This post refers to DotKernel 1, based on Zend Framework 1.
If you are looking for DotKernel 3 related posts, go here.

We found a strange behaviour of sessions in one of our projects, running DotKernel version 1.5.0.

It is similar to the one described here.

In unknown circumstances, and only in IE8 and IE9, the session cookie is not saved on the client machine, and the user needs to log in over and over again. I was able to reproduce that behaviour once, on our staging server, and the only way to fix it was to open a new tab with the same page (?!?!?)

Anyway, it is still an enigma. So I started to investigate the Dot_Session class, and noticed that the session cookie is generated 3 times!! See this bug report.

I noticed that we use both the regenerateId() and rememberMe() methods of Zend_Session, which is not necessary.
Quote from ZF documentation:

If you call the rememberMe() function, then don’t use regenerateId(), since the former calls the latter.  If a user has successfully logged into your website, use rememberMe() instead of regenerateId().

So I removed the regenerateId() call, and also added 2 new settings in application.ini related to sessions: use_only_cookies, which must be ON all the time in order to avoid session fixation, and remember_me_seconds.
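
The change described above, as an added example that is not DotKernel's own code: the two settings are applied before the session starts, and login calls only rememberMe(). It assumes Zend Framework 1 is on the include_path; the function names, the `auth` namespace and the 3600-second value are hypothetical, and the `$settings` array stands in for the session section of application.ini, whose exact key names the post does not show.

```php
<?php
// Added example, not DotKernel code. Assumes ZF1 is on the include_path.
require_once 'Zend/Session.php';
require_once 'Zend/Session/Namespace.php';

/**
 * Apply the session options before the session is started.
 * $settings stands in for the values read from application.ini.
 */
function startHardenedSession(array $settings)
{
    Zend_Session::setOptions(array(
        // Accept the session ID only from the cookie, never from the URL,
        // so an ID planted in a link is ignored (session fixation defence).
        'use_only_cookies'    => true,
        // Default lifetime used by rememberMe() when called without arguments.
        'remember_me_seconds' => (int) $settings['remember_me_seconds'],
    ));
    Zend_Session::start();
}

/**
 * Call once, right after the credentials have been verified.
 */
function onLoginSuccess($userId)
{
    // rememberMe() extends the cookie lifetime and calls regenerateId()
    // itself, so a separate Zend_Session::regenerateId() call here would
    // only send one more session cookie.
    Zend_Session::rememberMe();

    $auth = new Zend_Session_Namespace('auth'); // hypothetical namespace name
    $auth->userId = $userId;
}

// Constructed value for illustration.
startHardenedSession(array('remember_me_seconds' => 3600));
```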

These small bug fixes will be included in the new DotKernel version 1.5.1, which will be released in the next days.

TIP

If you encounter the same issue in IE8 and IE9, then, with all regret, you need to deactivate the rememberMe() and regenerateId() method calls.

 

 
