[ic] Sessions and secure pages without cookies.

[Jamie Neil]

Jamie Neil wrote:

> We've been having intermittent reports of checkout problems in the last 
> few months (since the site started to get busy), but haven't been able 
> to pin it on anything.
> 
> However today I traced a particular checkout problem through the logs 
> and realised that the session id was changing as the user went from the 
> insecure pages to the secure ones. I thought I'd tested this pretty 
> thoroughly, but obviously not thoroughly enough :(
> 
> So I did some tests, and this is what I found:
> 
> 1) If cookies are enabled then everything works fine.
> 
> 2) If cookies are disabled then everything is ok in the normal part of 
> the site - all the URLs have session ids and the basket works fine. But 
> as soon as you enter a secure page, the session is dropped and all 
> subsequent links have a new session id.
> 
> 3) If you continue with this new session after the basket has been 
> dropped then the session seems to stick - entering secure pages no 
> longer drops the session id.
> 
> I've checked this on both our live (4.9.7) and development (5.0) 
> servers; IE6 and Mozilla; Mall No and Yes; FullUrl No and Yes; same 
> problem in all cases.
> 
> Our URLs are www.sitename.com for both normal and secure pages, and we 
> use Apache rewrites to map / to /cgi-bin/catalog.
> 
> I hope that the number of people who have cookies disabled is relatively 
> small, but I'm concerned that this is may also be affecting users with 
> cookies enabled who are browsing through a proxy farm.
> 
> I'm going to have a go at removing the URL rewriting to see if that 
> makes a difference, but after that I'm stumped :(

Removing the URL rewriting has no effect either.

However when I set the catalog to WideOpen it works fine. Don't really 
feel comfortable running like that though - makes me feel exposed ;)

-- 
Jamie Neil | <jamie at versado.net> | 0870 7777 454
Versado I.T. Services Ltd. | http://versado.net/ | 0845 450 1254