[ic] Sessions and secure pages without cookies.
jamie at versado.net
Mon Apr 26 17:25:07 EDT 2004
Jamie Neil wrote:
> Jamie Neil wrote:
>> We've been having intermittent reports of checkout problems in the
>> last few months (since the site started to get busy), but haven't been
>> able to pin it on anything.
>> However today I traced a particular checkout problem through the logs
>> and realised that the session id was changing as the user went from
>> the insecure pages to the secure ones. I thought I'd tested this
>> pretty thoroughly, but obviously not thoroughly enough :(
>> So I did some tests, and this is what I found:
>> 1) If cookies are enabled then everything works fine.
>> 2) If cookies are disabled then everything is ok in the normal part of
>> the site - all the URLs have session ids and the basket works fine.
>> But as soon as you enter a secure page, the session is dropped and all
>> subsequent links have a new session id.
>> 3) If you continue with this new session after the basket has been
>> dropped then the session seems to stick - entering secure pages no
>> longer drops the session id.
>> I've checked this on both our live (4.9.7) and development (5.0)
>> servers; IE6 and Mozilla; Mall No and Yes; FullUrl No and Yes; same
>> problem in all cases.
>> Our URLs are www.sitename.com for both normal and secure pages, and we
>> use Apache rewrites to map / to /cgi-bin/catalog.
>> I hope that the number of people who have cookies disabled is
>> relatively small, but I'm concerned that this may also be affecting
>> users with cookies enabled who are browsing through a proxy farm.
>> I'm going to have a go at removing the URL rewriting to see if that
>> makes a difference, but after that I'm stumped :(
> Removing the URL rewriting has no effect either.
> However when I set the catalog to WideOpen it works fine. Don't really
> feel comfortable running like that though - makes me feel exposed ;)
1) DomainTail Off and IpHead On
2) HostnameLookups On
Neither solved the problem.
Still can't understand why the session sticks the second time but not
Jamie Neil | <jamie at versado.net> | 0870 7777 454
Versado I.T. Services Ltd. | http://versado.net/ | 0845 450 1254