[ic] Sessions and secure pages without cookies.
jamie at versado.net
Mon Apr 26 15:49:34 EDT 2004
We've been having intermittent reports of checkout problems in the last
few months (since the site started to get busy), but haven't been able
to pin it on anything.

However today I traced a particular checkout problem through the logs
and realised that the session id was changing as the user went from the
insecure pages to the secure ones. I thought I'd tested this pretty
thoroughly, but obviously not thoroughly enough :(

So I did some tests, and this is what I found:

1) If cookies are enabled then everything works fine.

2) If cookies are disabled then everything is ok in the normal part of
the site - all the URLs have session ids and the basket works fine. But
as soon as you enter a secure page, the session is dropped and all
subsequent links have a new session id.

3) If you continue with this new session after the basket has been
dropped then the session seems to stick - entering secure pages no
longer drops the session id.

I've checked this on both our live (4.9.7) and development (5.0)
servers; IE6 and Mozilla; Mall No and Yes; FullUrl No and Yes; same
problem in all cases.

Our URLs are www.sitename.com for both normal and secure pages, and we
use Apache rewrites to map / to /cgi-bin/catalog.

I hope that the number of people who have cookies disabled is relatively
small, but I'm concerned that this may also be affecting users with
cookies enabled who are browsing through a proxy farm.

I'm going to have a go at removing the URL rewriting to see if that
makes a difference, but after that I'm stumped :(

Jamie Neil | <jamie at versado.net> | 0870 7777 454
Versado I.T. Services Ltd. | http://versado.net/ | 0845 450 1254