New Developer
sealless
Registered: 01-06-2009

HTTPS and php session_regenerate_id


Disclaimer - I am a complete noob with the Blackberry. I have performed almost all of my testing with the simulators.

A user contacted me regarding a problem he encountered when accessing our website via his Blackberry 8830. We have a public portion of our site and a secure signon required portion. His problem arose when he attempted to sign on. It appeared to him that his user credentials were not accepted. Our logs indicated that his credentials were indeed accepted but that on redirection to a "start" page the user's session information was lost.

I was able to reproduce this problem using the 4.2.2.66 simulator for the 8830 (2.7.0.23) and the MDS simulator. I was also able to isolate the apparent cause of the problem, the php command session_regenerate_id. I created a simplified representation of our authentication model for testing purposes. Essentially we have the following flow:

page1.php -> links to -> page2.php -> redirects to -> page2re.php

 

For the php-ers, the code looks like this:

<?php
// page1.php
@session_start();

echo '<html><body>Welcome to page #1';
echo '<br /><a href="page2.php">page 2</a></body></html>';
?>

<?php
// page2.php
@session_start();

// emulates _destroy
$_SESSION = array();                    // Unset session variables
if (isset($_COOKIE[session_name()])) {  // Delete session cookie (sends a Set-Cookie with a past expiry)
    setcookie(session_name(), "", time() - 42000, "/");
}
@session_destroy();                     // Finally, destroy session

// emulates _create
@session_start();
session_regenerate_id();                // New id; sends a second Set-Cookie for the session cookie

$_SESSION["loginIP"] = $_SERVER["REMOTE_ADDR"];
$_SESSION['time'] = time();

header("Location: page2re.php");
exit();
?>

<?php
// page2re.php
session_start();

echo '<html><body>Welcome to page #2 Redirect<br />';
echo $_SESSION['loginIP'] . "<br />";
echo date("H:i:s", $_SESSION['time']) . "<br />";
echo '<br /><a href="page1.php">page 1</a></body></html>';
?>

This code works fine in IE, Firefox, Chrome and even in Opera Mini on the Blackberry. When run in the browser on the Blackberry I have found only two scenarios that make it work:

  • remove the session_regenerate_id command, or
  • use http instead of https.

This problem can be seen here:

http://www.ftlife.com/page1.php and https://www.ftlife.com/page1.php

Clicking on the page2 link should give you a page with your IP address and the time of the redirection. When the https scheme is chosen the $_SESSION is empty (as the wrong one is requested - the original session, not the regenerated session) and consequently no values are found or displayed.

 

As this code (or, more precisely, the original code) is part of our authentication model we will not be able to change the requirement to use http. So, that leaves me with session_regenerate_id and why it does not work with the Blackberry browser. I suspect that this is related to the various Set-Cookie headers generated in page2.php, as I have found information that leads me to believe multiple cookies can be problematic. However, I have been unable to prove this conclusively.

At this time my best workaround seems to be to interrogate the User Agent and handle Blackberry browsers differently. This is not my favorite choice to make. Any insights on how to best resolve this issue would be appreciated. Thanks.

- Chet
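The post above suspects the several Set-Cookie headers that page2.php emits for the PHPSESSID cookie. The script below is an added example, not code from the thread or from BlackBerry, that models how a client cookie jar resolves such a response. It parses constructed Set-Cookie headers shaped like the ones the destroy/regenerate sequence sends (a PHPSESSID with a past expiry, then the regenerated id; the id values and the fixed clock are made up), applies them under the conforming last-header-wins rule and under a hypothetical first-header-wins client, and reports which session id page2re.php would then read. It runs the same check on a response with a single Set-Cookie, which is what a login step that only calls session_regenerate_id(true), with no manual cookie deletion, is expected to send. The first-wins policy illustrates one way the symptom can arise; the thread does not establish what the 8830 browser actually does.

```python
"""Added example: how a cookie jar resolves several Set-Cookie headers for
PHPSESSID in one response, and which session id the next request carries.
Header values, session ids and the clock below are constructed for illustration."""
from datetime import datetime, timezone

OLD_ID = "a1b2c3d4e5f6a7b8"   # id the browser held before page2.php (made up)
NEW_ID = "9f8e7d6c5b4a3928"   # id minted by session_regenerate_id() (made up)

# Shaped like the headers the thread's page2.php sends: setcookie() with a
# past expiry to delete the old cookie, then the regenerated id.
RESPONSE_PAGE2 = [
    ("Set-Cookie", "PHPSESSID=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/"),
    ("Set-Cookie", f"PHPSESSID={NEW_ID}; path=/"),
    ("Location", "page2re.php"),
]
# A login step that only calls session_regenerate_id(true): one header,
# with the cookie flags an HTTPS-only site would set.
RESPONSE_MINIMAL = [
    ("Set-Cookie", f"PHPSESSID={NEW_ID}; path=/; secure; HttpOnly"),
    ("Location", "page2re.php"),
]
# Fixed "current time" so the expiry check is deterministic.
NOW = datetime(2009, 1, 6, 11, 14, tzinfo=timezone.utc)
# Date layout PHP's setcookie() writes into the expires attribute.
EXPIRES_FMT = "%a, %d-%b-%Y %H:%M:%S GMT"


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def is_expired(attrs, now=NOW):
    """True when the cookie's expires attribute lies in the past."""
    expires = attrs.get("expires")
    if not expires:
        return False
    try:
        when = datetime.strptime(expires, EXPIRES_FMT).replace(tzinfo=timezone.utc)
    except ValueError:
        return False            # unparseable date: treat as a session cookie
    return when <= now


def apply_response(jar, headers, policy="last-wins", now=NOW):
    """Apply a response's Set-Cookie headers to jar (dict name -> value).

    "last-wins": headers are applied in order and an expired cookie is
    removed, which is how a conforming client behaves.
    "first-wins": a hypothetical client that ignores a later Set-Cookie for
    a name it already handled in the same response.
    """
    handled = set()
    for key, header_value in headers:
        if key.lower() != "set-cookie":
            continue
        name, value, attrs = parse_set_cookie(header_value)
        if policy == "first-wins" and name in handled:
            continue
        handled.add(name)
        if is_expired(attrs, now):
            jar.pop(name, None)
        else:
            jar[name] = value
    return jar


def count_set_cookie(headers, name="PHPSESSID"):
    """How many Set-Cookie headers in the response target this cookie name."""
    return sum(1 for key, value in headers
               if key.lower() == "set-cookie" and parse_set_cookie(value)[0] == name)


def session_id_seen_by_page2re(headers, policy):
    """Start from the cookie sent to page2.php, apply its response, and return
    the PHPSESSID that page2re.php's session_start() would read. None means
    no cookie at all, so PHP starts a fresh, empty session."""
    jar = {"PHPSESSID": OLD_ID}
    apply_response(jar, headers, policy)
    return jar.get("PHPSESSID")


if __name__ == "__main__":
    for label, resp in (("page2.php", RESPONSE_PAGE2), ("single regenerate", RESPONSE_MINIMAL)):
        print(f"{label}: {count_set_cookie(resp)} Set-Cookie header(s) for PHPSESSID")
        for policy in ("last-wins", "first-wins"):
            sid = session_id_seen_by_page2re(resp, policy)
            verdict = {NEW_ID: "regenerated session", OLD_ID: "old session"}.get(
                sid, "no cookie, empty session")
            print(f"  {policy:10} -> PHPSESSID={sid} ({verdict})")
```

Run it directly to print the four outcomes. The practical point does not depend on which client is at fault: when a response carries at most one Set-Cookie per cookie name, the question of which header the client honours never arises. A login step that calls session_regenerate_id(true) once, without first expiring the cookie by hand, produces that single header, and session_set_cookie_params() can add the secure and HttpOnly attributes shown in the minimal response for a site that only accepts HTTPS.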

 

 

 

Message Edited by sealless on 01-06-2009 11:14 AM
Administrator
MSohm

Re: HTTPS and php session_regenerate_id

I've been able to reproduce the behaviour you are seeing. The issue does seem to relate to the way the BlackBerry handheld handles cookies. When using HTTP, cookies can be handled by either the MDS Connection Service or the BlackBerry handheld (depending on how it is configured). When using HTTPS, cookies are always handled by the BlackBerry handheld.

I also tried your sample pages in some other versions of BlackBerry handheld software and have found that the issue has been resolved in BlackBerry handheld software version 4.5.0. So your users may be able to upgrade your site and use your existing authentication scheme.

Mark Sohm
BlackBerry Development Advisor
