Genotrance

Icon

Random thoughts, ideas and experiences

Session cookies rejected by Internet Explorer

Recently, I ran into a problem with an image gallery web application I am writing in PHP. Throughout development, which was done on my Windows laptop using XAMPP, everything worked perfectly fine, both on Firefox as well as Internet Explorer.

As soon as I deployed my application on my Linux server, IE suddenly stopped accepting my session cookies. The weird thing was that Firefox continued to work perfectly fine.

Symptoms

My application makes multiple AJAX requests to render each page. Usually, a single session would get created and each subsequent request would reuse that session. Instead, each request was creating a new session. My application didn’t work at all since session variables were no longer accessible. On the server side, the PHP session directory was getting flooded with session files.

I didn’t see any cookies for my application in IE’s cache directory. For every request that IE was making, PHP was creating a new session and IE was rejecting the session cookie returned. Hence, there was no session cookie to send back to the server for the next request and PHP was assigning a new session for each request.

Considering everything worked fine on Firefox but not on IE, one would think it was some bug in my application. But it worked fine in IE when running on the Windows laptop. So there was probably nothing wrong with my application.

Possible Solutions

Google turned up a couple relevant results after a lot of searching. Here’s what I found:-

P3P issue

As per this website, IE 6 had a new feature that would reject sessions in certain circumstances unless a specific header was sent clarifying the intentions of the web appliction. This seemed probable so I gave it a try.

I added the following to the top of my application so that every call would return this HTTP header:-

header('P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"');

It didn’t work so it was something else.

Session IDs transported by URL

This website claimed that the latest IE update increased the security levels and that applications had no choice but to hard code the session IDs in the URLs. This can be done by enabling the following option in php.ini:-

session.use_trans_sid = 1

Of course, this meant that every URL needed to have the session ID added to it. It didn’t feel like the right option since Microsoft wouldn’t break web applications so badly. Considering how many URLs each application has and how many applications are out there, it would be prohibitive to have to change them all to include a session ID.

Timezone issue

A third website suggested that IE was calculating session cookie timeouts incorrectly such that they seemed to expire in the past. As a result, these already expired cookies were rejected immediately. For example, if the server was in Hawaii and the client in Australia and the server requested a session timeout of one hour, the timeout would have already occurred as far as the client in Australia was concerned.

Firefox didn’t have this issue since it converts both the server as well as the client time to UTC and then calculates the timeout. As interesting as this was, this didn’t seem as the problem since both my laptop client as well as my server were in the same timezone.

Final Solution

The timezone issue did give me a hint to check the time on my client and server. My client is a Windows laptop which had the correct time and timezone thanks to being synchronized with the NTP protocol. My server on the other hand was out of sync.

The timezone was correct, but the UTC time was set to my local time instead. As a result, the server was actually six hours in the past as far as the client was concerned. A timeout of one hour would have expired in the past for an IE instance running on my client. No wonder IE was rejecting my sessions.

I ran ntpdate to fix my time and then reset my timezone using tzselect.

# ntpdate pool.ntp.org
# tzselect

I then refreshed IE which immediately started accepting the sessions. All aspects of my application started working correctly. So much for so little.

Moral of the story, use NTP to ensure that your machines have their time set correctly.

About these ads

Filed under: Tips

67 Responses

  1. Session cookies rejected by Internet Explorer…

    If anyone knows the solution to this, please post a comment! Ever sense I bought my laptop Internet Explorer has been showing images really strangly. The images appear to be pixelized and blurry. Even the picture in this article shows upl blurry on my …

  2. I was just researching a similar issue I had locally on my laptop, running apache and php. Every request was generating a new session file, but only in IE and not in FireFox.

    I traced the problem back to the URL used to access the site. As I develop locally I’m using non-existent URL schemes and I enter them in my hosts file manually.
    test1.loc
    test2.loc
    test_3.loc

    When using underscores, IE rejects the cookie… Just thought I’d complete your list.

    Gr,

    Ramon

  3. Fernando Margueirat says:

    Ramon

    I had a similar problem but only when the underscores was on the server name. It drove me crazy for weeks >-(.

    Fernando

  4. Tyler says:

    I had the exact problem.

    For anyone who has tried everything, one last thing that I had as an issue: suExec. Right when I disabled suExec sessions with headers on all browsers started working successfully.

    Hope this saves some people a few hours of studious research.

    Tyler

  5. Rob says:

    Many thanks Ramon, I had exactly the same issue… sessions working fine in Firefox but not at all in IE.

    I had underscores in my local development domains. As soon as I changed them to hyphens everything started working fine in IE! :-)

    One thing to note though… I’m sure IE used to work ok with underscores in the domain, I have only had this issue since I installed a Windows update about a week ago (10 Nov 07) that this problem has arrisen.

    Thanks again.

  6. [...] short, and well documented on the intarwebs, is that IE6 follows the RFC for cookie expirations, and doesn’t convert them into UTC time. [...]

  7. Mike says:

    Ramon de la Fuente you have solved my problems. Just out of curiosity, how did you find this? I have been searching the web for 2 weeks and re-writing all my scripts. Going through my apache and PHP configs and error logs to attempt to find something that would give me a clue to the problem. Obviously, nothing ever turned up until I stumbled upon this gold mine of PHP session troubleshooting tips. Everyone, thank you and a special thank you to Ramon de la Fuente.

  8. Garrett Albright says:

    I was having a similar problem… It’s a shard server, so we couldn’t change the time on it, but I found calling session_cache_expire(1440) before calling session_start() fixed the problem. (1440 is the number of minutes in a day.)

  9. Garrett Albright says:

    Hmm, bit of a correction… That fixed the problem in IE 7. It looks like IE 6 still sucks… er, succeeds in not sending back the proper session data.

  10. Dave says:

    I have a similar problem, only Im including a php file inside an SHTML document. Works great in FF, IE7. Even woirks in IE6 when using a raw PHP file, but not when its embedded as an SSI. Ive tried most of the above plus several other things with no success, so if anyone has any other things to try, please share!

  11. Hendrik says:

    Thanks, saved me hours of debugging.

  12. Renan says:

    ty dude, the header information worked to me, i was spend several hours tryng to make the IE acept the cookies, and nothing work!
    =)
    ty

  13. Another angry developer says:

    Thanks thanks thanks for the underscore tip, I have spent 1 week trying to find out why IE was not using cookies in my website, which happened to have an underscore. It just confirms the level of sophistication IE has.

  14. I have just solved my cookie issue with IE7 and in my case, it turned out to be due to the presence of the single quote charactere in the cookie value.

    I hope tha this will help.

    Cheer

  15. Eduardo Cavero says:

    We had the exact same problem!! The subdomain on the web server had an underscore. Our tempted solution was not to use JSP sessions (and hence, cookies) altogether, but the change would have been very difficult! After three days of searching, I stept over this post and solved it. Very helpful indeed!!

  16. T. Koljonen says:

    I’m quite new in this PHP and sessions. Could you tell me what do you mean with thta “underscore” thing? Can you give example?

    Thank you very much!

  17. Andre Hinds says:

    T.K.,

    The “underscore thing” refers to using an underscore character in the domain name, such as “www.this_thing.com”

  18. Orange Mammoth says:

    I have a win2k server running A2.2 Mysql5 PHP 5.2 with DNS as a local development system. I found the reason IE wasnt taking the cookie in its orifice was because of the underscore in my domain name and on the DNS. Firefox doesnt mind and has no issue.

    The neat part was I also found an error when i went to IE options and tried to enter (example test_local.com). It gave me an error “This is not a valid IDN Address” or some crap.

    Anyway big ups on you ive been trying to figure it out for the last damn 8 hours among trying to set up the new PHP 5.2 Session and Cookie code!

  19. Ephdisc says:

    It looks like this can be a problem with the way IE handles “_”. We had the same problem with this on a development server “dev_version.1.1.domain”.

    Dropping the “_” ( underscore ) seems to work.

  20. Saint Tosin says:

    Hello all, i have this problem and till now its still persistent. i have tried all the options stated above but still IE and gchrome wont accept my login but FF does. i am using a lease server in usa, which means i mite not b able to control these features. any help will be appreciated.

  21. Saint Tosin says:

    yeah pls also talking about the underscore, the initial page that sets d cookie doesnt have underscore but the page that is redirected to has an underscore, in the format “www.mydomain.com/_members/”, does this mean a thing?

  22. ma says:

    I experienced a similar issue recently with the default Session cookie.

    I was working with Blog Engine.NET, which does not use SessionState by default. I made some alterations and uploaded to a site for testing, and things were working. SessionState was only enabled for specific pages at this point.

    I then updated the web.config to have the entire site use SessionState, and then the cookies wouldn’t work at all with IE7, but they worked perfectly with Firefox.

    My fix was to just delete all temp files and cookies in IE7, and then it started working again.

  23. ma says:

    BTW, my issue above was specific to ASP.NET, but the fix may help with any other similar development issues.

  24. Shay says:

    2.5 hours of trying to figure this out. Then I was sent this article. 5 minutes later someone pointed out that _ is not an allowed character in domains.

    http://www.faqs.org/rfcs/rfc1035.html

    “The labels must follow the rules for ARPANET host names. They must start with a letter, end with a letter or digit, and have as interior
    characters only letters, digits, and hyphen. There are also some restrictions on the length. Labels must be 63 characters or less.”

  25. Hey, you saved my life! Finally I can stop changing my source over and over and just set the right time on the server^^

    Thank you a lot!

    Remo

  26. Snevi says:

    This issue is amazing… half an evening expend in this.
    Thanks IE (sarcasm and a little hate)
    And Thank U Guys (real appreciation) :D
    The underscore thing was the problem. But in any case the time tip is important to be aware.

  27. Mikey says:

    Haven’t checked IE6 but removing the underscores from my sessions has fixed IE7.

    Thank you very much to the posts in the this thread that suggested doing this.

    Very happy chappy!

  28. Jim says:

    SOLUCIONADO:
    SOLVED:

    Es SIMPLE, Cuando declaren la cookie y escriben en el EXPIRE: time()+60*60*24*30, cambien los 60’s por 120 asi: time()+120*120*24*30. A m’i me funcion’o a la perfeccion.

    Its simple, when you declare the cookie, at the expire time “time()+60*60*24*30″, change los 60’s by 120 so: time()+120*120*24*30. It worked for me.

  29. Richard says:

    I tried all the solutions above without success.
    dont know where else to go.

  30. Teye Heimans says:

    I also experienced some session problems. I my case it was a file named “boxsizing.htc” which did not exist and somehow expired the session in internet explorer??? After fixing that problem, the session problems where over.

    I found a great free tool named “fiddler” which allows you to see the headers of the request and response of the server. This tool helped me solving the problem.

  31. Sashi says:

    Try to change the IE privacy settings and it worked for me. Always allow session cookies.

  32. Les says:

    I only noticed a problem after an update to IE8 currently there is no problem however switch to (wtf? – who dreams this sh*t up?) compatability mode just throws everything.

    Changing the settings has no effect in this (wtf?) compatability mode so I guess Microsoft just like to screw us developers over because we like Firefox more than their (honking) browser?

    I bet you that is the reason :(

  33. IE 6 has got so may problems that it just pisses off. It is a total hell to use IE 6 nowadays.

  34. Misko says:

    Thanks mate, you save me a lot of hassle!!! my local virtual machine’s date was 3 days late..

    thanks a ton!

    m.

  35. pradeep says:

    We are having a similar issue where multiple iframes are involved. After logging in only one of the iframe gets the session and other iframe does not get session. All requests are considered new and new sessions get created.

    Instead if load the iframe seperately in a new tab than from an iframe and then proceed, everything works fine even from the application.
    That means now all requests originating from the browser are attached to a particular session in browser.

    Any clues??

  36. Saugata Roy says:

    Thanks a million times over. I was struggling with the authentication mechanism of a website for the last few days. IE was inexplicably logging out users automatically. After reading your post I checked the server time. Turns out the server time was not in sync. Temporary workaround was to increase the cookie expiry time by a few hours.

  37. Why internet explore rejected cookies.and i don.t like IE7.They don’t much faster as compare to chrome.

  38. pmb says:

    Thanks a lot !!!! This “underscore” bug drives me crazy. Your the only reference of that problem i have found so far.

    What a relief.
    Thank you, merci, domo aligato, gracias …….

  39. [...] aber im Internet Explorer nicht. Ich schließe daraus, dass es ein Problem mit dem Cookie gibt. Hier ist die Symptomatik ziemlich exakt beschrieben, aber ich versteh den Lösungsansatz nicht. Ist das [...]

  40. ManOwaR says:

    It was a problem with the way IE handles “_”. Eliminating
    the “_” ( underscore ) finally helped.

  41. encanodon says:

    I have the same problem and it’s SOLVED now.

    Reference: http://www.dmitri.me/blog/ie-session-bug-is-solved/

    The blank or empty attribute’s values of any IMG tags cause the problem.
    For me, I used JavaScript to change IMG object’s source to an empty value.
    Doing that could also make the problem.

  42. Wil Welsh says:

    Asp.net server machine created on VMware Labmanager was rejecting ie8 cookie. Labmanager allows creation of an underscore in the machine name, which triggers IE8 security policy.

  43. daniel says:

    I’ve got the similar problem – captcha code stored in session variable was allways different in captcha image (a script generating picture) and in main page. But only in IE. In other browsers (FF, Chrome, … ) everything was fine.

    The reason was a facebook like button inserted via FBML – this technology causes page reload – it means captcha reload.

  44. [...] I decided to give my faith to the lord, Google. After some search queries I found an intresting blog post with the topic “Session cookies rejected by Internet Explorer”. A comment by [...]

  45. nyo says:

    I also had IE 6 problem for session, It was cold with
    ob_start();
    //script here
    ob_end_flush();

  46. Thank you!!!! For sharing this. So obscure :)

  47. I am happy to find this post very useful for me, as it contains lot of information. I always prefer to read the quality content and this thing I found in you post,Thanks for sharing.

  48. brynner says:

    Thank You Very Much! It works on IE8.

    header(‘P3P: CP=”IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT”‘);

  49. Courses says:

    What’s up, I log on to your blogs daily. Your story-telling style is witty, keep up the good work!

  50. Carlos says:

    thanks so much. you save my time

  51. IVG says:

    The underscore in subdomain is still an issue with IE 9 and its 2013 now. Insane

  52. VectraSoft says:

    Worth reading this thanks…:)

  53. Very useful ideas you have shared here. Amazing! I appreciate that. Thanks for sharing this incredible stuff

  54. Joni says:

    Thanks a lot,I was facing issue since 2 days and finally your code resolved this. You are genius man.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Twitter Updates

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: