It's well-known bug, when IE looses the cookie with session ID when site is placed within frame/iframe on the different domain. But, in certain cases other browsers does loose the session ID too.

I offer the patch to solve the issue.
It shows not so smooth URLs, but do the job.

.htaccess

php_flag session.use_cookies Off
php_flag session.use_trans_sid On

session.inc

function sess_read($key) {
  global $user;

  $p = func_get_args();
  $result = db_query_range("SELECT u.*, s.* FROM {users} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE s.sid = '%s' AND u.status < 3", $key, 0, 1);

  if (!db_num_rows($result)) {
/*
*  this is really dirty patch....... but we need it
*/
    if (preg_match('/[?&]'.session_name().'=([^&$]+)/', $_SERVER['QUERY_STRING'],$m) || $m[1] = $_POST[session_name()]) {
      $result = db_query_range("SELECT u.*, s.* FROM {users} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE s.sid = '%s' AND u.status < 3", $m[1], 0, 1);

    }
    if (!db_num_rows($result)) {
      db_query("INSERT INTO {sessions} (sid, uid, hostname, timestamp) VALUES ('%s', 0, '%s', %d)", $key, $_SERVER["REMOTE_ADDR"], time());
      $result = db_query("SELECT u.* FROM {users} u WHERE u.uid = 0");
    } else {
      $key = $m[1];
      session_id($key);
    }
/*
*  dirty patch end
*/
  }

Comments

Crell’s picture

Status: Active » Closed (won't fix)

1) This is not a real patch. See http://drupal.org/diffandpatch Also, new features only go against HEAD, not 4.6.

2) Drupal used to use a session variable in the URL sometimes as a backup. It annoyed almost everyone. It was deliberately removed for 4.7 because it was ugly, made sites less usable, was a security risk, and could hurt search engine rankings. See http://drupal.org/node/4109

3) That IE is broken with respect to cookies is not something we can necessarily deal with, especially if the fix involves re-breaking the system.

Setting to won't fix.

WingedFox’s picture

> 1) This is not a real patch.
It is not a patch, it's just a wish implemented in real and tested code

> 2) Drupal used to use a session variable in the URL sometimes as a backup. It annoyed almost everyone.
It's annoying when the site placed in the frame does not work with the sessions properly.

> 3) That IE is broken with respect to cookies is not something we can necessarily deal with
Are you working to make really good CMS?

> especially if the fix involves re-breaking the system.
What's there could re-break the system? It's just a peice of code to make system work in unusual situations.
No need to use it all the time, just let peoples to turn it on, if needed.

> made sites less usable,
does not count, when the site in the frame

> was a security risk,
does not count, when the site in the frame

> and could hurt search engine rankings.
it's a fake.

> See http://drupal.org/node/4109
lot's of bla-bla-bla's with a little of the good information.

> Setting to won't fix.
Up to you.