Not Secure and Deleting Cookies?

Forum Moderators: phranque

Message Too Old, No Replies

Not Secure and Deleting Cookies?

strange problem

txbakers

1:00 pm on Sep 20, 2005 (gmt 0)

One of my customers is having a very strange problem with her PC and I can't seem to identify it.

My site runs in HTTPS from the home page onwards. When she loads the home page, she gets a message "some items are not secure, do you want to display the non-secure items?" Yet no one else gets that message, and I can't find anything on that page that resides in a non-secure directory.

When she clicks "no", everything still shows up.

Then, when she logs in, she logs in successfully to the "Welcome" page. The login screen sets Session variables, which display correctly on the welcome screen. BUT when she refreshes the welcome screen, she becomes EOF as the cookie has been deleted.

We walked through all kinds of scenarios, but nothing helped her.

I suspect a trojan or other kind of spyware, but I'm not sure.

Any ideas from out here in WebmasterWorld land?

Thanks.

coopster

1:34 pm on Sep 20, 2005 (gmt 0)

The non-secure items are more than likely image links (http://example.com/images/myimage.png).

As far as the cookie goes it could be any number of things. Has she checked her browser settings, antivirus software settings/updates, firewall settings/updates?

txbakers

5:14 pm on Sep 20, 2005 (gmt 0)

Yep to all of the firewall,cookies,virus stuff (though there could be more out there.)

And I've scoured the code for any http links, but there aren't any. No one else I know gets that message about insecure items. Which leads me to suspect some type of trojan has coopted her browser dlls.

coopster

6:27 pm on Sep 20, 2005 (gmt 0)

Hmmm. Longshot, but have you asked her to try a different browser? Have her download Fx and hit the site to see if she gets the same issues. She could setup Fx to ask for cookies each time and easily view page information that may provide better details (assuming the issue continues in the FireFox browser as well).

Can't think of another route to test right now ...

rocknbil

8:00 pm on Sep 20, 2005 (gmt 0)

Are you using flash?

Pluginspage="http://www.macromedia.com . . . .
will do it too.

Pluginspage="https://www.macromedia.com . . . .

The problem is you need to be able to duplicate it, or get her on the phone and do a trial-and-error delete: delete a portion of your page code, have her refresh, and on and on until you identify the culprit.

txbakers

8:19 pm on Sep 20, 2005 (gmt 0)

Thanks all. We were on the phone for about an hour, and we left it with her downloading FireFox.

We tried all kinds of security options in IE, even the CTRL-Refresh.

No flash on the site, no external links to any plug ins. I don't usually trust them for that reason.

coopster

9:42 pm on Sep 22, 2005 (gmt 0)

I'm interested to know what your findings are, did she have a chance to test FireFox against the site yet?

txbakers

11:55 pm on Sep 22, 2005 (gmt 0)

One other use with the same problem downloaded FF and it worked perfectly.

I'm still baffled at what could corrupt IE to force it to delete Session cookies.

The odd thing is that she could indeed login and set the cookie. But it wouldn't keep it from screen to screen.

coopster

2:23 pm on Sep 23, 2005 (gmt 0)

I have run into the same problem with MS IE before. I always have my browsers set to ask me before accepting any cookies. MSIE will on the first visit to the site and I will accept the cookie. However, on my next navigational step I won't be prompted for a cookie and the site page will not be returned. However, if check the box to always allow cookies from that site on the very first cookie request, the MSIE browser acts like a normal browser and I am free to navigate the site under a session umbrella successfully.

I searched for service packs, issues, etc. but never did come to any sort of conclusion on what is causing MSIE to misbehave. Workaround was to accept all cookies for the site by checking the box on the first visit.