I'm currently running into a situation where Internet Explorer (IE) is
causing problems with setting the session id in cookies. Of course it works
just fine with Firefox.

Here's the code situation: we're being passed a user from a secondary server
(running Windows) to an authentication page that the user has no clue they
are being passed to. The page basically verifies the user and gets their
information with a token passed from the other server. Once verified, it
redirects the user to the index page using headers after a user object has
been created in a session:

<?php
/* Create the user object and check the identifiers derived from the token */
$user = new User();
if ($user->authenticate($dbh, $userID, $origCompanyID, $companyID)) {
    /* Start the session (must happen before any output is sent) */
    session_start();

    /* Save the user object */
    $_SESSION['User'] = $user;
    session_write_close();

    /* User has logged in, send them to the main page now */
    header("Location: /index.php");
    exit();
} else {
    /* Token information did not correspond to our information */
    header("Location: /loginerror.php");
    exit();
}

I've tracked down that the auth is working correctly; the problem comes into
play when the user goes to index.php, which checks to make sure the user
object has been set. There is no session information that carried over
because the cookie was not set.

The default IE browser privacy level is set to Medium (which I'm assuming is
the default since I hadn't changed it). Under this privacy level, the session
can not be set. This includes:
- Blocks third-party cookies that do not have a compact privacy policy
- Blocks third-party cookies that use personally identifiable information
without your implicit consent
- Restricts first-party cookies that use personally identifiable
information without implicit consent

Now if we change the privacy level to Low, it works correctly and the cookie
for the session is saved. Under this privacy level, the session can not be
set. This includes:
- Restricts third-party cookies that do not have a compact privacy policy
- Restricts third-party cookies that use personally identifiable information
without your implicit consent

Just curious if anybody knows how I can fix this bit of code so that I can
use cookies to store the session id, since I prefer not to place it in the
URL. I know the URL is an option though. The server this is running on is
addressed by an IP and not a hostname, so I'm not sure if that might be the
issue for storing the cookie. I'm also not sure if it's because it's
restricting first-party cookies that use personally identifiable information
without implicit consent.

Any help / information would be appreciated. Please don't respond with how
this could be made more secure by adding this and that security check,
because this is only partial code; I didn't add the additional security
checks I placed in here.

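The following is an added example, not the poster's code or a reply from the
list. It shows the two things the IE "Medium" privacy level checks before it
will keep a cookie, applied to the session flow above: a first-party, host-only
session cookie (no domain attribute, which is also the only valid choice when
the server is addressed by IP) and a P3P compact privacy policy header, which
the privacy descriptions quoted above say IE requires when it classifies the
response as third-party. The assumptions are mine: PHP 7.3 or later for the
array form of session_set_cookie_params(), a User class with authenticate() as
in the post, and the helper names startFirstPartySession(), sessionState() and
the EXAMPLE_P3P_COMPACT_POLICY constant. The policy tokens are a commonly used
example value and must be replaced by a policy that describes the site's actual
data practices.

```php
<?php
// Added example, not the original poster's code. Assumes PHP >= 7.3 and a
// User class with an authenticate() method as shown in the post.

// Example P3P compact policy tokens (CAO = contact and other data,
// PSA = pseudonymous analysis, OUR = data used only by this site).
// Replace with a policy that reflects the site's real practices.
const EXAMPLE_P3P_COMPACT_POLICY = 'CAO PSA OUR';

/**
 * Configure and start the session so IE treats the cookie as first-party.
 * Must be called before any output: the cookie and the P3P header both
 * travel in the HTTP response headers.
 */
function startFirstPartySession(): void
{
    // Host-only cookie: an empty 'domain' ties the cookie to exactly the host
    // (or IP address) the browser used. Never set a domain for an IP address.
    session_set_cookie_params([
        'lifetime' => 0,                           // discarded when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => !empty($_SERVER['HTTPS']),   // only over TLS when the site is TLS
        'httponly' => true,                        // keep the session id from page scripts
    ]);

    // Compact policy header. IE Medium drops cookies without one when it
    // classifies the response as third-party, e.g. after a redirect chain
    // that started on another host.
    header('P3P: CP="' . EXAMPLE_P3P_COMPACT_POLICY . '"');

    session_start();
}

/**
 * Diagnostic for index.php: distinguish "the browser never sent the session
 * cookie" (blocked or not stored) from "cookie arrived but no User in the
 * session" (server-side session store problem).
 * Returns 'no_cookie', 'no_user' or 'ok'.
 */
function sessionState(array $cookies, array $session): string
{
    if (!isset($cookies[session_name()])) {
        return 'no_cookie';   // cookie blocked by the browser or never set
    }
    if (!isset($session['User'])) {
        return 'no_user';     // cookie present; inspect the session save path
    }
    return 'ok';
}

// --- authentication page, mirroring the flow in the post ---
startFirstPartySession();

$user = new User();
if ($user->authenticate($dbh, $userID, $origCompanyID, $companyID)) {
    $_SESSION['User'] = $user;
    session_write_close();
    header('Location: /index.php');
    exit();
}
header('Location: /loginerror.php');
exit();

// --- index.php would then do ---
// startFirstPartySession();
// if (sessionState($_COOKIE, $_SESSION) !== 'ok') {
//     header('Location: /loginerror.php');
//     exit();
// }
```

The sessionState() check is the useful debugging step for the symptom
described: if index.php reports 'no_cookie' under the Medium level and 'ok'
under Low, the browser is discarding the cookie and the fix belongs in the
cookie attributes and the P3P header; if it reports 'no_user', the cookie is
fine and the problem is in the session store on the server.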