Forum OpenACS Development: Cookie problems in IE on very old version of OACS
I moved a very old 3.x based site from an old Linux server to a new one. This involved upgrading a number of things, including AOLserver (because I couldn't get the old version to build, and it didn't seem worth the effort to try). I thought everything was working fine until we discovered that IE users can't log in. No problem for Safari or Firefox, just IE.
I traced it down to the ad_session_id cookie. If one is using a sane browser, the cookie is written like so:
24698311,8645,aWDAN94COzn2OJxUFsMysXGu8EwX0FLr,1253291978; Path=/; Max-Age=86400
and read back as
However, if one is using the devil's browser :), it gets written properly:
24700551,8645,izOJSRoH5HeejpBwNjQm7Y1BugyQSaJk,1253291697; Path=/; Max-Age=86400
but reads back like this:
Two things have changed - the user_id is now zero, and the last_issue timestamp has increased.
I know this looks like it is being written again somewhere else, but I've examined every instance of ad_session_id everywhere in the code (it only appears in tcl/ad-security.tcl) and put an ns_log statement in ad_set_cookie and there is no sign of it being set again. I have read it back right after setting and it is correct at that point.
It really makes no sense; it looks like there must be some code rewriting the cookie that I have not found, but how could that possibly happen only for Internet Explorer???
Has anyone run into anything like this? I have Googled, but nothing even remotely similar is coming up.
I have IE 7; the client says they have also verified it happens with IE 8.
If I know what version of OpenACS you're running, I might be able to track down whether or not that version includes the case, and if not, perhaps a fix.
I don't seem to have ad_verify_signature. What file is it supposed to be in?
What happens is that the user goes to ecommerce/checkout.tcl, and ad_verify_and_get_user_id sends them off to log in. The ad_session_id cookie is written properly at this point (I have read it back and verified that it is correct). Then they go back to checkout.tcl, which calls ad_verify_and_get_user_id which should succeed this time, but does not because when that cookie is read back in this time, the user_id is set to zero as you can see in my original post (it is the second field, delimited by commas).
It seems logical that something else is messing with it in the meantime, but I cannot figure out where that's happening.
I have grepped the code for IE-specific stuff but didn't find anything cookie-related. If you know of something, please let me know.
Dave's suggestion of watching the HTTP traffic is probably my best bet at this point.
Thanks guys - if you come up with anything else, I'm all ears (eyes? :).
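One way to act on the "watch the HTTP traffic" suggestion, as an added example that is not part of the original thread or of the OpenACS code: a small Python script that walks captured header lines and reports whether a changed ad_session_id came from a second Set-Cookie by the server or from the browser sending back something other than what it was given. The field names session_id and token, the function names and the capture itself are assumptions; only user_id (second field), last_issue and the first cookie value come from the posts above.

```python
import re

# Field order of the comma-delimited value. user_id and last_issue are named
# in the thread; session_id and token are assumed names for fields 1 and 3.
FIELDS = ("session_id", "user_id", "token", "last_issue")
COOKIE_RE = re.compile(r"^(Set-Cookie|Cookie):.*?\bad_session_id=([^;\s]+)", re.I)

# Constructed capture (header lines only, in wire order). The first value is
# the one quoted in the thread; the user_id=0 value is constructed.
CAPTURE = """\
Set-Cookie: ad_session_id=24700551,8645,izOJSRoH5HeejpBwNjQm7Y1BugyQSaJk,1253291697; Path=/; Max-Age=86400
Cookie: ad_session_id=24700551,8645,izOJSRoH5HeejpBwNjQm7Y1BugyQSaJk,1253291697
Set-Cookie: ad_session_id=24700551,0,izOJSRoH5HeejpBwNjQm7Y1BugyQSaJk,1253291760; Path=/; Max-Age=86400
Cookie: ad_session_id=24700551,0,izOJSRoH5HeejpBwNjQm7Y1BugyQSaJk,1253291760
"""

def parse_value(raw):
    """Split an ad_session_id value into its four named fields."""
    parts = raw.split(",")
    if len(parts) != len(FIELDS):
        raise ValueError("unexpected ad_session_id layout: %r" % raw)
    return dict(zip(FIELDS, parts))

def audit(capture):
    """Return (line_no, kind, changed_fields) for every value that differs
    from the most recent Set-Cookie seen in the capture."""
    findings = []
    last_set = None
    for line_no, line in enumerate(capture.splitlines(), 1):
        match = COOKIE_RE.match(line.strip())
        if not match:
            continue
        header = match.group(1).lower()
        value = parse_value(match.group(2))
        if last_set is not None:
            changed = sorted(k for k in FIELDS if value[k] != last_set[k])
            if changed:
                # A differing Set-Cookie means server code wrote the cookie again;
                # a differing Cookie means the browser altered or replaced it.
                kind = ("server-reissued" if header == "set-cookie"
                        else "browser-sent-different")
                findings.append((line_no, kind, changed))
        if header == "set-cookie":
            last_set = value
    return findings

if __name__ == "__main__":
    for finding in audit(CAPTURE):
        print(finding)
```
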