Genotrance

Random thoughts, ideas and experiences

Session cookies rejected by Internet Explorer

Recently, I ran into a problem with an image gallery web application I am writing in PHP. Throughout development, which was done on my Windows laptop using XAMPP, everything worked perfectly fine, both on Firefox as well as Internet Explorer.

As soon as I deployed my application on my Linux server, IE suddenly stopped accepting my session cookies. The weird thing was that Firefox continued to work perfectly fine.

Symptoms

My application makes multiple AJAX requests to render each page. Usually, a single session would get created and each subsequent request would reuse that session. Instead, each request was creating a new session. My application didn’t work at all since session variables were no longer accessible. On the server side, the PHP session directory was getting flooded with session files.

I didn’t see any cookies for my application in IE’s cache directory. For every request that IE was making, PHP was creating a new session and IE was rejecting the session cookie returned. Hence, there was no session cookie to send back to the server for the next request and PHP was assigning a new session for each request.

Considering everything worked fine on Firefox but not on IE, one would think it was some bug in my application. But it worked fine in IE when running on the Windows laptop. So there was probably nothing wrong with my application.

Possible Solutions

Google turned up a couple relevant results after a lot of searching. Here’s what I found:-

P3P issue

As per this website, IE 6 had a new feature that would reject sessions in certain circumstances unless a specific header was sent clarifying the intentions of the web application. This seemed probable so I gave it a try.

I added the following to the top of my application so that every call would return this HTTP header:-

header('P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"');

It didn’t work so it was something else.

Session IDs transported by URL

This website claimed that the latest IE update increased the security levels and that applications had no choice but to hard code the session IDs in the URLs. This can be done by enabling the following option in php.ini:-

session.use_trans_sid = 1

Of course, this meant that every URL needed to have the session ID added to it. It didn’t feel like the right option since Microsoft wouldn’t break web applications so badly. Considering how many URLs each application has and how many applications are out there, it would be prohibitive to have to change them all to include a session ID.

Timezone issue

A third website suggested that IE was calculating session cookie timeouts incorrectly such that they seemed to expire in the past. As a result, these already expired cookies were rejected immediately. For example, if the server was in Hawaii and the client in Australia and the server requested a session timeout of one hour, the timeout would have already occurred as far as the client in Australia was concerned.

Firefox didn’t have this issue since it converts both the server as well as the client time to UTC and then calculates the timeout. As interesting as this was, this didn’t seem to be the problem since both my laptop client as well as my server were in the same timezone.

Final Solution

The timezone issue did give me a hint to check the time on my client and server. My client is a Windows laptop which had the correct time and timezone thanks to being synchronized with the NTP protocol. My server on the other hand was out of sync.

The timezone was correct, but the UTC time was set to my local time instead. As a result, the server was actually six hours in the past as far as the client was concerned. A timeout of one hour would have expired in the past for an IE instance running on my client. No wonder IE was rejecting my sessions.

I ran ntpdate to fix my time and then reset my timezone using tzselect.

# ntpdate pool.ntp.org
# tzselect

I then refreshed IE which immediately started accepting the sessions. All aspects of my application started working correctly. So much for so little.

Moral of the story, use NTP to ensure that your machines have their time set correctly.
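
The check described above, as an added example that is not part of the original post: it reads the Date and Set-Cookie headers of one response and evaluates the cookie's expiry against the client clock, the way the post says IE does. The header values, the PHPSESSID value and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

def http_date(value):
    """Parse an HTTP date string; treat a missing zone as UTC."""
    dt = parsedate_to_datetime(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def diagnose(headers, client_now):
    """Compare cookie expiry against the server's and the client's clock.

    Returns (skew, findings); skew > 0 means the server clock is behind.
    Each finding is (cookie name, verdict, intended lifetime, lifetime
    left on the client clock); both lifetimes are None for cookies
    without an expires attribute.
    """
    server_now = http_date(headers["Date"])
    skew = client_now - server_now
    jar = SimpleCookie()
    jar.load(headers["Set-Cookie"])
    findings = []
    for name, morsel in jar.items():
        if not morsel["expires"]:
            findings.append((name, "no expiry set", None, None))
            continue
        expires = http_date(morsel["expires"])
        intended = expires - server_now   # what the server meant to grant
        remaining = expires - client_now  # what a client-clock browser sees
        verdict = "expired on arrival" if remaining <= timedelta(0) else "accepted"
        findings.append((name, verdict, intended, remaining))
    return skew, findings

# Constructed sample: server clock six hours behind, one-hour cookie lifetime.
CLIENT_NOW = datetime(2008, 3, 1, 18, 0, 0, tzinfo=timezone.utc)
SAMPLE_HEADERS = {
    "Date": "Sat, 01 Mar 2008 12:00:00 GMT",
    "Set-Cookie": "PHPSESSID=constructedvalue; expires=Sat, 01 Mar 2008 13:00:00 GMT; path=/",
}

if __name__ == "__main__":
    skew, findings = diagnose(SAMPLE_HEADERS, CLIENT_NOW)
    print("server clock behind client by", skew)
    for name, verdict, intended, remaining in findings:
        print(name, verdict, "intended:", intended, "remaining:", remaining)
```

A large skew together with a negative remaining lifetime points at the server clock rather than at the application.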

24 Responses

  1. Session cookies rejected by Internet Explorer…

    If anyone knows the solution to this, please post a comment! Ever since I bought my laptop Internet Explorer has been showing images really strangely. The images appear to be pixelized and blurry. Even the picture in this article shows up blurry on my …

  2. I was just researching a similar issue I had locally on my laptop, running apache and php. Every request was generating a new session file, but only in IE and not in FireFox.

    I traced the problem back to the URL used to access the site. As I develop locally I’m using non-existent URL schemes and I enter them in my hosts file manually.
    test1.loc
    test2.loc
    test_3.loc

    When using underscores, IE rejects the cookie… Just thought I’d complete your list.

    Gr,

    Ramon

  3. Fernando Margueirat says:

    Ramon

    I had a similar problem but only when the underscore was on the server name. It drove me crazy for weeks >-(.

    Fernando

  4. Tyler says:

    I had the exact problem.

    For anyone who has tried everything, one last thing that I had as an issue: suExec. Right when I disabled suExec sessions with headers on all browsers started working successfully.

    Hope this saves some people a few hours of studious research.

    Tyler

  5. Rob says:

    Many thanks Ramon, I had exactly the same issue… sessions working fine in Firefox but not at all in IE.

    I had underscores in my local development domains. As soon as I changed them to hyphens everything started working fine in IE! :-)

    One thing to note though… I’m sure IE used to work ok with underscores in the domain, I have only had this issue since I installed a Windows update about a week ago (10 Nov 07) that this problem has arisen.

    Thanks again.

  6. [...] short, and well documented on the intarwebs, is that IE6 follows the RFC for cookie expirations, and doesn’t convert them into UTC time. [...]

  7. Mike says:

    Ramon de la Fuente you have solved my problems. Just out of curiosity, how did you find this? I have been searching the web for 2 weeks and re-writing all my scripts. Going through my apache and PHP configs and error logs to attempt to find something that would give me a clue to the problem. Obviously, nothing ever turned up until I stumbled upon this gold mine of PHP session troubleshooting tips. Everyone, thank you and a special thank you to Ramon de la Fuente.

  8. Garrett Albright says:

    I was having a similar problem… It’s a shared server, so we couldn’t change the time on it, but I found calling session_cache_expire(1440) before calling session_start() fixed the problem. (1440 is the number of minutes in a day.)

  9. Garrett Albright says:

    Hmm, bit of a correction… That fixed the problem in IE 7. It looks like IE 6 still sucks… er, succeeds in not sending back the proper session data.

  10. Dave says:

    I have a similar problem, only I’m including a PHP file inside an SHTML document. Works great in FF, IE7. Even works in IE6 when using a raw PHP file, but not when it’s embedded as an SSI. I’ve tried most of the above plus several other things with no success, so if anyone has any other things to try, please share!

  11. Hendrik says:

    Thanks, saved me hours of debugging.

  12. Renan says:

    ty dude, the header information worked for me, I spent several hours trying to make IE accept the cookies, and nothing worked!
    =)
    ty

  13. Another angry developer says:

    Thanks thanks thanks for the underscore tip, I have spent 1 week trying to find out why IE was not using cookies in my website, which happened to have an underscore. It just confirms the level of sophistication IE has.

  14. I have just solved my cookie issue with IE7 and in my case, it turned out to be due to the presence of the single quote character in the cookie value.

    I hope that this will help.

    Cheers

  15. Eduardo Cavero says:

    We had the exact same problem!! The subdomain on the web server had an underscore. Our tempted solution was not to use JSP sessions (and hence, cookies) altogether, but the change would have been very difficult! After three days of searching, I stepped over this post and solved it. Very helpful indeed!!

  16. T. Koljonen says:

    I’m quite new in this PHP and sessions. Could you tell me what you mean by that “underscore” thing? Can you give an example?

    Thank you very much!

  17. Andre Hinds says:

    T.K.,

    The “underscore thing” refers to using an underscore character in the domain name, such as “www.this_thing.com”

  18. Orange Mammoth says:

    I have a win2k server running A2.2 Mysql5 PHP 5.2 with DNS as a local development system. I found the reason IE wasn’t taking the cookie in its orifice was because of the underscore in my domain name and on the DNS. Firefox doesn’t mind and has no issue.

    The neat part was I also found an error when I went to IE options and tried to enter (example test_local.com). It gave me an error “This is not a valid IDN Address” or some crap.

    Anyway big ups on you, I’ve been trying to figure it out for the last damn 8 hours among trying to set up the new PHP 5.2 Session and Cookie code!

  19. Ephdisc says:

    It looks like this can be a problem with the way IE handles “_”. We had the same problem with this on a development server “dev_version.1.1.domain”.

    Dropping the “_” ( underscore ) seems to work.

  20. Saint Tosin says:

    Hello all, I have this problem and till now it’s still persistent. I have tried all the options stated above but still IE and gchrome won’t accept my login but FF does. I am using a leased server in the USA, which means I might not be able to control these features. Any help will be appreciated.

  21. Saint Tosin says:

    Yeah, please, also talking about the underscore: the initial page that sets the cookie doesn’t have an underscore but the page that is redirected to has an underscore, in the format “www.mydomain.com/_members/”. Does this mean a thing?

  22. ma says:

    I experienced a similar issue recently with the default Session cookie.

    I was working with Blog Engine.NET, which does not use SessionState by default. I made some alterations and uploaded to a site for testing, and things were working. SessionState was only enabled for specific pages at this point.

    I then updated the web.config to have the entire site use SessionState, and then the cookies wouldn’t work at all with IE7, but they worked perfectly with Firefox.

    My fix was to just delete all temp files and cookies in IE7, and then it started working again.

  23. ma says:

    BTW, my issue above was specific to ASP.NET, but the fix may help with any other similar development issues.
