Cookies not being sent back and forth properly in Opera - php

First off, I'm not sure whether this is a problem in Opera 12.01 or not, but the problem only occurs in Opera. I've tested in FF14, Chrome 21, Safari 5 (Windows) and Safari Mac and Webkit browsers on Android and iPhone.
My application runs on the trigger.io forge platform and uses a proxy to route requests from the web application to the service. The proxy simply forwards the requests and cookies along and this works as expected in most of the browsers.
After inspecting the request in dragonfly, I noticed that the server sends the proper headers in the response, but Opera seems to be ignoring setting the values. I'm wondering whether this is due to some misconfigured path value for the cookie. I've attached screenshots of 2 requests in Firefox and Opera.
As you can see in the screens, FF sees the cookie headers and sets them appropriately, but Opera does not.
Firefox Request
Opera request 1 Screen
Opera Request 2 Screen
I haven't included the code from the proxy that does the request forwarding, so please let me know if you need that to gain some insight. On the service end, I'm running PHP and Codeigniter. Please let me know if I need to add any more info here on my environment, thanks.
UPDATE : This issue occurs even in my production environment which does not use a custom TLD. Other sites that use cookies work fine and cookies are enabled.

Double quotes are formally illegal in a cookie value. If you escape them as %22 it will work.

Have you checked if this is an issue with cookie domains? I'm assuming you're using JavaScript to set/read the cookies? In any case there are 4 cookie domain issues that you might want to check (I know I've had these issues with an old FF version):
1 - check for illegal cookie characters (allowed cookie characters): you might not be allowed to use '-' or '=' in the cookie name, and you shouldn't use non-ASCII characters in cookies at all. A base64 encode might deal with this.
2 - check that the domain on which you set your cookie (via JavaScript code or any other way) is identical to the domain on which the code is executed.
3 - check that the cookie domain is not localhost; see if you can test setting the cookie from a remote domain.
4 - if you're using JS to set your cookies, try testing if you can set the cookie with a CGI in your browser to make sure it's not a browser issue. If it works, which it should, see if you can read the cookie using JS (as opposed to setting it).
Let me know how this goes in the comments, I've dealt with similar issues a number of times and depending on what you get with these checks, I'm pretty sure I can help you fix the issue.

Have you checked the "leading dot" form of a cookie domain in setcookie? I've been using leading dots for years and only recently noticed my app won't set cookies on Opera (Chromium et al?) due to the leading dot, which is part of a deprecated RFC. In Opera, it's not that the leading dot gets ignored but the very setting of the cookie itself. I've removed the leading dot and it's working now.

Looking at those Opera screenshots, they seem to be AJAX / XHR requests which are processed within the same second. Is it possible that Javascript is triggering both of those requests "simultaneously", so the response from the "first" is not arriving before the request for the "second" is constructed - and therefore the cookies have not yet been set?
I'm not familiar with the technologies/toolkits you're using, so don't know if these are stock code or part of your custom application.
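The character and domain checks suggested in the answers above can be run against the raw Set-Cookie line copied from a header viewer such as Dragonfly. This is an added example, not code from the question or from CodeIgniter; lint_set_cookie() and the sample headers are constructed for illustration and assume PHP 7.1 or later.

```php
<?php
// Added example. lint_set_cookie() is a hypothetical helper, not a PHP or CodeIgniter API.
function lint_set_cookie(string $header): array
{
    $issues = [];
    $line   = preg_replace('/^Set-Cookie:\s*/i', '', trim($header));
    $attrs  = array_map('trim', explode(';', $line));
    $pair   = array_shift($attrs);
    $eq     = strpos($pair, '=');
    if ($eq === false) {
        return ['no "=" in the name=value pair'];
    }
    $name  = substr($pair, 0, $eq);
    $value = substr($pair, $eq + 1);

    // cookie-name must be an HTTP token: visible ASCII without separators.
    if (!preg_match('/^[!#$%&\'*+\-.^_`|~0-9A-Za-z]+$/', $name)) {
        $issues[] = "name is not a valid token: $name";
    }
    // cookie-octet (RFC 6265) excludes CTLs, space, DQUOTE, comma, semicolon, backslash
    // and non-ASCII. Stricter than the grammar, which allows one surrounding DQUOTE pair.
    if (!preg_match('/^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/', $value)) {
        $issues[] = 'value needs encoding, e.g. ' . rawurlencode($value);
    }
    foreach ($attrs as $attr) {
        [$key, $val] = array_pad(explode('=', $attr, 2), 2, '');
        if (strcasecmp(trim($key), 'Domain') !== 0) {
            continue;
        }
        $val = trim($val);
        if ($val !== '' && $val[0] === '.') {
            $issues[] = "Domain has a leading dot: $val";
        }
        if (!preg_match('/^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$/', ltrim($val, '.'))) {
            $issues[] = "Domain is not a valid hostname (underscore or other character): $val";
        }
    }
    return $issues;
}

// Constructed sample headers, not taken from the question's screenshots.
$samples = [
    'Set-Cookie: ci_session="a:1:{s:2:id}"; path=/; domain=.example.test',
    'Set-Cookie: token=abc123; Path=/; Domain=my_app.example.test; HttpOnly',
    'Set-Cookie: sid=e180564a1b65; Path=/; Domain=example.test; Secure; HttpOnly',
];
foreach ($samples as $h) {
    echo $h, "\n  ", implode("\n  ", lint_set_cookie($h) ?: ['ok']), "\n";
}
```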


Opera truncates cookies on Joomla

I'm developing an application in Joomla! 3.x which uses JWT cookies to grant some privileges. Everything works fine with Chrome, Firefox and Safari, but when it comes to Opera, my cookies are truncated.
How I set the cookies:
$inputCookie = JFactory::getApplication()->input->cookie;
$inputCookie->set("myCookie", $myCookie, 0);
Instead of a well-formed base64 encoding of a JWT, which I get on every other browser, Opera shows me only this:
o42io94enaeq3ellgfnafhdun3
Deleting the cookies does not work, since the cookie is always truncated when it gets stored.
Additional information: Opera version is 46 on Mac. Using Opera 46 on Windows I have no problems with cookies.
It was the cache's fault. I still don't understand exactly what happened but it was simply solved by switching to private browsing.
The application uses redirects along with cookies and Opera probably cached some partial information (I still don't get how it managed to have only half a cookie, though). Switching to private browsing or otherwise deleting cookies and cache forced Opera to accept the whole cookie and everything worked. It seems to happen every few (about two or three) visits to the page.

PHP changes session ID on each request

This morning my local PHP started behaving strangely: the session ID changes on each request (making sessions unusable).
The code:
<?php
session_start();
The same page is available through "localhost" and "test" which is a /etc/hosts entry for localhost.
Requesting this same file on "localhost": the PHPSESSID cookie stays the same; on "test" it changes on every request.
Absolutely nothing changed in my code (no BOM or buggy code) or in Apache's config. I may have updated PHP (5.4.4), but reverting to the previous version (5.4.1) showed the same behavior. The same code running on a remote server (php 5.3) has been running ok for ages.
It's probably a bug in PHP :( but before reporting, I want to be sure I didn't overlook anything.
Any idea?
Thanks for your amazingly fast answer.
In fact the browser works fine, everything is working fine, even PHP.
I just forgot I added a .htaccess clearing all cookies to upload to a CDN. The only thing I didn't check was the .htaccess.
I feel stupid (and tired).
Thanks again.
Install some software for watching HTTP headers, like
- Live HTTP Headers Firefox addon https://addons.mozilla.org/en-us/firefox/addon/live-http-headers/
- WireShark sniffer http://www.wireshark.org/
and check whether
- Server sends the cookies as it should
- Browser sends them back.
Probably the Cookie header contains settings which make the browser not send it back, and therefore the server generates a new cookie (new session) for every request.
Especially check the path setting of the cookie you send.
Also, it might be some new policy in the browser, or a security plugin, or maybe antivirus... try a different browser, or the bare curl program, and disable the web shield of your antivirus if applicable.

session.cookie_lifetime not working for Firefox?

In my Zend Application, I am trying to make our authenticated users be automatically logged out when they close their browser.
For that I've written the following code:
ini_set('session.cookie_lifetime', 0);
And it's working fine on browsers like Chrome, Safari, IE7 and IE8, but in the case of Firefox, users still remain logged in when they close their browser.
Does anyone know what is causing the problem?
Thanks in advance...
A value of 0 indicates "session cookie" - i.e. one that the browser should destroy when the "session" is over and the browser is closed.
However:
Different browsers have different interpretations of exactly what a "session" is - some will destroy these cookies when you close the tab, some when you close the window, some won't destroy the cookies until all instances of the browser have been closed - all tabs in all windows.
Since cookies are stored and transmitted by the client, they are completely the responsibility of the client. You should not rely on cookies alone to control whether a user has a valid login because they are ridiculously easy to spoof, you should implement some kind of activity timeout as well.
Make sure you have actually ended your Firefox session when testing - close all open tabs and windows, and watch the process list to ensure there are no instances left. If you are still having a problem, you are probably looking at some kind of bug in Firefox (or maybe you've made some strange change in about:config) and you need to ask for Firefox-specific help - SuperUser.com would be a better place for that. One thing you can be fairly sure of is that if it works everywhere else, it's not a problem with your PHP.
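The activity timeout recommended in the answer above, enforced on the server so that it holds whatever the browser does with a lifetime-0 cookie. This is an added example, not the asker's Zend code; the function names, session keys and both limits are assumptions, and it needs PHP 7.0 or later.

```php
<?php
// Added example: server-side idle and absolute timeouts for a login session.
// Function names, session keys and both limits are assumptions for illustration.
const IDLE_LIMIT     = 900;    // seconds without a request before logout
const ABSOLUTE_LIMIT = 28800;  // seconds after login before forced re-login

function start_login(array &$session, string $userId, int $now): void
{
    $session = ['user_id' => $userId, 'started_at' => $now, 'last_activity' => $now];
}

// Returns true while the login is still valid; otherwise clears the login state.
function enforce_timeout(array &$session, int $now): bool
{
    $started = $session['started_at'] ?? null;
    $last    = $session['last_activity'] ?? null;
    if (!is_int($started) || !is_int($last)
        || $now - $last > IDLE_LIMIT
        || $now - $started > ABSOLUTE_LIMIT) {
        $session = [];
        return false;
    }
    $session['last_activity'] = $now;
    return true;
}

if (PHP_SAPI === 'cli') {
    // Constructed timeline: login at t=0, then requests at the given offsets.
    $s = [];
    start_login($s, 'user-1', 0);
    foreach ([300, 1100, 2100, 2200] as $t) {
        echo "t=$t ", enforce_timeout($s, $t) ? 'valid' : 'logged out', "\n";
    }
} else {
    ini_set('session.cookie_lifetime', '0'); // browser-side hint only
    session_start();
    if (isset($_SESSION['user_id']) && !enforce_timeout($_SESSION, time())) {
        session_regenerate_id(true);         // retire the old session ID
        http_response_code(401);
    }
}
```

Run from the command line it prints the constructed timeline; under a web server it applies the same check to $_SESSION on each request.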

setcookie fails in IE

I can't, for the life of me, figure this one out.
This site used to work fine in IE but now it refuses to set cookies. I have tested it in multiple versions on multiple computers, still to no avail. It behaves normally in all other browsers. The source code hasn't changed, neither has any update been applied to the server.
setcookie() returns TRUE for that matter but I check and no cookie was set.
I checked the time of the server and it is accurate to the second. I have created a sample file with JUST setcookie() and on this domain it doesn't work. All others work properly. Even tried setting the required parameters to all. I have no clue as to what could be wrong.
Version Info:
PHP Version 5.1.6
Apache/2.2.3 (CentOS)
EDIT - SAMPLE CODE
setcookie("session", "e180564a1b6533ec5b0c63e8009d0bc27a90b226", time()+3600);
EDIT 2
It appears as though the client hired another development team who destroyed the DNS, has the A record pointed to another server and is forwarding all traffic via some means to the correct one without changing the URL in the address bar.
This one may have been solved.
Any ideas?
Are you sure that cookies are enabled in Internet Explorer? This is the most common cause in my opinion.
See http://kb.iu.edu/data/ajfh.html for reference.
I've seen IE security settings cause problems with cookies as well. I've never been able to narrow it down to a specific one, but sometimes a P3P header can help - see here for more information: http://articles.sitepoint.com/article/p3p-cookies-ie6/2.
Are the domains/subdomains proper ones? IE will not set a cookie if the domain does not follow the RFC. The most common cause for this is an underscore _ in the subdomain.

Cookies don't set when using PHP 4.4.7, they do however when using PHP 5.2.9 - Any ideas why?

So I have been working on a project for a client on their current web site which has been in existence for quite some time. The version of PHP used is 4.4.7, and I am not in a position to ask them to upgrade. (The system is old and it could break something.) This past week I made some changes to my project, everything worked fine: cookies set, pages worked. I went to test the site earlier and all of a sudden the cookies no longer work. After 2 hours of troubleshooting I finally just set up a simple test page composed of this:
<?php
setcookie('eventCookie','1', time()+7200,'/','.levijackson.net');
echo $_COOKIE['eventCookie'];
?>
I put this on both their site as well as my own (I changed the .levijackson.net to the appropriate domain)
I did 2 refreshes of the page on both pages and only on mine did it return the cookie. So what could have caused something like this? Is there a certain setting that may have been changed by their admin/host?
I did test and HttpOnly cookies still work, so I am going to switch to them while I troubleshoot.
edit: Almost forgot to mention, it works fine in FF but in Chrome and IE it doesn't work at all. Not sure if this will be useful, but I still think that it is not the browser.
Thanks
Levi
Just a guess -- it could be that their server has auto_prepend_file enabled, and the file that is being auto-prepended outputs something to the client. Once anything is sent to the client, setcookie() will not work, since cookies have to be set in the page header, which must be sent before anything is sent to the client.
If it's not that, try diff'ing the "PHP Core" section of a phpinfo() dump, looking for any other settings that might somehow affect this.
Edit: Here's something else you can try, if both sites are publicly accessible. Go here: http://web-sniffer.net/. This site will show you the actual HTTP headers which are being returned by the site. Run the test file for both sites, and look to see if there is any difference in the Set-Cookie headers which are returned.
