| 1 | Internet Explorer and SSL |
| 2 | Luke Ehresman <luke@squirrelmail.org> |
| 3 | ===================================== |
| 4 | |
| 5 | I've just spent the last few days trying to track down the now famous bug |
| 6 | with IE and SSL. The problem lies in the fact that PHP sends some no-cache |
| 7 | headers whenever a session is started. IE chokes when trying to download a |
| 8 | file that it can't cache over SSL. We use session management to store many |
| 9 | things, one being the key to decypher the password. |
| 10 | |
| 11 | Once we had figured out that it was sessions in PHP that was causing the |
| 12 | problem, we tried turning the session management off in the download script |
| 13 | in SquirrelMail. This introduced another problem for us because we NEEDED |
| 14 | sessions to decypher the key so we could log into the IMAP server and |
| 15 | download the attachment. |
| 16 | |
| 17 | Next we tried leaving the sessions turned off, but passed the key in through |
| 18 | a GET parameter. This worked, but is obviously not a very secure way of |
| 19 | handling things. |
| 20 | |
| 21 | Our quest continued for a good solution. Finally, I was browsing through |
| 22 | the source of PHP, I noticed the 2 headers it was sending were "Pragma" and |
| 23 | "Cache-Control". I had the crazy idea of defining these again after the |
| 24 | session had been started, and lo and behold, it worked! Below is the code |
| 25 | that made this work: |
| 26 | |
| 27 | session_start() |
| 28 | header("Pragma: "); |
| 29 | header("Cache-Control: cache"); |
| 30 | |
| 31 | With all the testing I have done, this works, and works very well for all |
| 32 | browsers. |
| 33 | |
| 34 | |
| 35 | This was submitted by Marcin Jessa <yazzy@yazzy.org> |
| 36 | ==================================================== |
| 37 | Reading INSTALL file of SqWebMail i found following note: |
| 38 | |
| 39 | Tweak the web server for MSIE |
| 40 | The MSIE browser has a number of bugs in its HTTP/1.1 implementation, |
| 41 | at least as of MSIE 4.x and 5.x. You must configure your web server to |
| 42 | use HTTP/1.0 when talking to any MSIE browser (at least until MSIE |
| 43 | gets fixed). The problem has to do with downloading attachments. |
| 44 | Apparently, MSIE forgets how MIME works, when it uses HTTP/1.1. For |
| 45 | the Apache server, insert the following directive in httpd.conf: |
| 46 | |
| 47 | BrowserMatch "MSIE" nokeepalive downgrade-1.0 force-response-1.0 |
| 48 | |
| 49 | Recent versions of Apache already have a similar directive for a |
| 50 | specific version of MSIE, MSIE 4.0b2. Just replace it with a |
| 51 | browsermatch for any MSIE version. |