Preamble: This is not a Kohana bug per se; it affects all PHP applications that use cookies when viewed in certain browsers (particularly IE), and further reading can be found on the PHP.net site. The first part of this post discusses the symptoms of the issue that are specific to Kohana, but the solution will be relevant to all.
For quite some time now, I have followed the naming convention
http://[site]_dev.[server].creativeintent.co.uk
for my development sites. It seemed a nice, simple (and obvious) way to differentiate between production and development sites on our servers.
We've been following this pattern for quite some time now without issue. Chrome is our browser of choice in the Creative Intent studio because it offers such a powerful range of tools to us during development. However, it would seem that our good friend has been holding our hand and leading us down a dangerous path by being just a little too helpful.
The issue first cropped up at 0930 this morning after we'd presented initial access to a client for their ecommerce site which we have been developing. This particular client already runs a popular online shop on our CaffeineCommerce platform but shortly after emailing them their access details for the development site, we'd received a support request..."I can't login!".
We double-checked the authentication process to the administration area from our desks and everything seemed fine. Cue nearly an hour of telephone support, "Are you sure that you're on the right domain, entering the right username and password...?", clearing caches, cookies and restarting computers and servers. No joy! So we moved on to debugging. Sure enough, the login details were correct and if I pasted them into my browser they worked!?
"Which browser are you using again?" ... "Internet Explorer" sigh
So, I booted up VirtualBox and opened a Windows XP VM, tested in Internet Explorer and sure enough the log in failed. However, opening the production site and logging in...no problem!
I am rather embarrassed to say that it took me quite some time to understand quite what was happening here. The request was getting from my controller to the Auth module successfully, and the Auth module in turn was returning a positive result and saving the user into session. Great.
Next, the controller takes over and redirects the user into the administration area, only by this point the Auth module reports that we are no longer authenticated and redirects us back to the log in page BUT only in Internet Explorer!
What is this voodoo curse?
Everything is pointing towards a bug in the session management. There used to be a known issue in Kohana 2.3.X whereby some installations would regenerate the session on every page load. I don't think that anybody ever discovered why this happened but eventually the development team simply removed the automatic regeneration (2.3.4 onwards), leaving it up to the developer to manage this manually. I'm using version 3.X so this can't be the problem, sure seems similar though.
So what else is different between the production site and the development site? Well there's an underscore in the server name part of the URL but that wouldn't cause the session to regenerate on every page load in Internet Explorer...surely? Would it? Yup.
Quite simply, the solution is to avoid the use of underscores in your server name where possible. The use of underscores in domain names is, in fact, not valid and although some browsers such as Chrome and Firefox will allow you to plough away without issue, there are still many browsers that will throw up unexpected errors that may take some time to debug.
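The naming rule above can be checked before a site goes to a client. The following is an added example, not code from the original post or from Kohana: it tests each label of a host name against the RFC 952/1123 hostname rules (letters, digits and hyphens only) and logs a warning at bootstrap. The function name `invalid_host_labels()` and the sample names `shop` and `web1` are assumptions made for illustration.

```php
<?php
// Added example: flag host names whose labels break the RFC 952/1123
// hostname rules, such as the underscore in the development pattern above.

/**
 * Return the labels of $host that are not valid hostname labels.
 * An empty array means every label is letters, digits and hyphens only,
 * with no leading or trailing hyphen, and is 1 to 63 characters long.
 * Assumption: $host is a DNS name, not a bracketed IPv6 literal.
 */
function invalid_host_labels(string $host): array
{
    // Drop an optional :port (as found in $_SERVER['HTTP_HOST'])
    // and a single trailing dot (fully qualified form).
    $host = strtolower(trim($host));
    $host = preg_replace('/:\d+$/', '', $host);
    $host = preg_replace('/\.$/', '', $host);

    if ($host === '' || strlen($host) > 253) {
        return [$host];
    }

    $bad = [];
    foreach (explode('.', $host) as $label) {
        if (!preg_match('/^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/', $label)) {
            $bad[] = $label;
        }
    }
    return $bad;
}

// Constructed sample names; "shop" and "web1" stand in for [site] and [server].
$samples = [
    'shop_dev.web1.creativeintent.co.uk',      // underscore: flagged
    'shop-dev.web1.creativeintent.co.uk',      // hyphen: valid
    'shop.dev.web1.creativeintent.co.uk:8080', // extra label plus port: valid
];
foreach ($samples as $name) {
    $bad = invalid_host_labels($name);
    echo $name, ' => ', $bad ? 'invalid: ' . implode(', ', $bad) : 'ok', PHP_EOL;
}

// In an application bootstrap: warn once the site is served under a bad name.
if (PHP_SAPI !== 'cli' && isset($_SERVER['HTTP_HOST'])) {
    $bad = invalid_host_labels($_SERVER['HTTP_HOST']);
    if ($bad) {
        // json_encode keeps the client-supplied header from breaking the log line.
        error_log('Host has invalid label(s), cookies may be dropped: ' . json_encode($bad));
    }
}
```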