Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#550 closed Bug (fixed)

widget + IE + ssl does not go together

Reported by: judleoson
Owned by:
Priority: major
Milestone: RobotRock
Component: Core
Keywords: SSL, IE, widget
Cc:
Sensitive:

Description

I try to show this widget with ssl:

index.php?module=Widgetize&action=iframe&moduleToWidgetize=VisitsSummary&actionToWidgetize=getLastVisitsGraph

I get a gray message, the same message as if you run piwik.org/demo under SSL.

That happens only in IE. All the other browsers are happy with this.

That is the only issue that holds us from releasing piwik to our users in production.

Can someone help? Thanks

Change History (21)

comment:1 Changed 5 years ago by vipsoft (robocoder)

The swfobject embedding code changed in 0.2.29, but I don't think the URL construction was touched. What Piwik version are you running? What errors do you see in the browser's error console?

comment:2 Changed 5 years ago by judleoson

I am using 0.2.28.

I don't see any errors, only the gray thing containing some URL.

Use IE and go to:
https://piwik.org/demo/index.php?module=CoreHome&action=index&idSite=1&period=day&date=yesterday

You'll see what I see.

I tried to dig in the code to find where this happens and I stopped at line 101 in core/View.php

I felt I was going too deep and that the answer must be outside somewhere, at the configuration level or something.

comment:3 Changed 5 years ago by vipsoft (robocoder)

The SSL certificate on piwik.org was self-signed and it has expired, so the demo site isn't a valid test.

What's the problem you see on your site?

comment:4 Changed 5 years ago by judleoson

Same symptoms as in the demo. It looks completely the same.
We use a valid license of our service (www.triond.com)

When I remove the https, I get the desired graph. With https I get a gray line with this "msg":

https://p.triond.com/index.php?module=VisitsSummary&action=getLastVisitsGraph&moduleToWidgetize=VisitsSummary&actionToWidgetize=getLastVisitsGraph&idSite=70209&period=day&date=2009

comment:5 Changed 5 years ago by vipsoft (robocoder)

While I can't reproduce this on my set-up, it looks like this is a known problem. However, Googling for IE7+https+flash turns up a mixed bag of solutions/workarounds. I'll research this a bit before I propose a "fix".

comment:6 Changed 5 years ago by judleoson

Thanks a bunch, I'll research as well.

comment:7 Changed 5 years ago by vipsoft (robocoder)

Microsoft's solution is to apply a hotfix or registry setting (BypassSSLNoCacheCheck):

comment:8 Changed 5 years ago by vipsoft (robocoder)

  • Milestone set to RobotRock

comment:9 Changed 5 years ago by judleoson

I did some research and I managed to display the graph in IE!

The above link is less relevant for my case because we intend to use piwik within our service. Therefore I cannot ask all of our users to do stuff with the registry.

I realized that the problem is the Cache-Control header which sends no-cache and no-store. I tried to force some other headers but it didn't work. Then we realized that there is a session involved which causes PHP to take over any other headers on the way.

So I added this line:
session_cache_limiter("private");

to the very beginning of the code (first line in index.php) just to see that it can solve this issue and finally it worked.

The thing is that I know this is a very barbarian way to do it. There must be a better way to control the session_cache_limiter so I can choose when to use it.

My question: is there any designated place to determine the Cache-Control? So I can change the Cache-Control only on specific cases and not all the time like I do now?

Thanks

comment:10 Changed 5 years ago by vipsoft (robocoder)

The alternative would be just before session_start().

I'm still hoping to find a cleaner fix, but you might want to use session_cache_limiter() more selectively.

// Only relax the session cache limiter for IE (not Opera posing as MSIE) over HTTPS.
if(! in_array($_SERVER['HTTPS'], ['', 'off']) && preg_match('/MSIE/i', $_SERVER['HTTP_USER_AGENT']) && ! preg_match('/Opera/', $_SERVER['HTTP_USER_AGENT']))
{
    session_cache_limiter('private');
}

comment:11 Changed 5 years ago by vipsoft (robocoder)

Sorry, I was posting from my iPhone... my array syntax was incorrect; it should be:

in_array($_SERVER['HTTPS'], array('', 'off'))

comment:12 Changed 5 years ago by vipsoft (robocoder)

  • Resolution set to worksforme
  • Status changed from new to closed

The more I look at this, the kludgier it gets. For example, the https check fails if a non-ssl piwik server goes thru a reverse proxy.


BTW this bug was fixed in IE6 sp2 according to http://support.microsoft.com/kb/815313/

comment:13 Changed 5 years ago by vipsoft (robocoder)

  • Resolution worksforme deleted
  • Status changed from closed to reopened

Can you test this on your site with the major browsers?

Index: index.php
===================================================================
--- index.php	(revision 906)
+++ index.php	(working copy)
@@ -40,6 +40,8 @@
 {
 	session_start();
 }
+header("Pragma: ");
+header("Cache-Control: no-store, must-revalidate");
 
 require_once "FrontController.php";
 
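Review bot: The two header() calls added after the braced session_start() block run on every request through index.php, and nothing in the hunk says why they are there. Add a comment naming the IE-over-SSL Flash problem they work around, so a later cleanup does not remove them. Note also that header("Pragma: ") replaces the value with an empty one rather than removing the field; on PHP 5.3+ header_remove('Pragma') drops it outright. Since the replacement Cache-Control no longer carries no-cache, confirm that no-store plus must-revalidate is the intended policy for every response served through this entry point, not only the widget graphs.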

comment:14 follow-up: Changed 5 years ago by moazebulon

I am allowing myself to create an account and reply to this post because I have an SSL with piwik configuration, and searching for a solution to my Flash problem on SSL I found this thread.
I tried the proposed solution, that is:
add the lines:
header("Pragma: ");
header("Cache-Control: no-store, must-revalidate");
at the right place in index.php, and for me it's OK.
So if this reply can help other users I will be happy to have written this.
Thanks, and excuse the poor English of a French user

comment:15 in reply to: ↑ 14 Changed 5 years ago by moazebulon

Replying to moazebulon:

I am allowing myself to create an account and reply to this post because I have an SSL with piwik configuration, and searching for a solution to my Flash problem on SSL I found this thread.
I tried the proposed solution, that is:
add the lines:

header("Pragma: ");

header("Cache-Control: no-store, must-revalidate");

at the right place in index.php, and for me it's OK.
So if this reply can help other users I will be happy to have written this.
Thanks, and excuse the poor English of a French user

Tested today on IE7 and FX3 (with the latest Flash FX plugin): OK

comment:16 Changed 5 years ago by matt (mattab)

I am not sure about this patch and the potential side effects.

  • Why an empty Pragma directive? Is that necessary?
  • Setting Cache-Control: no-store means that none of the piwik responses will be cached, according to the HTTP RFC: is that what we want? JS and images wouldn't be affected and it seems they are the only ones that we really need to cache anyway.

Are you confident that there are no performance side effects on the UI?

comment:17 Changed 5 years ago by vipsoft (robocoder)

I don't know of any reason to cache any of the dynamic content. Performance can't get any worse because nocache appears to be the prevailing PHP default configuration. For example, these are the cache control headers sent by the Piwik demo site and on my server:

Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache

I manually cleared the Pragma header because, when session.cache_limiter is set to nocache in php.ini, PHP sets the default headers to the above. And reading 14.32 of the spec, the server shouldn't be sending this in the response to begin with.

Removing no-cache from Cache-Control appears to be safe, so long as we keep the Expires header and Cache-Control: must-revalidate. (13.2.1 and 13.2.4 of RFC2616)

I wonder if we should also remove Cache-Control: no-store, if in future we want to make better use of Smarty caching.

comment:18 Changed 5 years ago by matt (mattab)

  • Resolution set to fixed
  • Status changed from reopened to closed

OK, thanks for the clarification. Committed in [926] (in view->render rather than in index.php)
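
The header rewrite described in comment:17 (drop Pragma, remove no-cache, keep Expires and must-revalidate), written out as an added example; it is not the code committed in [926]. The function name relaxNoCacheHeaders is hypothetical, and the sample input is the header set quoted in comment:17.

```php
<?php
// Added example, not Piwik code. relaxNoCacheHeaders() is a hypothetical name.

/**
 * Rewrite PHP's default "nocache" session headers as discussed in comment:17:
 * drop Pragma, remove the no-cache directive, keep Expires and must-revalidate.
 * Takes raw "Name: value" header lines and returns the lines to send instead.
 */
function relaxNoCacheHeaders(array $headerLines)
{
    $out = array();
    foreach ($headerLines as $line) {
        if (strpos($line, ':') === false) {
            $out[] = $line;            // not a "Name: value" line, pass through
            continue;
        }
        list($name, $value) = explode(':', $line, 2);
        $name = strtolower(trim($name));
        if ($name === 'pragma') {
            continue;                  // Pragma: no-cache is dropped entirely
        }
        if ($name === 'cache-control') {
            $keep = array();
            foreach (explode(',', $value) as $directive) {
                $directive = trim($directive);
                // Exact match only: a qualified no-cache="field" is left alone.
                if ($directive !== '' && strcasecmp($directive, 'no-cache') !== 0) {
                    $keep[] = $directive;
                }
            }
            // must-revalidate has to survive for the relaxed policy to be safe.
            if (!in_array('must-revalidate', array_map('strtolower', $keep), true)) {
                $keep[] = 'must-revalidate';
            }
            $line = 'Cache-Control: ' . implode(', ', $keep);
        }
        $out[] = $line;
    }
    return $out;
}

// Constructed sample input: the default headers quoted in comment:17.
$defaults = array(
    'Expires: Thu, 19 Nov 1981 08:52:00 GMT',
    'Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0',
    'Pragma: no-cache',
);
echo implode("\n", relaxNoCacheHeaders($defaults)), "\n";
```

In a live request the input would come from headers_list() after session_start(), with each returned line passed to header() and Pragma cleared as in the patch from comment:13.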
