[ic] Sessions and secure pages without cookies.

Jamie Neil jamie at versado.net
Mon Apr 26 15:49:34 EDT 2004


We've been having intermittent reports of checkout problems in the last 
few months (since the site started to get busy), but haven't been able 
to pin it on anything.

However today I traced a particular checkout problem through the logs 
and realised that the session id was changing as the user went from the 
insecure pages to the secure ones. I thought I'd tested this pretty 
thoroughly, but obviously not thoroughly enough :(

So I did some tests, and this is what I found:

1) If cookies are enabled then everything works fine.

2) If cookies are disabled then everything is ok in the normal part of 
the site - all the URLs have session ids and the basket works fine. But 
as soon as you enter a secure page, the session is dropped and all 
subsequent links have a new session id.

3) If you continue with this new session after the basket has been 
dropped then the session seems to stick - entering secure pages no 
longer drops the session id.

I've checked this on both our live (4.9.7) and development (5.0) 
servers; IE6 and Mozilla; Mall No and Yes; FullUrl No and Yes; same 
problem in all cases.

Our URLs are www.sitename.com for both normal and secure pages, and we 
use Apache rewrites to map / to /cgi-bin/catalog.

I hope that the number of people who have cookies disabled is relatively 
small, but I'm concerned that this may also be affecting users with 
cookies enabled who are browsing through a proxy farm.

I'm going to have a go at removing the URL rewriting to see if that 
makes a difference, but after that I'm stumped :(

-- 
Jamie Neil | <jamie at versado.net> | 0870 7777 454
Versado I.T. Services Ltd. | http://versado.net/ | 0845 450 1254
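
The log trace described in the message above can be automated. The following is an added example, not part of the original post and not Interchange code: it flags requests where a client's URL session id changes as it moves from the plain HTTP port to the HTTPS port. The log format, the parameter name `id`, the paths and the sample lines are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed Apache LogFormat: "%h %p %t \"%r\"" (client, server port, time, request).
LINE = re.compile(r'^(\S+) (\d+) \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*"$')
SESSION_PARAM = "id"  # assumption: URL parameter that carries the session id

# Constructed sample: the first client loses its session on entering the
# secure page, then keeps the new one; the second client is unaffected.
SAMPLE_LOG = """\
192.0.2.10 80 [26/Apr/2004:15:01:02 +0100] "GET /index.html?id=aaa111 HTTP/1.1"
192.0.2.10 80 [26/Apr/2004:15:01:40 +0100] "GET /basket.html?id=aaa111 HTTP/1.1"
192.0.2.10 443 [26/Apr/2004:15:02:10 +0100] "GET /checkout.html?id=bbb222 HTTP/1.1"
192.0.2.10 80 [26/Apr/2004:15:03:00 +0100] "GET /index.html?id=bbb222 HTTP/1.1"
192.0.2.10 443 [26/Apr/2004:15:03:30 +0100] "GET /checkout.html?id=bbb222 HTTP/1.1"
192.0.2.20 80 [26/Apr/2004:15:04:00 +0100] "GET /basket.html?id=ccc333 HTTP/1.1"
192.0.2.20 443 [26/Apr/2004:15:04:20 +0100] "GET /checkout.html?id=ccc333 HTTP/1.1"
"""

def session_changes(log_text, param=SESSION_PARAM):
    """Return (client, time, old_id, new_id) for every request on port 443
    whose session id differs from the one the same client last used on port 80.
    Clients are keyed on address, so users behind a rotating proxy farm
    are not followed across address changes."""
    last = {}       # client address -> (port, session id) of previous request
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue                      # skip lines in another format
        client, port, when, target = m.groups()
        ids = parse_qs(urlsplit(target).query).get(param)
        if not ids:
            continue                      # no session id in the URL (cookie in use)
        sid = ids[0]
        prev = last.get(client)
        if prev and prev[0] == "80" and port == "443" and prev[1] != sid:
            findings.append((client, when, prev[1], sid))
        last[client] = (port, sid)
    return findings

if __name__ == "__main__":
    for client, when, old, new in session_changes(SAMPLE_LOG):
        print(f"{when} {client}: session {old} replaced by {new} on entering HTTPS")
```
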

