[ic] Sessions and secure pages without cookies.

Jamie Neil jamie at versado.net
Mon Apr 26 17:25:07 EDT 2004


Jamie Neil wrote:

> Jamie Neil wrote:
> 
>> We've been having intermittent reports of checkout problems in the 
>> last few months (since the site started to get busy), but haven't been 
>> able to pin it on anything.
>>
>> However today I traced a particular checkout problem through the logs 
>> and realised that the session id was changing as the user went from 
>> the insecure pages to the secure ones. I thought I'd tested this 
>> pretty thoroughly, but obviously not thoroughly enough :(
>>
>> So I did some tests, and this is what I found:
>>
>> 1) If cookies are enabled then everything works fine.
>>
>> 2) If cookies are disabled then everything is ok in the normal part of 
>> the site - all the URLs have session ids and the basket works fine. 
>> But as soon as you enter a secure page, the session is dropped and all 
>> subsequent links have a new session id.
>>
>> 3) If you continue with this new session after the basket has been 
>> dropped then the session seems to stick - entering secure pages no 
>> longer drops the session id.
>>
>> I've checked this on both our live (4.9.7) and development (5.0) 
>> servers; IE6 and Mozilla; Mall No and Yes; FullUrl No and Yes; same 
>> problem in all cases.
>>
>> Our URLs are www.sitename.com for both normal and secure pages, and we 
>> use Apache rewrites to map / to /cgi-bin/catalog.
>>
>> I hope that the number of people who have cookies disabled is 
>> relatively small, but I'm concerned that this may also be affecting 
>> users with cookies enabled who are browsing through a proxy farm.
>>
>> I'm going to have a go at removing the URL rewriting to see if that 
>> makes a difference, but after that I'm stumped :(
> 
> 
> Removing the URL rewriting has no effect either.
> 
> However when I set the catalog to WideOpen it works fine. Don't really 
> feel comfortable running like that though - makes me feel exposed ;)
> 

Also tried:

1) DomainTail Off and IpHead On

2) HostnameLookups On

Neither solved the problem.

Still can't understand why the session sticks the second time but not 
the first.

-- 
Jamie Neil | <jamie at versado.net> | 0870 7777 454
Versado I.T. Services Ltd. | http://versado.net/ | 0845 450 1254


More information about the interchange-users mailing list