1 Internet Explorer and SSL
2 Luke Ehresman <luke@squirrelmail.org>
3 =====================================
5 I've just spent the last few days trying to track down the now famous bug
6 with IE and SSL. The problem lies in the fact that PHP sends some no-cache
7 headers whenever a session is started. IE chokes when trying to download a
8 file that it can't cache over SSL. We use session management to store many
9 things, one being the key to decypher the password.
11 Once we had figured out that it was sessions in PHP that was causing the
12 problem, we tried turning the session management off in the download script
13 in Squirrelmail. This introduced another problem for us because we NEEDED
14 sessions to decypher the key so we could log into the IMAP server and
15 download the attachment.
17 Next we tried leaving the sessions turned off, but passed the key in through
18 a GET parameter. This worked, but is obviously not a very secure way of
21 Our quest continued for a good solution. Finally, I was browsing through
22 the source of PHP, I noticed the 2 headers it was sending were "Pragma" and
23 "Cache-Control". I had the crazy idea of defining these again after the
24 session had been started, and lo and behold, it worked! Below is the code
29 header("Cache-Control: cache");
31 With all the testing I have done, this works, and works very well for all
35 This was submitted by Marcin Jessa <yazzy@yazzy.org>
36 ====================================================
37 Reading INSTALL file of SqWebMail i found following note:
39 Tweak the web server for MSIE
40 The MSIE browser has a number of bugs in its HTTP/1.1 implementation,
41 at least as of MSIE 4.x and 5.x. You must configure your web server to
42 use HTTP/1.0 when talking to any MSIE browser (at least until MSIE
43 gets fixed). The problem has to do with downloading attachments.
44 Apparently, MSIE forgets how MIME works, when it uses HTTP/1.1. For
45 the Apache server, insert the following directive in httpd.conf:
47 BrowserMatch "MSIE" nokeepalive downgrade-1.0 force-response-1.0
49 Recent versions of Apache already have a similar directive for a
50 specific version of MSIE, MSIE 4.0b2. Just replace it with a
51 browsermatch for any MSIE version.