Many thanks to digital-ether and UrbanSky. I appreciate all your help on this thread.

For anyone else who uses cookies in your Web apps (that's probably most everyone), don't waste hours of your life trying to figure out why Internet Explorer just unexpectedly loses track of your session (i.e. discards the PHPSESSID cookie).

It's probably the 20 cookies per domain or 4 KB size limit enforced by Internet Explorer. Firefox allows up to 50 cookies per domain so it usually works fine. Keep in mind that your PHP session cookie counts as one of the 20, so you really have 19 cookies at your disposal.

Again, big thanks to digital-ether for your help on this thread. Gracias!

Regarding your problem of IE dropping session id - I encountered this after my ISP upgraded the version of PHP to 4.4.6, although I cannot say 100% that this is the cause, just my suspicion.

Anyway, I had a major breakthrough yesterday when I set the following in my .php before the session_start():

ini_set('session.cookie_domain','.yourdomain.com');

Alternatively you can set session.cookie_domain to '.yourdomain.com' in the php.ini file.

After that, at least on IE6, the problem with sessions getting lost stopped!

If this helps you out, then great. Let me know, as I am unsure whether it solves the problem on IE7.

Thanks for the advice. I'll keep that in mind.

My issue was definitely the 20 cookie limit per domain (a strange and very conservative interpretation of Section 6.3 of RFC 2109) enforced by Internet Explorer 6/7 as well as earlier versions.

I am having this problem as well and from what I can tell it has something to do with IE not accepting the SESSION ID cookie from any domain that has a hostname in front of the domain name in the url. IE will accept the cookie and hold on to it if your url looks like this https://somedomain.com but not https://somehost.somedomain.com (aka https://www.mydomain.net). I have an application that I developed which uses SESSIONS and this is what I have discovered while deploying it. If the customer does not use a host name in front of the domain name in the URL then IE will use the cookie with no problems and it will not lose it util it expires. I would love to find a solution to this problem - any ideas?

compudude,

Believe it or not, I've seen this problem before. I know that IE6 does not like *some* special characters (not sure about the complete list of problematic characters) in the sub domain name portion of the URL such as underscores, etc.

What is the sub domain part of your URL? For example, I've experienced IE dropping and/or mishandling cookies with URLs like this:

https://some_host.somedomain.com

Note the underscore. I know it causes a problem for IE6. As I recall, it was especially a problem with HTTPS URLS. Obviously, URLS should conform to the RFC guidelines.

brob5000....

THANK YOU..
THANK YOU..
THANK YOU..

I have been dealing with this problem for 2 weeks and was focused on p3p privacy report..

When I contact my internal webserver http://some_host.somedomain.com I was getting the blocked cookies and the privacy report issue.. I was searching for the problem in a different technology and finally found my way here when I started looking at a PHP workaround...

I signed up here with this site just to thank you!


THANKS A BUNCH!!!!!!!!!

Cliff

Cliff,

I'm glad I could help. It makes the many frustrating hours that spent trying to troubleshoot the issue seem a little less wasted.

Sincerely,
Ben

First of all, thank you for this thread. It was extremely helpful in diagnosing the issue I was experiencing.

Second I would like to add that this is not unique to PHP (PHPSESSID). Our application is served up by JBOSS, and the associated JSESSIONID was being lost when our application cookie became too large.

Just signed up to say those two things

Thanks for the help!

-
Carlos

Carlos,

You're welcome. I'm glad this thread was able to help. It makes me feel as though my time troubleshooting this issue was not wasted.

Kudos to brob5000 for running the discussion on this thread.

Now my main concern is, why does IE6/IE7 very often, if not always, drop the session information when the browser lies behind a proxy or proxy farm?

For example, a user of my app visits the site from, let's say, a nationwide proxy system from UAE or China.

Upon authenticating the user and setting his session to indicate that he is logged in, the session is immediately broken whenever he navigates on another link from the same website.

I don't think the 20 cookie limit per domain or 4kb size limit per cookie comes into play. Am I missing something here, or does the proxy mangle with the HTTP requests/responses?

(For the meantime, I'll just recommend Firefox to my visitors as a better alternative.)

Cheers to all,
O.J. Tibi