--- /dev/null
+Internet Explorer and SSL
+Luke Ehresman <luke@squirrelmail.org>
+=====================================
+
+I've just spent the last few days trying to track down the now famous bug
+with IE and SSL. The problem lies in the fact that PHP sends some no-cache
+headers whenever a session is started. IE chokes when trying to download a
+file that it can't cache over SSL. We use session management to store many
+things, one being the key to decypher the password.
+
+Once we had figured out that it was sessions in PHP that was causing the
+problem, we tried turning the session management off in the download script
+in Squirrelmail. This introduced another problem for us because we NEEDED
+sessions to decypher the key so we could log into the IMAP server and
+download the attachment.
+
+Next we tried leaving the sessions turned off, but passed the key in through
+a GET parameter. This worked, but is obviously not a very secure way of
+handling things.
+
+Our quest continued for a good solution. Finally, I was browsing through
+the source of PHP, I noticed the 2 headers it was sending were "Pragma" and
+"Cache-Control". I had the crazy idea of defining these again after the
+session had been started, and lo and behold, it worked! Below is the code
+that made this work:
+
+ session_start()
+ header("Pragma: ");
+ header("Cache-Control: cache");
+
+With all the testing I have done, this works, and works very well for all
+browsers.