Phine Solutions web work notes

So I ran into this issue. It appears under certain set up, IE will reject a session cookie, or randomly drops them. I use PHP session to store user authentication information and some of my IE users were not very happy about not being able to log in or getting kicked out of a login session randomly.

The biggest challenge is to duplicate the issue. IE’s security and privacy settings can both affect the way it handles the cookie, and even the same settings on different PCs can have the different result. It is absolutely frustrating to have users shouting at you “This doesn’t work!” while everything works perfectly fine on my own machine.

After a lot of research I ended up completely abandon the session approach and use a database back end to handle the user authentication sessions. A regular cookie is still necessary to store a token (ex. a user id) to identify the user, but instead of using the SESSION variable, I use a database table to store the user token and the last access time. This will certainly complicate the setup – a cron job has to be installed to perform the database clean up; and the increasing the database queries – basically for each access from a “tokened” user I’ll need to update the last access time – will also add some tolls to the performance. However the payoff is also obvious. I don’t have to worry about the different IEs out there, who may behaves differently and sometimes in unexpected mysterious ways thanks to Microsoft, to reject my delicious cookies.

Just for the sake of discussion, there may be a number of reasons that cause IE to reject session cookie:

1. To many cookies from a site, or IE runs out of temporary space. There is a max number of cookies that a site can send. I think 20 is the limit. A lot of good discussions can be found on this thread.

2. IE’s P3P implementation might also have something with it. This is a good article about IE’s Eye of Sauron. There are some suggestions to bypass this by adding a P3P header, which is as simple as a line of characters to your pages. I don’t like the idea mostly because this is not the right way to fix a problem which shouldn’t exist in the first place.

3. There might be a slightly chance that your server time stamp is out of sync. For example when you set a regular cookie use something like “time() + 28400″ in your PHP code to specify the expiration time, wrong time stamp might put your cookie in the history already. This issue is a lot easier to spot since none of your sookies work, not just the session cookies.