svalarino Oct 19. 2006. 6:11 pm
There is a well known problem with IE regarding downloading files over SSL. This problem manifests itself in my activeCollab install under IIS6. The problem does not happen with Firefox.

The following errors are displayed after trying to "Save Target As" depending on the type of file being downloaded:

(1) The File could not be written to the cache
(2) Internet Explorer was not able to open this Internet site. The requested site is either unavailable or cannot be found. Please try again later.

Some KBs suggest turning off (clear, uncheck) this IE setting: "Do not save encrypted pages to disk" (Tools > Advanced > Security). However, this does not resolve the problem in activeCollab.

I believe the problem has to do with downloaded files being served by activeCollab with the following http header:

Cache-Control: no-store, no-cache, must-revalidate

Supposedly, if the cache is set to "public" then IE will download files over SSL. This problem is well documented for other php projects. I have tried the following options:

(1) Adding an IIS header as in "Cache-Control: public, max-age=12000" does not work because it gets overwritten by the php http headers.

(2) Enabling and changing the session variables for PHP under IIS does produce the proper http headers. Example:

---------------------------------------------------------------------
HTTP/1.1 200 OK
Connection: close
Date: Thu, 19 Oct 2006 22:32:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: PHP/5.1.6
Expires: Fri, 20 Oct 2006 01:52:51 GMT
Cache-Control: public, max-age=12000
Last-Modified: Thu, 12 Oct 2006 19:35:38 GMT
Content-Type: image/gif
---------------------------------------------------------------------

BTW, here is a great page describing PHP installation on Win32/IIS6 including setting PHP sessions: http://www.phplivesupport.com/documentation/viewarticle.php?uid=1&aid=78&pid=8


The problem is that activeCollab overwrites the PHP http header when downloading files resulting in http headers that cause the problem with IE downloads over SSL. Example:

----------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Connection: close
Date: Thu, 19 Oct 2006 22:52:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: PHP/5.1.6
Set-Cookie: id=1; expires=Thu, 19-Oct-2006 23:52:23 GMT; path=/
Set-Cookie: token=73b986c1869a50ba0bce6350209126a84db0838f; expires=Thu, 19-Oct-2006 23:52:23 GMT; path=/
Set-Cookie: remember=deleted; expires=Wed, 19-Oct-2005 22:52:22 GMT; path=/
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Expires: Fri, 20 Oct 2006 00:52:23 GMT
Last-Modified: Thu, 19 Oct 2006 22:52:23 GMT
Content-Type: image/tiff
Content-Length: 645344
Content-Disposition: inline; filename="CyberLogoVert.tif
Content-Transfer-Encoding: binary
----------------------------------------------------------------------------------------------

Specifically, "Cache-Control: no-store, no-cache, must-revalidate"

Both http headers came from the same website but the first one was displaying info.php while the second was displaying an activeCollab "Files" download.

How can I get activeCollab not to overwrite the php http headers when downloading files so that they can be downloaded using IE over SSL?

I thank you in advance
Ilija Studen Staff Oct 20. 2006. 1:48 pm
To update headers check out download_contents() function (in environment/functions/files.php). Report back if you find a solution.

Thanks
mcvogt Oct 20. 2006. 2:51 pm
svalarino, Could you share with us the steps for installing ActiveCollab in an IIS, SSL environment?
svalarino Oct 20. 2006. 9:42 pm
Ilija Studen:
To update headers check out download_contents() function (in environment/functions/files.php). Report back if you find a solution.

Thanks

Success! Thanks for pointing me in the right direction Ilija. Here is the hack:

----------------------------------------------------------------------------------
/** HACK SAVR 10/20/06 force file download over SSL for IE
 * Was:
 * function download_contents($content, $type, $name, $size, $force_download = false) {
 */
function download_contents($content, $type, $name, $size, $force_download = true) {
  if(connection_status() != 0) return false; // check connection

  if($force_download) {

    /** HACK SAVR 10/20/06
     * Was:
     * header("Cache-Control: public");
     */
    header("Cache-Control: public, must-revalidate");
    header("Pragma: hack"); // replaces the "Pragma: no-cache" already queued

  } else {
    header("Cache-Control: no-store, no-cache, must-revalidate");
    header("Cache-Control: post-check=0, pre-check=0", false); // false = append, do not replace
    header("Pragma: no-cache");
  } // if
  header("Expires: " . gmdate("D, d M Y H:i:s", mktime(date("H") + 2, date("i"), date("s"), date("m"), date("d"), date("Y"))) . " GMT");
  header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
  header("Content-Type: $type");
  header("Content-Length: " . (string) $size);

  // Prepare disposition
  $disposition = $force_download ? 'attachment' : 'inline';
  // The closing quote has to be inside the header() call, otherwise it is never sent
  header("Content-Disposition: $disposition; filename=\"" . $name . "\"");
  header("Content-Transfer-Encoding: binary");
  print $content;

  return((connection_status() == 0) && !connection_aborted());
} // download_contents
-----------------------------------------------------------------------------------

Here is the http header it produces which lets IE cache encrypted content and thus allows activeCollab to download files over SSL.

-------------------------------------------------------------------------------
HTTP/1.1 200 OK
Connection: close
Date: Sat, 21 Oct 2006 02:14:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: PHP/5.1.6
Set-Cookie: id=1; expires=Sat, 21-Oct-2006 03:14:01 GMT; path=/
Set-Cookie: token=73b986c1869a50ba0bce6350209126a84db0838f; expires=Sat, 21-Oct-2006 03:14:01 GMT; path=/
Set-Cookie: remember=deleted; expires=Fri, 21-Oct-2005 02:14:00 GMT; path=/
Cache-Control: public, must-revalidate
Pragma: hack
Expires: Sat, 21 Oct 2006 04:14:01 GMT
Last-Modified: Sat, 21 Oct 2006 02:14:01 GMT
Content-Type: image/tiff
Content-Length: 645344
Content-Disposition: attachment; filename="CyberLogoVert.tif
Content-Transfer-Encoding: binary
----------------------------------------------------------------------------------

Notice the "Pragma: hack". That is necessary because PHP automatically sets "Pragma: no-cache" and there is no way to override that in any of the PHP settings.

Here is where that hack came from: http://us3.php.net/header (look for the comment from Nick Sterling).

I am not sure how the calling modules would "$force_download = true" but it's obvious you default it to false.

BTW, great project. I'm a .NET guy and up to now I have been dismissive of PHP. I think activeCollab will motivate me to SVN a download and give PHP a try! (Love the Angie framework idea!)

Greetings,

Sri Alexander Valarino
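
A variant of the hack above, as an added example that is not part of the original post or of activeCollab: it relaxes caching only for attachment downloads over HTTPS, uses `private` instead of `public` so shared caches are told not to store the file, and cleans the file name and type before they reach a header. The function names are hypothetical, and it assumes IE accepts `Cache-Control: private` over SSL the way it accepts `public`.

```php
<?php
// Added example, not activeCollab code; function names are hypothetical.

// Make a user-supplied name safe inside filename="...".
function safe_disposition_filename($name) {
    // Drop any path, then control characters (CR/LF would split the header)
    // and the double quote that would end the quoted string early.
    $name = basename(str_replace('\\', '/', $name));
    $name = preg_replace('/[\x00-\x1F\x7F"]/', '', $name);
    return $name === '' ? 'download' : $name;
}

// Return the headers as a list so they can be inspected before sending.
function build_download_headers($name, $type, $size, $force_download, $is_https) {
    $headers = array();
    if ($force_download && $is_https) {
        // The browser may keep its own copy, which IE needs to save the file;
        // shared caches (e.g. a TLS-terminating proxy) are told not to store it.
        $headers[] = 'Cache-Control: private, must-revalidate';
        // Any value other than no-cache; replaces an earlier "Pragma: no-cache".
        $headers[] = 'Pragma: private';
    } else {
        $headers[] = 'Cache-Control: no-store, no-cache, must-revalidate';
        $headers[] = 'Pragma: no-cache';
    }
    // Accept only a plain type/subtype; fall back to a generic binary type.
    if (!preg_match('#^[\w.+-]+/[\w.+-]+\z#', $type)) {
        $type = 'application/octet-stream';
    }
    $headers[] = 'Content-Type: ' . $type;
    $headers[] = 'Content-Length: ' . (int) $size;
    $disposition = $force_download ? 'attachment' : 'inline';
    $headers[] = 'Content-Disposition: ' . $disposition
               . '; filename="' . safe_disposition_filename($name) . '"';
    return $headers;
}

function send_download_headers(array $headers) {
    foreach ($headers as $h) {
        header($h, true); // true: replace a header of the same name
    }
}

// Constructed input: a name carrying a quote and a CR/LF pair.
$demo = build_download_headers("Cyber\"Logo\r\nVert.tif", 'image/tiff', 645344, true, true);
echo implode("\n", $demo), "\n";
```

Because the headers are set from PHP, the same function applies whether the site runs under IIS or Apache.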
svalarino Oct 20. 2006. 9:52 pm
mcvogt:
svalarino, Could you share with us the steps for installing ActiveCollab in an IIS, SSL environment?

How far along are you? Assuming that you have installed PHP on IIS(6) and installed the SSL on your activeCollab website then it's a simple matter of changing:

define('ROOT_URL', 'http://YourActiveCollabURL')

to

define('ROOT_URL', 'https://YourActiveCollabURL')

in ..\activeCollab\config\config.php

activeCollab will redirect every page after the login to the ROOT_URL; whether you start your login at https:// or http:// is up to you. I have not checked the PHP code but I believe the POST on pressing login will be submitted over https://. If you want to be absolutely secured, force your users to start at https:// or make that link from your main domain.

Hope that helps,
footprintmedia Oct 11. 2007. 1:42 pm
Does this fix only work for IIS? I am having the same problem on Apache2 and desperately need to fix it!

Regards

Andrew