New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Session variables are not saved in Internet Explorer 11 #2962

Closed
Marwelln opened this Issue Dec 16, 2013 · 53 comments

Comments

Projects
None yet
@Marwelln
Contributor

Marwelln commented Dec 16, 2013

First request (Chrome):

Session::put('foo', 'bar');
var_dump(Session::all());

Output:

array (size=4)
  '_token' => string '...' (length=40)
  'flash' => 
    array (size=2)
      'old' => 
        array (size=0)
          empty
      'new' => 
        array (size=0)
          empty
  'foo' => string 'bar' (length=3)

Second request:

//Session::put('foo', 'bar');
var_dump(Session::all());

Output: Same as before


First request (Internet Explorer):

Session::put('foo', 'bar');
var_dump(Session::all());

Output:

array (size=2)
  '_token' => string '...' (length=40)
  'foo' => string 'bar' (length=3)

Second request (Internet Explorer):

//Session::put('foo', 'bar');
var_dump(Session::all());

Output:

array (size=1)
  '_token' => string '...' (length=40)

As you can see, IE is not adding the flash array on the first request nor saving foo to the second request. Why? Cookies works fine. Session doesn't.

I'm using the latest version of Laravel 4.1.

@taylorotwell

This comment has been minimized.

Member

taylorotwell commented Dec 16, 2013

Are you sure that var_dump isn't keeping your cookies from being set?

@Marwelln

This comment has been minimized.

Contributor

Marwelln commented Dec 19, 2013

The problem is, every time I refresh the page a new session is started (at least a new file in app/storage/session is created). This only happens in Internet Explorer (two different versions on different machines). Chrome and Firefox is fine and works as usual.

This is on a fresh installation of Laravel 4.1 with no changes made to the session configuration file.

@searsaw

This comment has been minimized.

searsaw commented Dec 23, 2013

I also noticed IE11 breaks the csrf filter. I keep getting a Illuminate\Session\TokenMismatchException

@Marwelln

This comment has been minimized.

Contributor

Marwelln commented Dec 23, 2013

I have found out that my issue must have something to do with a server configuration. If i use artisan serve or another server IE can use session without problem. This is something that didn't exists in Laravel 4.0 tho.

@searsaw

This comment has been minimized.

searsaw commented Dec 23, 2013

I would love to know what server config I could change to prevent this.

@Marwelln

This comment has been minimized.

Contributor

Marwelln commented Dec 30, 2013

My problem was that my Virtualbox server used a different time then my Host. It works now when I synced the time on the server.

@benjaminkohl

This comment has been minimized.

Contributor

benjaminkohl commented Jan 3, 2014

I upgraded a Laravel 4.0 site to 4.1 and I am getting the token mismatch exception. I put a tweet out to see if anyone else had run into this issue but didn't get a response. This thread is the closest thing I've seen to the problem I am having except I am not using cookies or IE11.

@sergio-avila

This comment has been minimized.

sergio-avila commented Feb 1, 2014

I have the same problem with IE 11 (form POST Data _token = WpyQ0ZyUQEtGRHU4TSjoYE4d0uufKEFuEJOk294v)
Session token _sf2_attributes Array ([_token] => X1eouUPHidEk0NOQ95lmcWA1eDyFLaQljpjBasAl)

@QaiserAli

This comment has been minimized.

QaiserAli commented Feb 21, 2014

Hi,

I have the same issue with IE 10 and it works well in other browsers. I think this is something happening with Laravel 4.1:-)

Thanks

@jeroendesloovere

This comment has been minimized.

jeroendesloovere commented Apr 18, 2014

I have the same problem on a website not build with Laravel. IE sucks

@ghost

This comment has been minimized.

ghost commented Apr 23, 2014

I have the same issue. When using Firefox, Chrome or Safari the session id remains the same. When I try in IE 11, every pageview has another session id.. I tried with file, cookie and database session drivers.

@ghost

This comment has been minimized.

ghost commented Apr 24, 2014

I fixed it by changing this parameter in the app/session.php
'expire_on_close' => false,
to
'expire_on_close' => true,

Odd..

@tmountjr

This comment has been minimized.

tmountjr commented May 9, 2014

I'm having this same problem on all versions of IE (8-11) and not any other browser...but my app/session.php file already has 'expire_on_close' set to true. Changing it to false didn't help the problem.

@stormsson

This comment has been minimized.

stormsson commented Jul 18, 2014

Hello, is this issue solved ? because i seem to have the same problem with ie 9 too

@tmountjr

This comment has been minimized.

tmountjr commented Jul 18, 2014

I doubt my solution applies to a lot of people, but in our case we were using an underscore in the subdomain name (some_subdomain.domain.url), which is technically not allowed in some spec (HTML? working from memory here) but IE is the only browser to honor that restriction, and it does so by not allowing cookies to be stored from those subdomains. No cookies = no Laravel session = things like Input::flash and Session::flash don't work. We renamed the subdomain to some-subdomain.domain.url and everything magically started working.

@joshuapinter

This comment has been minimized.

joshuapinter commented Aug 4, 2014

I'm also having an issue with, what appears to be, an IE 11 CSRF issue. Not doing anything fancy and IE11 produces a CSRF warning on Rails. Although, I can't seem to reproduce this in BrowserStack so I'm hooped for finding a resolution.

@miguelgarcia7

This comment has been minimized.

miguelgarcia7 commented Aug 11, 2014

I was only able to reproduce this issue in the virtual machine running windows.
On actual laptops and desktops I didn't get this error. The countless hours that IE takes from all developers is insane.

@briedis

This comment has been minimized.

briedis commented Aug 22, 2014

Same problem confirmed and possible fault found.

My situation is that I show my page in a iframe on a different domain.
I did some debugging, and it seems that IE (and Safari, probably) doesn't pass cookies to iframe, so a new session is made each time.

It looks like the classic IE/Safari Iframe cookie problem.

Can others affected with this problem confirm this, that cookies aren't passed?

@briedis

This comment has been minimized.

briedis commented Aug 22, 2014

Possible fix for IE iframe cookie bug:

App::after(function (Illuminate\Http\Request $request, \Symfony\Component\HttpFoundation\Response $response){
  $response->header('P3P', 'CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"');
});
@joshuapinter

This comment has been minimized.

joshuapinter commented Aug 22, 2014

@briedis The iFrame might be the issue I'm dealing with as well, as the customer is connecting through a Citrix environment. I don't know enough about Citrix or their setup to know for sure though.

If I see this pop up again, I'll give your solution a go.

Cheers.

@lchogan

This comment has been minimized.

lchogan commented Oct 13, 2014

I had a similar problem in an iframe. The solution briedis posted seems to solve it. Thanks so much.

@ddno

This comment has been minimized.

ddno commented Nov 12, 2014

briedis solution worked for me too. Thank you very much.

@philsown

This comment has been minimized.

philsown commented Dec 4, 2014

A cookie would never be sent to a different domain per HTTP, and a session on one server would not be present on a different server. I'm wondering if everyone in this thread is having this problem in an iframe, or if there is an example that is not using an iframe.

@littlehoughton

This comment has been minimized.

littlehoughton commented Mar 10, 2015

i am using Laravel 4.0 and my app is working fine in all other browsers but in IE is not working i am not able to sign in .. no errors showing ....and i would like to share one more thing in some machines its also works in IE but its not working in every system .....i am stuck badly ....

@sbarre

This comment has been minimized.

sbarre commented May 5, 2015

A quick note for anyone who finds this and implements @briedis 's idea:

In L5 you should do with this a middleware, but also importantly you should make sure you exclude responses that are redirects, otherwise it will throw an error!

    public function handle($request, Closure $next)
    {

        $response = $next($request);

        if (last(explode('\\',get_class($response))) != 'RedirectResponse') {
            $response->header('P3P', 'CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"');
        }

        return $response;
    }
@aka-darth

This comment has been minimized.

aka-darth commented Jun 2, 2015

I have same problem in node.js.. IE sucks

@avanderbergh

This comment has been minimized.

avanderbergh commented Oct 18, 2015

Thanks for the update @sbarre

Why would it throw an error on redirect responses? I need to set that header on a redirect response as my app is called from a parent app in an iframe and authentication is done with SAML.

I have tried implementing that Middleware on all requests and don't seem to get any errors on redirect responses...? Just don't want to run into any unforeseen problems later!

@edgar-orozco

This comment has been minimized.

edgar-orozco commented Nov 20, 2015

I have the same problem, in my case it turns out IE silently drops cookies if the server time is in the past respect to the time in the client machine...
The time in the server was OK, the time in the client not...

I think the better way to solve this issue is drop IE of this planet.

@jeroendesloovere

This comment has been minimized.

jeroendesloovere commented Nov 20, 2015

IE sucks

@robincsamuel

This comment has been minimized.

robincsamuel commented Mar 7, 2016

Thanks @briedis. That solved my problem, and explained it here for beginners
https://robinz.in/csrf-token-session-error-with-laravel-on-ie-edge/

@polyma

This comment has been minimized.

polyma commented Jul 21, 2016

@kryap 's solution worked for me. Not ideal as I ideally wouldn't like the user to have their session be restarted on browser shutdown and also that I have no idea why it works!

@robincsamuel

This comment has been minimized.

robincsamuel commented Jul 21, 2016

@polyma @briedis's solutions seems perfect!

@divostar

This comment has been minimized.

divostar commented Aug 16, 2016

IE sucks. My app is working all on major browsers except IE. It is a laravel 5.1.x app. I am getting the token mismatch exception upon login. What could be the issue. JavaScript refresh not working but same app is working well on other browsers. Even edge has issues. An authenticated user is able to view home page even though I've middle ware setup to redirect a logged in user to his profile. What can I do to fix this issue?

@robincsamuel

This comment has been minimized.

robincsamuel commented Aug 16, 2016

@divostar I had the same issue, and i got the answer from this thread. I tried to put it together on my blog.
https://robinz.in/csrf-token-session-error-with-laravel-on-ie-edge/

@divostar

This comment has been minimized.

divostar commented Aug 17, 2016

Hi @robincsamuel, I have read your blog and implemented your idea but I keep getting the TokenMismatch error on IE/Edge

@divostar

This comment has been minimized.

divostar commented Aug 17, 2016

Here is my implementation. Why isn't it working:

<?php

namespace App\Http\Middleware;

use Closure;

class IeFix
{
    /**
     * Handle an incoming request. Fix session error with Laravel on IE/Edge
     *
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        $response = $next($request);
        $response->header('P3P', 'CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"');
        return $response;
    }
}
class Kernel extends HttpKernel
{
    /**
     * The application's global HTTP middleware stack.
     *
     * @var array
     */
    protected $middleware = [
        \Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode::class,
        \App\Http\Middleware\EncryptCookies::class,
        \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
        \Illuminate\Session\Middleware\StartSession::class,
        \Illuminate\View\Middleware\ShareErrorsFromSession::class,
        \App\Http\Middleware\VerifyCsrfToken::class,
        \App\Http\Middleware\SetApplicationLanguage::class,
        \App\Http\Middleware\IeFix::class,
    ];
@robincsamuel

This comment has been minimized.

robincsamuel commented Aug 17, 2016

@divostar seems exactly the same and it worked for me.

@EmilMoe

This comment has been minimized.

EmilMoe commented Oct 27, 2016

I tried this too, didn't help on Edge.

@sblawrie

This comment has been minimized.

Contributor

sblawrie commented Jan 6, 2017

Authentication (and the storing of sessions) wasn't working for me in my Laravel 4.2 app on ie11, but working in other browsers. The problem was that the domain key in the session.php config file was set to null. If you only have one domain, try setting this value to that domain.

Since my app has multiple domains, I just set that value dynamically in the App::before() filter with:
Config::set('session.domain', <insert domain>);, and it worked. Make sure the value is set before any redirects.

One other thing - you should simultaneously change the cookie value in the session.php file to something else, too. Otherwise ie11 still tries to use the old session cookies.

Hopefully this solves someone else's problem, too.

Edited 1/12/2017: Ran into the problem again on ie11 on Windows 10. Still looking for fix.

@sblawrie

This comment has been minimized.

Contributor

sblawrie commented Jan 13, 2017

@littlehoughton Were you ever able to solve your problem? I'm having the same issue.

@lskupnjak

This comment has been minimized.

lskupnjak commented Mar 15, 2017

Looks like this could be the source of the problem - https://support.microsoft.com/en-us/help/3071338/internet-explorer-11-adds-support-for-http-strict-transport-security-standard. I'm still looking for a workaround.

@EmilMoe

This comment has been minimized.

EmilMoe commented Mar 15, 2017

My issue is related to SAML. Have a look here http://stackoverflow.com/questions/34091031/saml-assertion-is-being-replayed-in-internet-explorer-11-only

It's also only IE11 and Edge related - and only sometimes. But since it works sometimes I don't feel certain your theory is valid @lskupnjak - no matter how much I wish there was a solution found yet.

@lskupnjak

This comment has been minimized.

lskupnjak commented Mar 15, 2017

@EmilMoe We have a similar issue reported by the client, he reported that on each screen he has a different "login" status. We found out that PHPSESSID cookie is different on every page and that brought me to this Laravel issue. When HSTS is turned off, the issue doesn't appear. So maybe that could help resolving this issue. Btw our site isn't built on Laravel.

@EmilMoe

This comment has been minimized.

EmilMoe commented Mar 15, 2017

Yes maybe. My error might differ too, I feel very lost on this on, @lskupnjak

https://laracasts.com/discuss/channels/laravel/session-lost-after-login

-- Edit:
It wasn't that issue for me.

My issue seems to be this: http://stackoverflow.com/a/40814059/6102188

@blogui91

This comment has been minimized.

blogui91 commented Sep 14, 2017

I'm working in L5.4, I added the middleware written by @divostar (in comments above) and it worked 👏

@divostar

This comment has been minimized.

divostar commented Sep 15, 2017

Cool @blogui91

@SturmB

This comment has been minimized.

SturmB commented Oct 26, 2017

I'm getting the TokenMismatchException in IE11 with L5.5, even after trying the fix proposed by @briedis, @robincsamuel, and @divostar. What now?

@lefrancois

This comment has been minimized.

lefrancois commented Mar 20, 2018

@SturmB Same here, you found a solution?

@SturmB

This comment has been minimized.

SturmB commented Mar 20, 2018

@lefrancois It's been five months, so I'm not sure if this is the solution to the problem, or if it's a solution to a different problem, but here's what I did:

Because I was using Homestead on Parallels (on a Mac), the date/time of the virtual machine was significantly different than that of the host machine. For some reason, this only seemed to cause an issue with IE, not with other browsers. After manually triggering an update to the date/time on the VM, the problem disappeared.

I still don't know why the VM (Homestead) isn't set up to automatically re-sync its date/time once per day or some such. I also still don't know how to set it up to do so. Thus, I must trigger the update manually every so often, like every week or so.

I hope this helps and that I am remembering the correct problem to which this solution applies. Cheers!

@lefrancois

This comment has been minimized.

lefrancois commented Mar 20, 2018

@SturmB Thank you for your informations!! That is what I found out right now. It has something to do with the time difference, I am still trying to find a solution without manually re-syncing.

@lasseeee

This comment has been minimized.

lasseeee commented Sep 9, 2018

I fixed this by removing the underscores from the session name:

    /*
    |--------------------------------------------------------------------------
    | Session Cookie Name
    |--------------------------------------------------------------------------
    |
    | Here you may change the name of the cookie used to identify a session
    | instance by ID. The name specified here will get used every time a
    | new session cookie is created by the framework for every driver.
    |
    */

    'cookie' => env(
        'SESSION_COOKIE',
        str_slug(env('APP_NAME', 'laravel'), '').'session'
    ),
@frans-beech-it

This comment has been minimized.

frans-beech-it commented Sep 11, 2018

@lasseal are your sure the issue is the _ in the session name? Isn't your issue now (temporary) solved because there is a new session name?

In my test on a system that had session issues I saw it had 2 laravel_session cookies with the same name. And I couldn't remove them somehow. Not sure why IE didn't want to remove them....

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment