[ic] Sessions and secure pages without cookies.
jamie at versado.net
Mon Apr 26 16:08:37 EDT 2004
Jamie Neil wrote:
> We've been having intermittent reports of checkout problems in the last
> few months (since the site started to get busy), but haven't been able
> to pin it on anything.
> However today I traced a particular checkout problem through the logs
> and realised that the session id was changing as the user went from the
> insecure pages to the secure ones. I thought I'd tested this pretty
> thoroughly, but obviously not thoroughly enough :(
> So I did some tests, and this is what I found:
> 1) If cookies are enabled then everything works fine.
> 2) If cookies are disabled then everything is ok in the normal part of
> the site - all the URLs have session ids and the basket works fine. But
> as soon as you enter a secure page, the session is dropped and all
> subsequent links have a new session id.
> 3) If you continue with this new session after the basket has been
> dropped then the session seems to stick - entering secure pages no
> longer drops the session id.
> I've checked this on both our live (4.9.7) and development (5.0)
> servers; IE6 and Mozilla; Mall No and Yes; FullUrl No and Yes; same
> problem in all cases.
> Our URLs are www.sitename.com for both normal and secure pages, and we
> use Apache rewrites to map / to /cgi-bin/catalog.
> I hope that the number of people who have cookies disabled is relatively
> small, but I'm concerned that this may also be affecting users with
> cookies enabled who are browsing through a proxy farm.
> I'm going to have a go at removing the URL rewriting to see if that
> makes a difference, but after that I'm stumped :(
Removing the URL rewriting has no effect either.
However when I set the catalog to WideOpen it works fine. Don't really
feel comfortable running like that though - makes me feel exposed ;)
Jamie Neil | <jamie at versado.net> | 0870 7777 454
Versado I.T. Services Ltd. | http://versado.net/ | 0845 450 1254