Puzzler

OK, a puzzler for you webmaster types (spoiler below).

So I get a call from my a client that two of their people were having trouble logging into the alumni database. I tested these people’s logins in every browser I had handy and they worked fine. No one else was having problems logging in. I went to the job site and sure enough, I couldn’t log in as anyone from two machines, both running IE6. Javascript was enabled. Cookies were enabled. What the heck was going on?

The site uses HTML hosted on a virtual domain at earthlink and database data coming from phpwebhosting.com, all married together in a frameset. Login authentication is handled via PHP sessions.

So why weren’t any logins working from IE6? Give up? This one took quite a while to figure out.

[ … spoiler … ]

First of all, PHP sessions are really just a simplified wrapper for a specialized form of cookie. So start with the realization that cookies aren’t getting planted even though cookies are enabled in the browser.

IE6 has a cookie tolerance slider that defaults to Medium. On the Medium setting,

“Internet Explorer prevents Web sites from storing third-party cookies that do not have a compact privacy policy or that use personally identifiable information without your explicit consent. The browser also prevents Web sites from storing first-party cookies that use personally identifiable information without your implicit consent.”

Compact Privacy Policy:
http://www.microsoft.com/windows/ie/using/howto/privacy/config.asp

Ah. So now I have to find out how to implement a compact privacy policy. Jeezis christ. See also:

http://www.w3.org/P3P/

and

http://news.com.com/2100-1023-268478.html?legacy=cnet

And finally, I find the deployment answer in a PHP forum. This affects me because the site is pulling HTML and PHP/data from two different sources:

“MSIE 6 has an inaccurate definition of third party cookies. If your domain is hosted on one server and your PHP stuff is on another, the IE6 P3P implementation considers any cookies sent from the second machine “third party”. Third party cookies will be blocked automatically in most privacy settings if not accompanied by what MS considers “an appropriate Compact Policy”. In order to make this new piece of tweakable garbage happy I’d suggest you’d par exemple send

header(‘P3P: CP=”NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM”‘);

before sending your cookie from your second machine. This header enables your cookie to survive any privacy setting.

So in the end I went to privacycouncil.com, filled in the wizard, which generated a CPC similar to the one above, and started sending it in the header of auth.php.

What a huge hassle. And I shudder to think how many sites this going to affect. There’s a good intention behind it, but it’s virtually useless, since you can virtually make up the privacy policy (it doesn’t have any necessary bearing on ACTUAL privacy) and meanwhile, it’s going to make a hell of a lot of sites inaccessible.

One Reply to “Puzzler”

Leave a Reply

Your email address will not be published.