Sessions don't work anymore in IE :(


Perfidus

I've been using this after database password checking for years:

session_start();
$_SESSION['user'] = session_id();

Suddenly, IE doesn't seem to admit the generated session cookie anymore and some customers are complaining.

In FF it still works fine, and it does in other browsers too, but IE is reluctant.

To make it work, I need to configure the security levels of the browser to "very low", but this didn't happen in the past.

I wonder if there is a more elegant, new, secure way to handle sessions and restricted areas.

Any tips?

I'm doing some tricks to prevent caching; I wonder if this is what's forcing IE to ignore the cookie.

Is it possible? And if it is possible, is there a way to prevent caching without getting into conflicts with cookies?

<?php
session_start();
if (!session_is_registered("user")) {
header("Location: index.php?error=GTFOOH");
exit();
}
header('Cache-Control: no-cache, no-store, must-revalidate, private');
header("Content-Location: http://lkmhghjhbh.com/some.url.that.doesnt.exist"); 
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");      
header('Expires: Sun, 01 Jul 2005 00:00:00 GMT'); 
header('Pragma: no-cache');

Also, are you using a combination of $_SESSION superglobal and session_is_registered()? From what I've read this can cause issues.

Here's the code I'm using to test:

<?php

session_start();

// Anti-caching headers under test
header('Cache-Control: no-cache, no-store, must-revalidate, private');
header("Content-Location: http://lkmhghjhbh.com/some.url.that.doesnt.exist");
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header('Expires: Sun, 01 Jul 2005 00:00:00 GMT');
header('Pragma: no-cache');

if (empty($_GET['set'])) {
    // First request: register the session variable and link to the check
    session_register('user', TRUE);
    echo '<a href="' . $_SERVER['SCRIPT_NAME'] . '?set=1">Check</a>';
} else {
    // Second request: if the cookie did not come back, nothing is registered
    if (!session_is_registered("user")) {
        header("Location: " . $_SERVER['SCRIPT_NAME']);
        exit();
    }
    echo 'Session is set';
}

?>

Also to note, there's a 99% chance of this just being IE not allowing the cookie to be received or not sending it.

This is an issue your clients will have to solve, because it's very difficult to track a session without a cookie (I personally think passing a session via uri query string to be unacceptable).
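
On the opening question about a more secure way to handle sessions and restricted areas, the following is an added example, not code from any poster in this thread. It assumes PHP 7.3 or later and an HTTPS site, and the function names `start_secure_session`, `log_in` and `require_login` are hypothetical. It keeps the session ID in a cookie only, in line with the last reply's objection to query-string session IDs.

```php
<?php
// Added example (not from the thread). Helper names are hypothetical.

function start_secure_session(): void
{
    // Cookie-only sessions: never accept or emit the session ID in the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject session IDs that the server did not issue itself.
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,       // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => true,    // assumption: the site is served over HTTPS
        'httponly' => true,    // cookie is not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function log_in(int $userId): void
{
    // Call only after the database password check has succeeded.
    session_regenerate_id(true);   // fresh ID at the privilege change (anti-fixation)
    $_SESSION['user'] = $userId;   // store the account ID, not session_id()
}

function require_login(string $loginUrl = 'index.php'): void
{
    // Replaces session_is_registered("user") with a check on $_SESSION.
    if (empty($_SESSION['user'])) {
        header('Location: ' . $loginUrl);
        exit();
    }
    // Keep restricted pages out of browser and proxy caches.
    header('Cache-Control: no-store, private');
}

// Top of every restricted page:
start_secure_session();
require_login();
echo 'Restricted content for user ' . (int) $_SESSION['user'];
```

The login script would call `start_secure_session()` and then `log_in($id)` once the password has been verified.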

This topic is now archived and is closed to further replies.