widget + IE + ssl does not go together #550

Closed
anonymous-matomo-user opened this issue Feb 12, 2009 · 17 comments
Labels
Bug For errors / faults / flaws / inconsistencies etc. Major Indicates the severity or impact or benefit of an issue is much higher than normal but not critical.
Comments

@anonymous-matomo-user

I try to show this widget with ssl:

index.php?module=Widgetize&action=iframe&moduleToWidgetize=VisitsSummary&actionToWidgetize=getLastVisitsGraph

I get a gray message, the same message as if you run piwik.org/demo under SSL.

That happens only in IE. All the other browsers are happy with this.

That is the only issue that holds us from releasing piwik to our users in production.

Can someone help? thanks
Keywords: SSL,IE,widget

@robocoder
Contributor

The swfobject embedding code changed in 0.2.29, but I don’t think the URL construction was touched. What Piwik version are you running? What errors do you see in the browser’s error console?

@anonymous-matomo-user
Author

I am using 0.2.28.

I don’t see any errors. only the gray thing containing some url.

use IE and go to:
https://piwik.org/demo/index.php?module=CoreHome&action=index&idSite=1&period=day&date=yesterday

you’ll see what I see.

I tried to dig in the code to find where this happens and I stopped at line 101 in core/View.php

I felt I was going too deep and that the answer must be outside somewhere, at the configuration level or something.

@robocoder
Contributor

The SSL certificate on piwik.org was self-signed and it has expired, so the demo site isn’t a valid test.

What’s the problem you see on your site?

@anonymous-matomo-user
Author

Same symptoms as in the demo. It looks completely the same.
We use a valid license of our service (www.triond.com).

When I remove the https, I get the desired graph. With https I get a gray line with this “msg”:

https://p.triond.com/index.php?module=VisitsSummary&action=getLastVisitsGraph&moduleToWidgetize=VisitsSummary&actionToWidgetize=getLastVisitsGraph&idSite=70209&period=day&date=2009

@robocoder
Contributor

While I can’t reproduce this on my set-up, it looks like this is a known problem. However, Googling for IE7+https+flash turns up a mixed bag of solutions/workarounds. I’ll research this a bit before I propose a “fix”.

@anonymous-matomo-user
Author

thanks a bunch, I’ll research as well.

@robocoder
Contributor

Microsoft’s solution is to apply a hotfix or registry setting (BypassSSLNoCacheCheck):
- http://support.microsoft.com/kb/323308/

@anonymous-matomo-user
Author

I did some research and I managed to display the graph in IE!

The above link is less relevant for my case because we intend to use Piwik within our service. Therefore I cannot ask all of our users to do stuff with the registry.

I realized that the problem is the Cache-Control header, which sends no-cache and no-store. I tried to force some other headers but it didn’t work. Then we realized that there is a session involved, which causes PHP to take over any other headers on the way.

So I added this line:

```
session_cache_limiter("private");
```

to the very beginning of the code (first line in index.php) just to see that it can solve this issue and finally it worked.

The thing is that I know this is a very barbarian way to do it. There must be a better way to control the session_cache_limiter so I can choose when to use it.

My question: is there any designated place to determine the Cache-Control? So I can change the Cache-Control only on specific cases and not all the time like I do now?

Thanks

@robocoder
Contributor

The alternative would be just before session_start().

I’m still hoping to find a cleaner fix, but you might want to use session_cache_limiter() more selectively.

```
// Only relax the session cache limiter for IE (not Opera) over HTTPS.
if (!in_array($_SERVER['HTTPS'], ['', 'off']) && preg_match('/MSIE/i', $_SERVER['HTTP_USER_AGENT']) && !preg_match('/Opera/', $_SERVER['HTTP_USER_AGENT']))
{
    session_cache_limiter('private');
}
```

@robocoder
Contributor

Sorry, I was posting from my iPhone… my array syntax was incorrect; it should be:

```
in_array($_SERVER['HTTPS'], array('', 'off'))
```

@robocoder
Contributor

The more I look at this, the kludgier it gets. For example, the https check fails if a non-SSL Piwik server goes through a reverse proxy.

BTW this bug was fixed in IE6 sp2 according to http://support.microsoft.com/kb/815313/

@robocoder
Contributor

Can you test this on your site with the major browsers?

```
Index: index.php
===============
- index.php (revision 906)
+ index.php (working copy)
@ -40,6 +40,8 @
{
session_start();
}
+header("Pragma: “);
+header(”Cache-Control: no-store, must-revalidate");

require_once “FrontController.php”;

```
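
Review bot: the two `header()` calls added after the `session_start()` block run on every request through index.php, not only for the IE-over-HTTPS case this issue reports, and nothing in the hunk says why the session's default cache headers are being overridden. Add a comment naming the IE/SSL Flash problem and confirm that replacing the Cache-Control value for all clients is intended. The empty `Pragma:` value also needs a comment, since without one it reads like a mistake.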

@anonymous-matomo-user
Author

I permit me to create account and reply to this post because I have a SSL with piwik configuration and searching for solution to my flash pb on ssl I found this thread.
I experiment the proposal solution that is :
add lines :

```
header("Pragma: ");
header("Cache-Control: no-store, must-revalidate");
```

at the right place in index.php and for me it’s ok.
So if this reply can help other users I will be happy to write this.
Thanks and excuse the poor English of a French user

@anonymous-matomo-user
Author

Replying to [moazebulon](comment:14):

> I permit me to create account and reply to this post because I have a SSL with piwik configuration and searching for solution to my flash pb on ssl I found this thread.
> I experiment the proposal solution that is :
> add lines :
>
> header("Pragma: ");
>
> header("Cache-Control: no-store, must-revalidate");
>
> at the right place in index.php and for me it’s ok.
> So if this reply can help other users I will be happy to write this.
> Thanks and excuse the poor English of a French user

Tested today on IE7 and FX3: OK

@mattab
Member

mattab commented Feb 25, 2009

I am not sure about this patch and the potential side effects.
- Why an empty Pragma directive? Is that necessary?
- Setting Cache-Control: no-store means that none of the Piwik responses will be cached, according to the [HTTP RFC](http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.2): is that what we want? JS and images wouldn’t be affected and it seems they are the only ones that we really need to cache anyway.

Are you confident that there are no performance side effects on the UI?

@robocoder
Contributor

I don’t know of any reason to cache any of the dynamic content. Performance can’t get any worse because nocache appears to be the prevailing PHP default configuration. For example, these are the cache control headers sent by the Piwik demo site and on my server:

```
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
```

I manually cleared the Pragma header because, when session.cache_limiter is set to nocache in php.ini, PHP sets the default headers to the above. And reading 14.32 of the spec, the server shouldn’t be sending this in the response to begin with.

Removing no-cache from Cache-Control appears to be safe, so long as we keep the Expires header and Cache-Control: must-revalidate. (13.2.1 and 13.2.4 of RFC2616)

I wonder if we should also remove Cache-Control: no-store, if in future we want to make better use of Smarty caching.
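
The header rewrite discussed in the comment above, as an added example that is not Piwik's code and not part of the thread: it takes header lines in the shape `headers_list()` returns and reduces them to the set the patch sends. The names `KEPT_DIRECTIVES` and `relax_nocache_headers` are hypothetical, and the sample input is constructed from the three headers quoted above.

```php
<?php
// Added example, not Piwik's code. Names below are hypothetical.

// Cache-Control directives kept, matching the patch in this thread.
const KEPT_DIRECTIVES = ['no-store', 'must-revalidate'];

/**
 * Rewrite "Name: value" header lines produced by
 * session.cache_limiter=nocache: drop Pragma, reduce Cache-Control to
 * the kept directives, and pass every other header (Expires) through.
 */
function relax_nocache_headers(array $lines): array
{
    $out = [];
    foreach ($lines as $line) {
        // Split on the first colon only; Expires values contain colons.
        [$name, $value] = array_map('trim', explode(':', $line, 2) + [1 => '']);
        switch (strtolower($name)) {
            case 'pragma':
                break; // dropped from the rewritten response
            case 'cache-control':
                $kept = [];
                foreach (explode(',', $value) as $directive) {
                    // Compare on the token before any "=value" part.
                    $token = strtolower(trim(explode('=', $directive, 2)[0]));
                    if (in_array($token, KEPT_DIRECTIVES, true)) {
                        $kept[] = $token;
                    }
                }
                if ($kept) {
                    $out[] = 'Cache-Control: ' . implode(', ', $kept);
                }
                break;
            default:
                $out[] = "$name: $value";
        }
    }
    return $out;
}

// Constructed input: the default headers quoted in the comment above.
$sample = [
    'Expires: Thu, 19 Nov 1981 08:52:00 GMT',
    'Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0',
    'Pragma: no-cache',
];
print_r(relax_nocache_headers($sample));
```

Running the same function over `headers_list()` after `session_start()` shows what a given `session.cache_limiter` setting will actually emit before any override is applied.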

@mattab
Member

mattab commented Feb 27, 2009

OK, thanks for clarification. Committed in 926 (in view→render rather than in index.php).

This issue was closed.