widget + IE + ssl does not go together

[judleoson]

I try to show this widget with ssl:

index.php?module=Widgetize&action=iframe&moduleToWidgetize=VisitsSummary&actionToWidgetize=getLastVisitsGraph

I get a gray message. same message like if you run piwik.org/demo under ssl.

That happens only in IE. all the other browsers are happy with this.

That is the only issue that holds us from releasing piwik to our users in production.

Can someone help? thanks

[vipsoft]

The swfobject embedding code changed in 0.2.29, but I don't think the URL construction was touched. What Piwik version are you running? What errors do you see in the browser's error console?

[judleoson]

I am using 0.2.28.

I don't see any errors. only the gray thing containing some url.

use IE and go to:  https://piwik.org/demo/index.php?module=CoreHome&action=index&idSite=1&period=day&date=yesterday

you'll see what I see.

I tried to dig in the code to find where this happens and I stopped at line 101 in core/View.php

I felt I am going to deep and that the answer must be outside somewhere, in configuration level or something.

[vipsoft]

The SSL certificate on piwik.org was self-signed and it has expired, so the demo site isn't a valid test.

What's the problem you see on your site?

[judleoson]

same symptoms as in the demo. looks completely the same. we use a valid license of our service (www.triond.com)

when I remove the https. I get the desired graph. with https I get a gray line with this "msg":

 https://p.triond.com/index.php?module=VisitsSummary&action=getLastVisitsGraph&moduleToWidgetize=VisitsSummary&actionToWidgetize=getLastVisitsGraph&idSite=70209&period=day&date=2009

[vipsoft]

While I can't reproduce this on my set-up, it looks like this is a known problem. However, Googling for IE7+https+flash, turns up a mixed bag of solutions/workarounds. I'll research this a bit before I propose a "fix".

[judleoson]

thanks a bunch, I'll research as well.

[vipsoft]

Microsoft's solution is to apply a hotfix or registry setting (BypassSSLNoCacheCheck):

•  http://support.microsoft.com/kb/323308/

[judleoson]

I did some research and I managed to display the graph in IE!

The above link is less relevant for my case because we intend to use piwik within our service. therefore i cannot ask all of our users to do stuff with the registry.

I realized that the problem is the Cache-Control header which sends no-cache and no-store. I tried to force some other headers but it didn't work. Then we realized that there is a session involved which cause php to take over any other headers on the way.

so I added this line: session_cache_limiter("private");

to the very beginning of the code (first line in index.php) just to see that it can solve this issue and finally it worked.

The thing is that I know this is a very barbarian way to do it. There's must be a better way to control the session_cache_limiter so I can choose when to use it.

My question: is there any designated place to determine the Cache-Control? So I can change the Cache-Control only on specific cases and not all the time like I do now?

Thanks

[vipsoft]

The alternative would be just before session_start().

I'm still hoping to find a cleaner fix, but you might want to use session_cache_limiter() more selectively.

if(! in_array($_SERVER['HTTPS'], ['', 'off']) && preg_match('/MSIE/i', $_SERVER('HTTP_USER_AGENT')) && ! preg_match('/Opera/', $_SERVER('HTTP_USER_AGENT')))
{
    session_cache_limiter('private');
}

[vipsoft]

Sorry, I was posting from my iPhone... my array syntax was incorrect; it should be:

in_array($_SERVER['HTTPS'], array('', 'off'))

[vipsoft]

The more I look at this, the kludgier it gets. For example, the https check fails if a non-ssl piwik server goes thru a reverse proxy.

BTW this bug was fixed in IE6 sp2 according to  http://support.microsoft.com/kb/815313/

[vipsoft]

Can you test this on your site with the major browsers?

Index: index.php
===================================================================
--- index.php	(revision 906)
+++ index.php	(working copy)
@@ -40,6 +40,8 @@
 {
 	session_start();
 }
+header("Pragma: ");
+header("Cache-Control: no-store, must-revalidate");
 
 require_once "FrontController.php";
 

[moazebulon]

I permit me to create account and reply to this post because I have a SSL with piwik configuration and searching for solution to my flash pb on ssl I found this thread. I experiment the proposal solution that is : add lines : header("Pragma: "); header("Cache-Control: no-store, must-revalidate"); at the right place in index.php and for me it's ok. So if this reply can help other users I wil be happy to write this. Thanks and excuse the poor english of a french user

[moazebulon]

Replying to moazebulon:

I permit me to create account and reply to this post because I have a SSL with piwik configuration and searching for solution to my flash pb on ssl I found this thread. I experiment the proposal solution that is : add lines :

header("Pragma: ");

header("Cache-Control: no-store, must-revalidate");

at the right place in index.php and for me it's ok. So if this reply can help other users I wil be happy to write this. Thanks and excuse the poor english of a french user

Test to day on IE7 and FX3(with last flash FX pluggin) OK

[matt]

I am not sure about this patch and the potential side effects.

• why an empty pragma directive? is that necessary?
• setting Cache-Control: no-store means that none of the piwik responses will be cached, according to  http RFC : is that what we want? JS and Images wouldn't be affected and it seems they are the only ones that we really need to cache anyway.

Are you confident that there are no performance side effects on the UI?

[vipsoft]

I don't know of any reason to cache any of the dynamic content. Performance can't get any worse because nocache appears to be the prevailing PHP default configuration. For example, these are the cache control headers sent by the Piwik demo site and on my server:

Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache

I manually cleared the Pragma header because, when session.cache_limiter is set to nocache in php.ini, PHP sets the default headers to the above. And reading 14.32 of the spec, the server shouldn't be sending this in the response to begin with.

Removing no-cache from Cache-Control appears to be safe, so long as we keep the Expires header and Cache-Control: must-revalidate. (13.2.1 and 13.2.4 of RFC2616)

I wonder if we should also remove Cache-Control: no-store, if in future we want to make better use of Smarty caching.

[matt]

ok, thanks for clarification. committed in [926] (in view->render rather than in index.php)