Re: [google-chrome-frame:3213] Problem with php sessions and ChromeFrame

[Alex Russell]

This is the first we've heard of PHP session generation behaving this way. I'm surprised it's UA dependent. Are you not using cookies for sessions?

On Tue, Aug 21, 2012 at 11:55 AM, Andres Lartigue Debian <andres....@gmail.com> wrote:

Hello,

I'm having a very hard time trying to understand a problem caused by chromeFrame on IE.

Server is creating new sessions each time the page reloads. We think it's caused by the change of the User Agent when the page loads, it's sending MSIE on top of the page and Chrome for the rest of it.

Is there a solution to these session generation ?

Thanks

Andrés

--
You received this message because you are subscribed to the Google Groups "Google-chrome-frame" group.
To view this discussion on the web visit https://groups.google.com/d/msg/google-chrome-frame/-/In73fHrtipYJ.
To post to this group, send email to google-ch...@googlegroups.com.
To unsubscribe from this group, send email to google-chrome-f...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/google-chrome-frame?hl=en.

[Andres Lartigue Debian]

Yes, we're using cookies. I don't have control over the server, but I'd say that it's the default config.

El martes, 21 de agosto de 2012 13:27:30 UTC+2, Alex Russell escribió:

This is the first we've heard of PHP session generation behaving this way. I'm surprised it's UA dependent. Are you not using cookies for sessions?

On Tue, Aug 21, 2012 at 11:55 AM, Andres Lartigue Debian <andres....@gmail.com> wrote:

Hello,

I'm having a very hard time trying to understand a problem caused by chromeFrame on IE.

Server is creating new sessions each time the page reloads. We think it's caused by the change of the User Agent when the page loads, it's sending MSIE on top of the page and Chrome for the rest of it.

Is there a solution to these session generation ?

Thanks

Andrés

--
You received this message because you are subscribed to the Google Groups "Google-chrome-frame" group.
To view this discussion on the web visit https://groups.google.com/d/msg/google-chrome-frame/-/In73fHrtipYJ.
To post to this group, send email to google-ch...@googlegroups.com.

To unsubscribe from this group, send email to google-chrome-frame+unsub...@googlegroups.com.

[Alex Russell]

Can you point me at the app and/or tell me more about the server config? Or send the output of phpinfo()?

To view this discussion on the web visit https://groups.google.com/d/msg/google-chrome-frame/-/ED7DtqOAxN4J.

To post to this group, send email to google-ch...@googlegroups.com.

To unsubscribe from this group, send email to google-chrome-f...@googlegroups.com.

[Andres Lartigue Debian]

Hi,

We have find both the source of the problem and the solution. Our host had Suhosin Patch 0.9.7 installed. They've set the parameters suhosin.session.cryptua et suhosin.cookie.cryptua to off on php.ini, and everything works fine now.

Apparently it makes php a little less secure, but it works.

Thanks for your help,

Andrés

El miércoles, 29 de agosto de 2012 16:56:08 UTC+2, nathan...@gmail.com escribió:

In our specific case I solved it using this function

function getSaltFromRequest(){

$agent = $_SERVER['HTTP_USER_AGENT'];

$reg = '|(chromeframe/[0-9\.]+)|';

if(preg_match($reg, $agent)){

$matches = array();

preg_match_all($reg,$agent,$matches);

$agent = $matches[0][0];

}

return md5($agent);

}

It is a temp fix because it requires a less secure salting method, but a little salt is nice :)

On Wednesday, August 29, 2012 8:55:42 AM UTC-5, nathan...@gmail.com wrote:

FYI As an update, I found that our application is salting the session fingerprint using user agent, which is what is causing this issue, I wonder what a secure work around might be?

On Wednesday, August 29, 2012 4:08:16 AM UTC-5, Alex Russell wrote:

Can you point me at the app and/or tell me more about the server config? Or send the output of phpinfo()?

On Tue, Aug 21, 2012 at 3:13 PM, Andres Lartigue Debian <andres....@gmail.com> wrote:

Yes, we're using cookies. I don't have control over the server, but I'd say that it's the default config.

El martes, 21 de agosto de 2012 13:27:30 UTC+2, Alex Russell escribió:

This is the first we've heard of PHP session generation behaving this way. I'm surprised it's UA dependent. Are you not using cookies for sessions?

On Tue, Aug 21, 2012 at 11:55 AM, Andres Lartigue Debian <andres....@gmail.com> wrote:

Hello,

I'm having a very hard time trying to understand a problem caused by chromeFrame on IE.

Server is creating new sessions each time the page reloads. We think it's caused by the change of the User Agent when the page loads, it's sending MSIE on top of the page and Chrome for the rest of it.

Is there a solution to these session generation ?

Thanks

Andrés

--
You received this message because you are subscribed to the Google Groups "Google-chrome-frame" group.
To view this discussion on the web visit https://groups.google.com/d/msg/google-chrome-frame/-/In73fHrtipYJ.

To post to this group, send email to google-ch...@googlegroups.com.

To unsubscribe from this group, send email to google-chrome-frame+unsubscribe...@googlegroups.com.

For more options, visit this group at http://groups.google.com/group/google-chrome-frame?hl=en.