Cookie Login Problems

Anon

I've set up a site that uses cookies/MySQL for login authentication and session management. Most users have no problem logging in and everything seems to work fine. However, so far - two of the users can log in fine from home, but when they try from work or school they can't log in. I set up some debugging code and noticed that the username and password cookies are not getting set.

Where should I look? Could a proxy or some sort of cache at their work/school cause this problem? Is there something else that could cause the problem? Can I force it to work somehow?

Any help would be greatly appreciated.

khaine

It could be that the browser they are using at work/school is bloking cookies. Or it could even be a firewall or other system blocking the cookie. Some systems managers do set the system to disallow cookies from being set. there is nothing you can do about this. Its in the hands on the system manager at the clients end.

Anon

Well, let me give a little more detail. When a user logs in and selects to autologin until they specifically log out, their session id is set in a cookie and stored in a database table. Then a redirect header is sent and the PHP script exits (with exit😉 which should set the cookie. Then, the new page checks to see if the session id cookie is set. If it is, it compares it to the session ids in the database to verify if they are currently logged in. If not, they are still a guest user.

I know that cookies ARE getting set for the user - he sent me his cookie so I could troubleshoot. His cookie did have the session id but for some reason the code didn't see it. Normally, I would think I had a bug in the code, but for the rest of my members it works fine. Just two users have this problem and it is not with their individual member account setups because they can both log in fine from home.

Any more ideas? Can it still be some sort of caching/firewall issue?

Thanks.

khaine

It could be a fire wall blocking the return of the cookie. I have had a simular problem. I solved it by using a flag on the database that says logged in or not and the IP address.

Someone else may have a better idea. Sorry I couldent help.

Anon

Well, the IP trick would sort-of work, but if someone else logged in from that network (with the same IP) they would basically hijack the session also - wouldn't they? How would you get around that?

Thanks.

khaine

I forgot to mention. I also add the certificate hash to the key. From the ssl certificate that is issued to each person. Probably not much use to you unless you use SSL.