Welcome Guest, Not a member yet? Register   Sign In
Corporate firewall blocking cisession cookies

I have a government agency client who needs to log on to our CI based site from their agency network. It appears that their firewall/security package is blocking the cisession/ci_session session variables used for our login screens. This is a ubiquitous problem for users attempting to access this site, experienced by at least 20 users from various agencies in this same network over the past 3 years, while not experienced by several thousand other users of the same site during that time. The login page and all subsequent pages are ssl encrypted. We can do a reverse proxy using curl to get on from their network, so their site isn't blocking any particular content. Users from that agency can view everything on the web site prior to the cisession variable being set in the login (several wordpress pages), so the site itself isn't blocked. We can replicate the problem by blocking the cisession cookies on our browser. The agency IT staff sees it as outside software they can't/won't support, so no help there.
Anyone else run into this problem with corporate firewalls/security and have any suggestions or workarounds that don't involve the corporation/agency IT dept taking any action? Thanks in advance.

I'd check the cookie domain and whether it's being sent as a secure cookie (only over https). Are you sure it's a firewall issue and not a browser setting? Do they accept cookies in general but just not your session cookie?

I'm sure its an enterprise-wide issue, but not sure it is a firewall and not a browser setting that the agency enforces on all its computers (they all are using IE), or some other agency-wide "security" measure? It is possible to navigate and log-in to any other non-CI site that requires session cookies or just plain old cookies and they seem to be receiving our wordpress cookies fine. One other note, as a test I changed .htaccess so that the entire site was http for users from that domain, and the issue persisted, which led me to believe it wasn't a secure versus non-secure cookie issue.


Have you compared the WP vs CI cookies in the browser/developer tools to see if there are any differences? What is the "name" of your session cookie? If it has an underscore in it I'd remove it as older versions of IE had problems with that. It also rejects cookies where the domain/subdomain contains an underscore because they violate the RFC for domain names (must start with a letter, all other characters can be alphanumeric or dash). All other browsers that I know of accept them even if they contain an underscore.

Theme © iAndrew 2016 - Forum software by © MyBB