Hi, I'm hoping someone understands sessions better than I do and can help me out. I'm noticing different behavior across browsers and I'm having trouble groking it. I'm serving a page with a form, and that form has an autocomplete field. So my drupal gets an initial request for the page, then subsequent requests for the autocomplete callback. I'm testing with Firefox and IE right now, and here's what I observe.... 1) Across all browsers and requests, the session_name() is the same. I believe this is because drupal computes a session name in conf_init(). The name depends on the URL only and not the browser. Am I correct so far? 2) From Firefox, the initial page request and subsequent autocomplete callbacks have the same session_name AND session_id. In other words the session cookie's name and value remain the same. The effect of this is that $_SESSION is shared between the normal page request and the ajax requests. 3) From IE7, the session_name remains the same across all requests, but the session_id() of the initial page request is different from the ajax callbacks. In other words the session cookie's value changes. So $_SESSION is not shared. Is this what I should be seeing? 4) Also from IE7, the session_id is new for ajax callbacks, yet drupal somehow knows which user is logged in. That is $_SESSION is not shared with the original page request, but the global $user is set correctly. How is this happening? Doesn't Drupal rely on the session_id to determine the user? Since session_id has changed shouldn't drupal think the ajax request is anonymous? Is what I'm seeing the way things are supposed to be, or have I somehow screwed up my install? Thanks, -Dave
3) From IE7, the session_name remains the same across all requests, but the session_id() of the initial page request is different from the ajax callbacks. In other words the session cookie's value changes. So $_SESSION is not shared. Is this what I should be seeing?
No. Browser's have a responsibility to always send back cookies to the domain+path that sent them. So if your ajax callback is sent back to the same domain and path as the session cookie, it has to be sent back. check the domain and path of the cookie and ajax callback carefully. You can control what path/domain the cookie gets set on using settings.php (see the comments there). Note that changing that can affect existing user's and their cookies.
4) Also from IE7, the session_id is new for ajax callbacks, yet drupal somehow knows which user is logged in. That is $_SESSION is not shared with the original page request, but the global $user is set correctly. How is this happening? Doesn't Drupal rely on the session_id to determine the user? Since session_id has changed shouldn't drupal think the ajax request is anonymous?
Is what I'm seeing the way things are supposed to be, or have I somehow screwed up my install?
Screwed up install, or browser, or other.
Moshe and all, Thanks for the clarification, you're correct that's how it should behave. The truth is I was mucking with the session_name() and session_id(). I find that if I don't muck, then the cookies are consistent even in IE. However, I have a good reason to muck with these values. I'm serving pages both on a regular website, and also in Facebook canvas pages (using iframes). I don't want the Facebook iframes to share session state with the normal web pages. So I call session_name() and session_id() with custom values. I do this in settings.php, before drupal calls session_start(). According to the PHP documentation, when session_start() is called, updated cookies are supposed to be sent. On reasonable browsers like Firefox this works as advertised. On IE, a cookie is set whose name is session_name(), but its value is not session_id(). I don't know where it's getting the value from. Has anyone else encountered this? Any ideas how to debug it? I'm looking for anything here as I really don't know how to diagnose problems with IE. -Dave On Friday 17 October 2008 11:47:03 Moshe Weitzman wrote:
3) From IE7, the session_name remains the same across all requests, but the session_id() of the initial page request is different from the ajax callbacks. In other words the session cookie's value changes. So $_SESSION is not shared. Is this what I should be seeing?
No. Browser's have a responsibility to always send back cookies to the domain+path that sent them. So if your ajax callback is sent back to the same domain and path as the session cookie, it has to be sent back. check the domain and path of the cookie and ajax callback carefully. You can control what path/domain the cookie gets set on using settings.php (see the comments there). Note that changing that can affect existing user's and their cookies.
[snip]
Screwed up install, or browser, or other.
My session problem on IE... The page in question was an iframe, and apparently IE is not inclined to send back cookies to iframes. Fun! I found what appears to be a solution here: http://james.jamesandkristin.net/2005/11/18/php-session-cookie-in-frames-usi... On Fri, 17 Oct 2008 17:26:35 -0700, "Dave Cohen" <drupal@dave-cohen.com> said:
Moshe and all,
Thanks for the clarification, you're correct that's how it should behave. The truth is I was mucking with the session_name() and session_id(). I find that if I don't muck, then the cookies are consistent even in IE.
However, I have a good reason to muck with these values. I'm serving pages both on a regular website, and also in Facebook canvas pages (using iframes). I don't want the Facebook iframes to share session state with the normal web pages.
...
participants (3)
-
Dave Cohen -
David Cohen
-
Moshe Weitzman