|
@@ -0,0 +1,32 @@
|
|
|
|
|
+Internet Explorer and SSL
|
|
|
|
|
+Luke Ehresman <luke@squirrelmail.org>
|
|
|
|
|
+=====================================
|
|
|
|
|
+
|
|
|
|
|
+I've just spent the last few days trying to track down the now famous bug
|
|
|
|
|
+with IE and SSL. The problem lies in the fact that PHP sends some no-cache
|
|
|
|
|
+headers whenever a session is started. IE chokes when trying to download a
|
|
|
|
|
+file that it can't cache over SSL. We use session management to store many
|
|
|
|
|
+things, one being the key to decypher the password.
|
|
|
|
|
+
|
|
|
|
|
+Once we had figured out that it was sessions in PHP that was causing the
|
|
|
|
|
+problem, we tried turning the session management off in the download script
|
|
|
|
|
+in Squirrelmail. This introduced another problem for us because we NEEDED
|
|
|
|
|
+sessions to decypher the key so we could log into the IMAP server and
|
|
|
|
|
+download the attachment.
|
|
|
|
|
+
|
|
|
|
|
+Next we tried leaving the sessions turned off, but passed the key in through
|
|
|
|
|
+a GET parameter. This worked, but is obviously not a very secure way of
|
|
|
|
|
+handling things.
|
|
|
|
|
+
|
|
|
|
|
+Our quest continued for a good solution. Finally, I was browsing through
|
|
|
|
|
+the source of PHP, I noticed the 2 headers it was sending were "Pragma" and
|
|
|
|
|
+"Cache-Control". I had the crazy idea of defining these again after the
|
|
|
|
|
+session had been started, and lo and behold, it worked! Below is the code
|
|
|
|
|
+that made this work:
|
|
|
|
|
+
|
|
|
|
|
+ session_start()
|
|
|
|
|
+ header("Pragma: ");
|
|
|
|
|
+ header("Cache-Control: cache");
|
|
|
|
|
+
|
|
|
|
|
+With all the testing I have done, this works, and works very well for all
|
|
|
|
|
+browsers.
|
Luke Ehresman