safari, I am only asked once for the password.

In Firefox I am asked twice.

And then my screen smirked at me and said "go figure" and I responded by smashing it with a sledgehammer. Ok, it didn't, and I didn't, but WTH is going on here I don't know ... :eek: :cool:

Unbeliveable ...

Firefox problem .. I wasn't using the full www.domain.com URL only "domain.com" as I habitually do, and Firefox doesn't like that.

latest-firefox-update-changes-how-php-sessions-are-handled/

And this was compounded by the fact that I ionly just discovered that the WA file HelperPHP.php has these lines at the top ...

if(!session_id()){
session_start();
}

Nice of this file to create the session for me! No wonder I didn't feel in control of my sessions :-)

I just wonder why the code created by the WA Data Assist Search Wizard ALSO includes this, which (quite rightly?) led me to believe that was where it was controlled from ...

Doh, 3 days down the drain for a quirky browser and some tim spend digging in code that should be transparent to me. And the lesson is ... employ someone else to do this for me next time LOL

Whacking this in the htaccess file cures the problem with the incomplete URL, and now my site is working in all browsers.

# mod_rewrite in use
Options +FollowSymlinks
RewriteEngine On
RewriteCond %{http_host} ^domain.com [NC]
RewriteRule ^(.*)$ http://www.domain.com/$1 [R=301,L]

Yes, I know you can find this all over the net already, but until now I didn't need to use it and perhaps the same will be true for someone else.

Over and out ;)