Eric
Ed gave me the information I needed to know to understand what is going on. It actually jibes with what some earlier folks told me, but I thought they were reversing the SSL and non-SSL data. Alas, we are indeed hitting an IE bug with cookie handling and a truly bizarre one at that. I don't really know how to reproduce it, but I am going to see if I can. Also, knowing the nature of the buggy state, I think I should be able to guard against it.

The technical explanation:

- CellarTracker writes two "authentication" cookies, User and PWHash. It sets a "secure" flag on these cookies, so that they cannot be seen if a user is not browsing via SSL.
- However, if a logged-in user clicks on a link to a non-HTTPS page, it has no way of knowing that the user should be logged in. So by default you would just be a guest even if the computer has valid authentication cookies (since they cannot be seen on the non-SSL page). So CellarTracker writes a third cookie "SSLAuth" and makes sure it is NOT marked as secure.
- Thus when you go to an HTTP page, if SSLAuth=TRUE then it redirects to SSL. However, when trying to log in on the SSL page, if there are no valid User and PWHash cookies then it clears the SSLAuth cookie and sends you back to HTTP.

All should work. However, in Ed's case he had an SSLAuth cookie and nothing else. To make things MORE strange, the SSLAuth cookie cannot be seen when browsing on an SSL page, only when on the insecure page. The thing is, there is no such thing as a cookie that does this. Either a cookie is only visible on HTTPS OR it is visible for HTTP and HTTPS. There is no such thing as a cookie that only appears on HTTP.

So now that I know at least what sort of sickness IE has, the question is how do I break the loop? I have a number of ideas that I will try today, but it's tough to break the loop without understanding what will and will not work on IE and the true nature of the IE bug and how to make it reproduce. Uggh. Why, why, WHY is it always IE that makes things difficult?
_____________________________
Cheers! -Eric LeVine http://twitter.com/cellartracker http://facebook.com/cellartracker
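
The redirect logic described in the post, modeled as an added example (not CellarTracker's code and not part of Eric's post): it reproduces the loop when SSLAuth is visible only on HTTP and shows one possible guard. The `noauth` query marker, the function names and the cookie-jar model of the buggy state are assumptions.

```python
# Cookie names (User, PWHash, SSLAuth) are from the post; the "noauth" query
# marker and the jar model of the buggy state are constructed assumptions.

def handle(scheme, cookies, query, guard):
    """One request -> (action, next_scheme, next_query, cookies_to_clear)."""
    if scheme == "http":
        if guard and query.get("noauth") == "1":
            # HTTPS just reported no valid login: ignore SSLAuth this once
            # and also try to expire it from the HTTP side.
            return ("serve_guest", "http", {}, ["SSLAuth"])
        if cookies.get("SSLAuth") == "TRUE":
            return ("redirect", "https", {}, [])
        return ("serve_guest", "http", {}, [])
    if "User" in cookies and "PWHash" in cookies:
        return ("serve_user", "https", {}, [])
    # No valid auth cookies on SSL: clear SSLAuth and send back to HTTP.
    return ("redirect", "http", {"noauth": "1"} if guard else {}, ["SSLAuth"])


def visible(jar, scheme):
    """Cookies the browser sends; jar maps name -> (value, schemes it shows on)."""
    return {n: v for n, (v, schemes) in jar.items() if scheme in schemes}


def browse(jar, guard, max_hops=6):
    """Follow redirects from an HTTP page; return the list of (scheme, action)."""
    jar, scheme, query, hops = dict(jar), "http", {}, []
    for _ in range(max_hops):
        cookies = visible(jar, scheme)
        action, nxt, query, clear = handle(scheme, cookies, query, guard)
        hops.append((scheme, action))
        for name in clear:
            # Assumption: a clear only removes a cookie visible to this request.
            if name in cookies:
                del jar[name]
        if action != "redirect":
            return hops
        scheme = nxt
    return hops + [(scheme, "loop")]


# Constructed cookie jars.
LOGGED_IN = {"User": ("user1", {"https"}), "PWHash": ("x", {"https"}),
             "SSLAuth": ("TRUE", {"http", "https"})}
STALE = {"SSLAuth": ("TRUE", {"http", "https"})}
BUGGY = {"SSLAuth": ("TRUE", {"http"})}  # SSLAuth visible only on HTTP

if __name__ == "__main__":
    for name, jar in (("logged in", LOGGED_IN), ("stale", STALE), ("buggy", BUGGY)):
        print(name, browse(jar, guard=False), browse(jar, guard=True))
```

With the guard off, the buggy jar bounces between HTTP and HTTPS until the hop limit; with it on, the HTTPS page's "no valid login" answer travels back with the redirect, so the HTTP page serves the guest view instead of trusting SSLAuth again.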