[Phplib-users] Re: Templates/SSL/IE5 Problem

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Greetings,

I never received any response when I posted this back in January but, it 
came up again and I finally figured out what was wrong.  More specifically, 
I figured out how to compensate for this particular aspect of IE being 
broken.  This is not a phplib-specific issue but, the problem didn't show 
up for me until I was using phplib with SSL and templates.  I thought I 
would share the solution for posterity.

Basically, IE doesn't behave correctly (i.e. standards-compliantly) in 
conducting GET and POST operations with SSL servers with keepalive enabled:

    http://www.quikstore.com/download/ssl_timeout_problem/ssl_problem.txt

Setting the KeepAliveTimeout to 65 seconds and MaxKeepAliveSessions to 300 
in the Apache httpd.conf file seems to have resolved the issue for at least 
some of the test cases.

It may also be helpful to force MSIE clients to fallback to using SSL2, 
rather than permitting them to use SSL3.  This can be done with a variation 
of the fixes described on this page (the SetEnvIf and SSLCipherSuite items):

    http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#io-ie

I hope that helps someone else sometime.

Andrew Crawford
An...@Ev...

On 11 Jan 2002 at 00:32:03 -0700, I wrote:
>I wrote a PHP script (standalone, no phplib components) to accept some 
>data input through a secure (SSL) web form, present that information for 
>review, and then process it.  It works great.
>
>I modified the script so that it uses phplib templates (from phplib 
>version 7.2d) for all of the output (the original form, the review page, 
>and the final results page.)  It works great ... except in IE 5 for Windows.
>
>In IE 5, the initial form loads fine.  I fill in some data and press the 
>submit button.  IE pops up a dialogue that says:
>
>>You are about to leave a secure internet connection.  It will be possible 
>>for others to view the information you send. [Yes] [No] [More Info]
>
>This message should not appear.  The connection is secure (well, as secure 
>as it gets for web transactions - I know Bruce Schnier would have 
>comments.)  I changed all of the relative references in my template to 
>absolute references, including the "https://".  I changed all the graphics 
>in the page and even the reference for the style sheet.  So, I see nothing 
>in the page that should cause it to retrieve anything via anything but https.
>
>If I hit "Yes" in response to the dialogue, I get a "this page cannot be 
>displayed" error page, culminating in this error message:
>
>>Cannot find server or DNS Error
>
>I can then hit refresh and get back to the blank form with all input lost.
>
>If I hit "No" in response to the pop-up dialogue, it returns to the 
>populated form and lets me try again.
>
>Either way, on the second try, there is no pop-up dialogue and the script 
>proceeds as it should (as it does in all other browsers I have tested, 
>including IE 5 for MacOS.)  When submitting the okay for the review, the 
>same thing happens.
>
>The problem disappears when accessing the same form with a regular http 
>connection.  So, this appears to be a problematic interaction among IE 5, 
>SSL, and phplib templates.
>
>I loathe IE for always being part of problems like this but, it is in such 
>widespread use, I have to support it.  Anyone have any guesses about what 
>might be causing this or how I can fix it?
>
>This is my first foray into using phplib templates (though I have been 
>using phplib for other things for quite some time) so, this could easily 
>be a known issue or a stupid user problem.  I will be hesitant to use 
>phplib templates in other projects until I can figure out what is wrong 
>here.  So, any insight would be appreciated.
>
>BTW, I notice that the initial comments block in template.inc appears to 
>contain the wrong description:
>
>>/*
>>  * Session Management for PHP3
>>  *
>>  * (C) Copyright 1999-2000 NetUSE GmbH
>>  *                    Kristian Koehntopp
>>  *
>>  * $Id: template.inc,v 1.5 2000/07/12 18:22:35 kk Exp $
>>  *
>>  */
>
>Shouldn't it be "Templates for PHP" or something rather than "Session 
>Management?"
>
>Thank you for any suggestions you can render.