Why does PHP not save session variables for specific users with Internet Explorer?

Question

I have a problem with a website where PHP does not save session variables for specific users with Internet Explorer. But for some other users with Internet Explorer there is no

Answer 1

I can't exactly tell you why on/after the first request, the cookie seems to get lost. (That is what I guess is going on.) And why on/after the second request is does NOT get lost.

Perhaps indeed a caching issue. Check the Developer tools, and look at what exactly is going on in the network tab. Is the first request coming in with a 200 - OK, and does the response contain a cookie header? Or is it indeed cached, as one of the comments suggested?

But in the end you should actually implement correct session id passing (read it). This is meant for people who dont want or can't handle cookies.

Basicly it means changing:

<a href="test3.php">Next</a>

into:

<a href="test3.php?<?php echo htmlspecialchars(SID); ?>">Next</a>

or:

enabling --enable-trans-sid

Now when PHP notices sessions are not passed by cookies, it will give them along in a less secure way, in the URL. Especially in this case you would need session_regenerate_id().

edit: Ow yeah, I wanted to mention it earlier, but then thought it couldn't be it. But on second thought I will still mention it! :

Cookies are domain specific by default. If the user goes to http://yourdomain.com (without www.) , and the second request goes to http://www.yourdomain.com , the cookie will not survive the domain change! Thus affecting your session.

To fix this, either set the session cookie domain, or always use the same domain (either with, or without www.)

Answer 2

I will posit this, in lieu of waiting for someone with specific knowledge of PHP's session mechanism:

I work mostly with ASP.NET, and the Session object uses a cookie to persist data across requests. If PHP works the same way, the most obvious conclusion is that the users with session issues either have cookies disabled or are using software that only allows whitelisted domains to set cookies. I will see if I can find any facts to back this theory up...

From the PHP manual (http://www.php.net/manual/en/intro.session.php):

This is either stored in a cookie on the user side or is propagated in the URL.

Answer 3

I figured out that the users that were having the problems all had Chrome Frame installed. I verified this by installing Chrome Frame on a local machine, and in this case I was able to replicate the problems.

The problems were caused by the fact that our server has Suhosin installed. The following Suhosin settings were enabled:

suhosin.session.cryptua
suhosin.cookie.cryptua

This means that the User Agent string is also a part of the identification of a user's session. Normally this is not a problem, but for users with the Chrome frame installed the User Agent string differs between the first request and the subsequent requests. After disabling these Suhosin settings there were no more problems.

Answer 4

First of all, you should verify your php.ini session configuration, especially cookie duration. Add section to your question. Install Fiddler on a client which is giving you the error and produce a full http dump of the session. This should be help you to track down the problem easily.