[ic] Norton BHO causing session loss

Gert van der Spoel gert at 3edge.com
Thu Mar 3 21:06:20 UTC 2011


> > > > Gert said
> > > > > IC 5.6.3:
> > > > > FullURL 1
> > > > > NoAbsolute Yes
> > > > > MaxServers 5
> > > > > PIDcheck 300
> > > > >
> > > > > Apache:
> > > > > SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
> > > > >
> > > > > NotRobotUA includes MSIE
> > > > >
> > > > > I am seeing people getting a new session ID when travelling to an SSL
> > > > > encrypted page.
> > > >
> > > > This is when they go from NonSSL to SSL for the same site?
> > >
> > > Hi Gert
> > >
> > > Are you asking if my http & https servers are the same server? Yes.
> > >
> > > > And after that? Does it keep the session ID or does it keep changing?
> > >
> > > I end up with two session ID's, one for http and one for https, and once I
> > > have them they stay the same. So when on http pages, the session ID is
> > > always 123, and when on https, it's always ABC, it doesn't keep changing
> > > each time I make the transition.
> > >
> > > > And when you start directly on SSL does it keep it or does it change?
> > >
> > > Interesting, if I arrive on the site in https, I get and keep a single
> > > session ID, so it works in that respect.
> > >
> >
> > So the problem happens the moment someone goes from HTTP to HTTPS for this
> > website (checkout pages, login pages etc) ... They start out on
> > http://www.domain.com/ ... happily going, session ID is the same, then
> > they go do something that requires SSL get directed to
> > https://www.domain.com/ ... this causes getting a new session ID, which
> > then stays the same while continuing to surf ... right?
>
> Exactly. This new https session ID stays the same only when on https
> pages, so if I go back to http pages, I get my old session ID back again,
> and if I go to https again, I get that same "new" session ID back. So it
> continues to flip flop as I move around across http/https.
>
>
> > Does the site work with cookies? Or you pass along the session ID in the
> > URLs everywhere? I assume cookies and perhaps there something goes wrong
> > when going from http to https ...
>
> The site works fine with Cookies on or off.
>
> Any idea where to concentrate?

Nope ... But to be absolutely sure regarding the cookies:

When you switch off cookies in the browser, clear them, make sure they are
really gone (remove history, cache and whatever else there is to remove to
be absolutely sure there are no cookies anymore around) and start a
completely new browser, surf to the site on http, go around and see your
session ID .. then when you go to a https page, it changes or it stays the
same?





More information about the interchange-users mailing list