Welcome to the official BlackBerry Support Community Forums.

This is your resource to discuss support topics with your peers, and learn from each other.

inside custom component

Web and WebWorks Development

New Developer
Posts: 1
Registered: ‎01-06-2009
My Device: Not Specified

HTTPS and php session_regenerate_id

[ Edited ]

Disclaimer - I am a complete noob with the Blackberry.  I have performed most all of my testing with the simulators. 


A user contacted me regarding a problem he encountered when accessing to our website via his Blackberry 8830.  We have a public portion of our site and a secure signon required portion.  His problem arose when he attempted to sign on.  It appeared to him that his user credentials were not accepted.  Our logs indicated that his credentials were indeed accepted but that on redirection to a "start" page the user's session information was lost.


I was able to reproduce this problem using the simulator for the 8830 ( and the MDS simulator.  I was also able to isolate the apparent cause of the problem, the php command session_regenerate_id.  I created a simplied representation of our authentication model for testing purposes.  Essentially we have the following flow


page1.php -> links to -> page2.php -> redirects to -> page2re.php


For the php-ers, the code looks like this: 




// page1.php@session_start();

echo '<html><body>Welcome to page #1';

echo '<br /><a href="page2.php">page 2</a></body></html>';




// page2.php


// emulates _destroy

$_SESSION = array(); // Unset session variables

if (isset($_COOKIE[session_name()])) { // Delete session cookie

setcookie(session_name(), "", time()-42000, "/");


@session_destroy(); // Finally, destroy session


// emulates _create




$_SESSION['time'] = time();

header("Location: page2re.php");





// page2re.php


echo '<html><body>Welcome to page #2 Redirect<br />';

echo $_SESSION['loginIP']."<br />";

echo date("H:i:s",$_SESSION['time'])."<br />";echo '<br /><a href="page1.php">page 1</a></body></html>';



This code works fine in IE, Firefox, Chrome and even in Opera Mini on the Blackberry.  When run in the browser on the Blackberry I have found only two scenarios that make it work:



  • remove the session_regenerate_id command, or
  • use http instead of https.



This problem can be seen here :


http://www.ftlife.com/page1.php and https://www.ftlife.com/page1.php 


Clicking on the page2 link should give you a page with your IP address and the time of the redirection.  When the https scheme is chosen the $_SESSION is empty (as the wrong one is requested - the original session, not the regenerated session) and consequently no values are found or displayed.  


As this code (or, more precisely, the original code) is part of our authentication model we will not be able to change the requirement to use http.  So, that leaves me with session_regenerate_id and why does it not work with the Blackberry browser.  I suspect that this is related to the various Set-Cookie headers generated in the page2.php as I have found information that leads me to believe multiple cookies can be problematic.  However, I been unable to prove this conclusively.


At this time my best workaround seems to be to interrogate the User Agent and handle Blackberry browsers differently.  This is not my favorite choice to make.   Any insights on how to best resolve this issue would be appreciated.  Thanks.


- Chet 




Message Edited by sealless on 01-06-2009 11:14 AM
Message Edited by sealless on 01-06-2009 11:16 AM
Message Edited by sealless on 01-06-2009 11:18 AM
Message Edited by sealless on 01-06-2009 11:20 AM
BlackBerry Development Advisor
Posts: 15,882
Registered: ‎07-09-2008
My Device: BlackBerry PRIV
My Carrier: Bell

Re: HTTPS and php session_regenerate_id

I've been able to reproduce the behaviour you are seeing.  The issue does seem to relate to the way the BlackBerry handheld handles cookies.  When using HTTP, cookies can be handled by either the MDS Connection Service or BlackBerry handheld (depending on how it is configured).  When using HTTPS, cookies are always handled by the BlackBerry handheld.


I also tried your sample pages in some other versions of BlackBerry handheld software and have found that the issue has been resolved in BlackBerry handheld software version 4.5.0.  So your users may be able to upgrade your site and use your existing authentication scheme.

Mark Sohm
BlackBerry Development Advisor

Please refrain from posting new questions in solved threads.
Problem solved? Click the Accept As Solution button.