I have a PHP site that uses a fairly common authentication scheme.
- The entire login area requires ssl.
- A user enters their username and pw, if they match the db, a session is started and a value set for them.
- If they try to visit a page that requires authentication, it checks to see if that value is present in the session, and forwards them to the login page if it isn’t.
We always get a few people that have trouble loggin in because they aren’t set to use session cookies, or they have problems with the cache stroring the forward page, etc.
Lately, however, we have had a lot of people with IE who can’t login. Fixing their session cookie settings and clearing the cache don’t help, but they can login if they use firefox/opera on the same computer. I’m pretty sure it’s a problem with IE, and not anything in between.
Does anyone know of any recent changes to IE 7 that would affect session cookies?
Update:
I did recently implement a session_regenerate_id() call immediately after login, as there are now some circumstances where a user may have an existing session that will be used, but that was quite some time ago.
My first step would be to find a user who can log in with Firefox and not IE, and then run Fiddler against both to see the differences in the HTTP request/response pairs for the login process. That should, at least, give you a better idea of where to look.