[ic] Netscape 4.7 and Interchange

Kyle Cook interchange-users@interchange.redhat.com
Thu Aug 9 15:03:00 2001 

At 09:06 AM 8/9/01, you wrote:
>Quoting Scott Fletcher (scott@abcoa.com):
> > Yea, I have found this similar problem with the dissappearance of hte
> > shopping cart when using some pages like checkout.   What so embarrasing is
> > that one of the employee at my company gave a demostration of the
> > Interchange software to the customer about the idea of using it for 
> shopping
> > cart.  We all noticed the disappearance of hte shopping cart and the wrong
> > webpage.  Since then, we haven't heard from the customer.  So, we're not
> > sure what is up with that.
>
>The cases where this happens are well documented, and almost always
>occur with a differing secure/non-secure domain. If you can document
>any cases where this happens with secure and non-secure hosts in the
>same domain (even the same .domain.com when the proper CookieDomain
>is set) then we will energetically fix them on a high-priority basis.
>
>Interchange doesn't support differing secure and non-secure domains.
>It is possible to make it work to a fair degree, the means to which
>do so I post on a monthly basis. But it is not supported, for it is
>too difficult to make work reliably in all situations.
>
>If someone can point me to another program which does this *without
>totally compromising user session security* then I would be happy to
>learn and implement changes.
>
>--
>Red Hat, Inc., 3005 Nichols Rd., Hamilton, OH  45013
>phone +1.513.523.7621      <mheins@redhat.com>

I don't know of a way to cover this situation in IC, but maybe
this can be handled via an outside cgi script:

basically call the cgi from within ic page(s) (before they ever get to
go to secure server) like this:

<img src="https://www.securedomain.com/cgi-bin/cookie.pl?id=[data session id]">

and have the script simply place an "IC" cookie for this secure domain
using the passed id value as the session id, then simply return a 1 pixel
clear spacer.gif

I know that this method can set a cookie for the secure domain, so
theoretically it *SHOULD* then allow the secure pages to recognize
the user when they enter.

The trick is you MUST hit this image tag at least once in navigating
the non-secure pages BEFORE hitting a secure page...

Hope someone can use this idea and let the list know if it works.


Kyle Cook