
I have a standard authentication situation... A visitor fills in login+password on a form, a PHP script authenticates it against the database and redirects back to some page.

In this process, we just add session_regenerate_id(true) when the customer is successfully authenticated, just before the redirect. Everything works fine in Chrome, but it doesn't work in some versions (not all) of IE11 and the latest version of Edge (tried in VirtualBox - download from modern.ie). Maybe it doesn't work in some other browsers.

How does it work in Chrome:

  • client loads page with login form - he has session id AAA
  • client sends the form - the request has session id AAA
  • client is being authenticated - session_regenerate_id(true) called
  • response has Set-cookie and session id BBB (+Location: YYY)
  • browser makes request to YYY with session id BBB
  • response doesn't have set-cookie, so session id is BBB
  • client is authenticated

How does it work in IE11/Edge:

  • client loads page with login form - he has session id AAA
  • client sends the form - the request has session id AAA
  • client is being authenticated - session_regenerate_id(true) called
  • response has Set-cookie and session id BBB (+Location: YYY)
  • browser makes request to YYY with session id AAA
  • response doesn't have set-cookie, so session id is AAA
  • client is NOT authenticated

The problem is that session AAA is removed when regenerating the session id, so the client can't be authenticated.

It doesn't even work when there is no Location header and the script just shows a static page with a link to another page.

It looks like the browser is ignoring Set-Cookie.

When I remove session_regenerate_id(), it "works", but it's less secure.

kluvi

1 Answer


I'll answer my question myself... The problem is that the Set-Cookie header doesn't contain a domain.

Example: www.site.com

Chrome: works ok, gets the domain from the current URL (www.site.com).
Edge: don't know how, but the new session id is saved to domain site.com.

Solution: use session_set_cookie_params() to set the domain to ".site.com" (all subdomains).

kluvi
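The fix from the answer written out as a complete login handler, as an added example (not code from the question or the answer): cookie parameters, including an explicit domain, are set before session_start(), and the id is regenerated on successful login. The domain, the in-memory user store and the redirect target are assumptions.

```php
<?php
// Added example: login flow with an explicit session cookie domain.
// Domain, user store and redirect target are assumptions for illustration.
declare(strict_types=1);

// Cookie attributes must be set before session_start(), because that is
// where the session cookie is emitted. Without an explicit domain the
// browser decides the scope itself, which is what differed between Chrome
// and Edge above. ".example.com" covers every subdomain, so only use that
// scope if all subdomains are trusted to read the session cookie.
session_set_cookie_params([
    'lifetime' => 0,              // session cookie, not persisted
    'path'     => '/',
    'domain'   => '.example.com', // assumption: replace with your domain
    'secure'   => true,           // only sent over HTTPS
    'httponly' => true,           // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

// Constructed sample user store; a real application would query a database
// and store the hash, not recompute it on every request.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

$login = (string) ($_POST['login'] ?? '');
$pass  = (string) ($_POST['password'] ?? '');

if (isset($users[$login]) && password_verify($pass, $users[$login])) {
    // Regenerate the id on privilege change (login) and delete the old
    // session file, so a pre-login id that someone else learned (session
    // fixation) no longer maps to the authenticated session.
    session_regenerate_id(true);
    $_SESSION['user']             = $login;
    $_SESSION['authenticated_at'] = time();

    // This response carries both Set-Cookie (new id BBB) and Location; the
    // browser's next request to /account must present BBB, which only
    // happens if the cookie's domain matches the host it is sent to.
    header('Location: /account', true, 303);
    exit;
}

http_response_code(401);
echo 'Login failed';
```

On the page the client is redirected to, check `isset($_SESSION['user'])` after `session_start()` with the same cookie parameters; if the browser sent the old id AAA, the session is empty because `session_regenerate_id(true)` deleted it.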