After a succesful login some users got the gatekeeper message "You need to be logged in to view this page". So no wrong username or password.
After days of digging and logging this resulted in the following conclusion.
On some browsers (mostly IE8 in our case) the session cookie was too late (or not at all) updated on the client side. When arriving on the page (after a succesfull login) the session id of Elgg is not matching the session id in the cookie and therefore you are not logged in.
This behaviour is caused by the session_regenerate_id function in the login function. You can read about these issues in the comments on this function ([http://php.net/manual/en/function.session-regenerate-id.php]).
we do not know for sure if only IE8 users are affected. We did not do extensive logging on browsers related to this issue. "Mostly IE8" is based on internet resources we found where other people experiencing the same issue report it as related to IE8.
we ruled out fingerprint issues as we already disabled that.
Ok i will try to enable some logging to track down the issues.
I've seen the situation of IE8 and IE9 going in and out of compatibility mode, but could not relate it to this particular problem. As user_agent is not related to the session (other than the fingerprint) as far as i know.
All ideas still do not lead to a constructive solution for this "bug";
We're basically no where on this issue. We have had no reports outside of this ticket. We don't know what versions of IE are affected by this and it may not even be repeatable. Not sure what to do with this ticket.