Exit Outlook Web Access...destroys SESSION values for MY app! (open in separate tab)

Joseph_Sliker

Is this something any of you have encountered/solved? When I have a user log in to one of the online sites/form pages I created (I have the login script look up a bunch of related user info and dump it into a $SESSION: (ie. $SESSION[USERSTUFF]) so that will be available to use in hidden form variables (ie. to credit them for data they contribute, etc.). BUT, here's the problem: my organization uses Outlook Web Access: If the user is in OWA (in a separate browser tab or window) and is also using one of my data-submit forms, if they exit OWA before they submit data from my form, the background $_SESSION[USERSTUFF] appears to be emptied/lost and the record that is saved lacks the required facts usually taken from there.

I have never done anything fancy like attempting to set cookies on user's machines (due to my limited knowledge of what that might do to their machine and/or what sort of interference it could encounter from security software).

Any comments/suggestions about how to insulate MY $_SESSION[USERSTUFF] from whatever OWA destroys upon exit?

bradgrafelman

Joseph Sliker;11023637 wrote:
I have the login script look up a bunch of related user info and dump it into a $SESSION: (ie. $SESSION[USERSTUFF]) so that will be available to use in hidden form variables

That seems rather silly. Why spit out some data in a hidden element that the client has to spit back at you despite the fact that you'll already have the data in the session?

Joseph Sliker;11023637 wrote:
I have never done anything fancy like attempting to set cookies on user's machines (due to my limited knowledge of what that might do to their machine and/or what sort of interference it could encounter from security software).

Oh, so you aren't using cookies to propagate the PHP session ID? In other words, you're either including the SID in a form element or in the query string for each request?

I only ask because the passing of the SID is a pretty vital (and arguably one of the most difficult) steps in getting PHP sessions to function. Thus, the exact method(s) you employ to do this are likely relevant for us to understand what's happening.

Joseph Sliker;11023637 wrote:
Any comments/suggestions about how to insulate MY $_SESSION[USERSTUFF] from whatever OWA destroys upon exit?

Well first we'd have to know how the SID is getting passed for PHP sessions (sound familiar? :p). If it's via cookie, then my first thought would be to look at the HTTP headers OWA sends when you attempt to log out. That would tell you exactly which cookie(s) it is attempting to modify or destroy. If it's sharing the same name as your PHP cookie, then you'll probably want to rename the latter.

If it doesn't appear to have any direct correlation, then I'd start examining the HTTP headers your browser and the server exchange between a request where the session works and the next request where it doesn't.

Joseph_Sliker

Thank you very much for that thoughtful reply: the content has provoked an "Aha" moment. I am going to get a lot more out of this than I anticipated...in spite of the fact that I actually mis-diagnosed the problem with the application at hand (I messed up, and the INSERT statement was not coded correctly to include the session facts that it turns our WERE still available in a lot of cases). However, the original problem as stated DOES crop up from time to time on my site and the things you have given me to think about may help me improve my basic design infrastructure on new projects.

I will probably be leaving this postion in the near future and I have no time to clean out the Augean stables of my past 12 years of coding some of my site's applications may still depend upon.

In addtion to your response, I also found the following post elsewhere that may be a useful solution to someone else who finds this thread.

http://forums.msexchange.org/m_1800563917/mpage_1/key_/tm.htm#1800563917