Double Set-Cookie in Magento, leading to a login issue for some users

We have a Magento application which is issuing two Set-Cookie headers. Here are the headers:

  HTTP/1.1 200 OK
  Date: Wed, 18 Apr 2012 21:04:28 GMT
  Server: Apache/2.2.3 (CentOS)
  X-Powered-By: PHP/5.2.10
  Set-Cookie: frontend=iti6c00cdm6cc79hfl1pl9pq52; expires=Wed, 18-Apr-2012 22:04:28 GMT; path=/
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  Pragma: no-cache
  Set-Cookie: frontend=iti6c00cdm6cc79hfl1pl9pq52; expires=Wed, 18-Apr-2012 22:04:28 GMT; path=/; domain=**example.com**
  Connection: close
  Transfer-Encoding: chunked
  Content-Type: text/html; charset=UTF-8

In some circumstances, after logging in the second cookie is set to frontend=deleted. From my reading it appears that two frontend= cookies are not a "problem"; this is standard Magento behaviour. From my reading of the spec, the second frontend= cookie will overwrite the first if their scope/spec is the same.

Any ideas where we can start digging in to this problem to see why the second frontend= cookie does not behave like the first?

Magento version is Enterprise Edition, ver. 1.9.0.0.

asked Apr 18 '12 21:04 by hellomynameisjoel

1 Answer

This happens when the session validation checks fail: the cookie will then be cleared with the "deleted" value and an expiration date in the past.

The following information will be checked by Magento for validating a session:

  • The client IP address that is connecting to the server
  • The "Via" HTTP-Header
  • The "X-Forwarded-For" Header
  • The "User-Agent" Header

If one (or more) of these pieces of information changes between requests for the same session ID, the session will be discarded, the cookie will be cleared in the way described above, and the server will send a redirect header to the homepage.

You can change which information to validate in the Magento admin panel by going to System > Configuration > Web. But you should never turn off all checks, since this will allow session hijacking.

answered Sep 26 '22 19:09 by Axel
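Added example, not Magento's own code and not from the answer above: a small Python model of the session validation the answer describes (fingerprint the client on the first request, discard the session and emit a `frontend=deleted` cookie with a past expiry plus a redirect when any enabled attribute changes), together with an RFC 6265 cookie-jar model that shows what "same scope" means for the two Set-Cookie headers in the question. The request is assumed to arrive as a CGI-style dict (`REMOTE_ADDR`, `HTTP_USER_AGENT`, ...), the session is a plain dict, and the host `www.example.com`, the session-id values and the timestamps in `demo()` are constructed.

```python
"""Added example (not Magento's code): Magento-style session validation plus
an RFC 6265 cookie-jar model. Request dicts, host names, ids and timestamps
below are constructed for the walk-through."""
from datetime import datetime, timezone

# Request attributes the answer lists as validated; which ones are enabled is
# a configuration choice (System > Configuration > Web in the admin panel).
VALIDATORS = ("REMOTE_ADDR", "HTTP_VIA", "HTTP_X_FORWARDED_FOR", "HTTP_USER_AGENT")
COOKIE_DATE = "%a, %d-%b-%Y %H:%M:%S %Z"   # date format used in the quoted headers
PAST = "Thu, 01-Jan-1970 00:00:01 GMT"     # past expiry used to clear a cookie


def fingerprint(server, enabled=VALIDATORS):
    """Snapshot of the request attributes a session gets bound to."""
    return {key: server.get(key, "") for key in enabled}


def validate_session(session, server, enabled=VALIDATORS):
    """Return (ok, extra_response_headers).

    First request for a session: record its fingerprint. Later requests: every
    enabled attribute must be unchanged. On a mismatch the session is
    discarded, the cookie is cleared (value 'deleted', expiry in the past) and
    the client is redirected to the homepage, as the answer describes.
    """
    if not enabled:
        # Models the answer's warning: with no validators, any stolen session
        # id is accepted from any client.
        raise ValueError("at least one session validator must stay enabled")
    current = fingerprint(server, enabled)
    stored = session.get("_validator")
    if stored is None:
        session["_validator"] = current
        return True, {}
    if stored == current:
        return True, {}
    session.clear()
    return False, {"Set-Cookie": f"frontend=deleted; expires={PAST}; path=/",
                   "Location": "/"}


def parse_set_cookie(header):
    """Minimal Set-Cookie parser: name, value and lower-cased attribute names."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie


def store_cookie(jar, request_host, header, now=None):
    """Apply one Set-Cookie header to `jar` following RFC 6265 section 5.3.

    A cookie without a Domain attribute is host-only and takes the request host
    as its domain. The store key is (name, domain, path), so a later header
    replaces an earlier cookie only when all three match; an already-expired
    cookie evicts the entry under that key instead of being stored.
    """
    cookie = parse_set_cookie(header)
    domain = cookie.get("domain", "").lstrip(".").lower() or request_host.lower()
    key = (cookie["name"], domain, cookie.get("path", "/"))
    expires = cookie.get("expires")
    if expires:
        now = now or datetime.now(timezone.utc).replace(tzinfo=None)
        if datetime.strptime(expires, COOKIE_DATE) <= now:
            jar.pop(key, None)
            return jar
    cookie["host_only"] = "domain" not in cookie
    jar[key] = cookie
    return jar


def demo():
    """Constructed walk-through; returns the values worth inspecting."""
    # Same client twice, then the same session id presented by a different
    # User-Agent (one of the validated headers).
    session = {}
    client = {"REMOTE_ADDR": "203.0.113.5", "HTTP_USER_AGENT": "Mozilla/5.0"}
    first_ok, _ = validate_session(session, client)
    second_ok, _ = validate_session(session, client)
    hijack_ok, headers = validate_session(session, dict(client, HTTP_USER_AGENT="curl/7.22"))

    # The two Set-Cookie lines from the question (domain filled in as
    # example.com) as received by a browser at www.example.com, then a clearing
    # header for the domain-scoped cookie only.
    jar, host = {}, "www.example.com"
    future, t = "Wed, 18-Apr-2012 22:04:28 GMT", datetime(2012, 4, 18, 21, 4, 28)
    store_cookie(jar, host, f"frontend=iti6c00; expires={future}; path=/", t)
    store_cookie(jar, host, f"frontend=iti6c00; expires={future}; path=/; domain=example.com", t)
    after_login = len(jar)
    store_cookie(jar, host, f"frontend=deleted; expires={PAST}; path=/; domain=example.com", t)
    return {"first_ok": first_ok, "second_ok": second_ok, "hijack_ok": hijack_ok,
            "headers": headers, "cookies_after_login": after_login,
            "cookies_after_clear": len(jar),
            "remaining_host_only": all(c["host_only"] for c in jar.values())}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `demo()` shows the validator rejecting the third request and returning the clearing Set-Cookie plus the redirect, and the jar holding two `frontend` entries after the first response because a host-only cookie and a `domain=example.com` cookie are different keys; the clearing header with the Domain attribute removes only the domain-scoped one. Which of the two a browser then sends, and whether they collide at all, depends on the actual request host, so checking the real host against the configured cookie domain is a concrete place to start digging.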