milliAmp

Alright, “millions of domains” is a bit of an exageration, hundreds is more accurate. 613 to be exact. That’s how many domains one project I’ve been working on has. What makes this situation a little stranger is that all these domains point to the same hosting account. I’ll give a bit more information about the project in a bit.

There is one feature of this project which required a bit of extra thinking and that was having a single-sign-on from any of the domains. The feature would need to allow a user to login from one of the 600 domains and still be logged in if they accessed the site from another. The problem doesn’t get complicated until you add in that the idea was to not have the address in the address bar be a single site but stay at the domain the user typed in and that frame-based “masking” was out due to IE6 SP2 (might have been IE7) by default, blocks third-party cookies - which is what the login cookies would have been if using frame-based “masking”.

My solution to the problem probably isn’t the most elegant but it does the job for now.

When a user enters one of the domains, if there isn’t an authentication cookie in their browser for that domain, a redirect is performed. The user is sent briefly to a central domain which checks if the user is logged in on the central domain and if they are, send back the session_id in the URL. Now, because all these domains ultimately lead to one hosting account on a single server, the session_id sent back works perfectly and allows them to log in. At this point, the system also attaches a cookie to the current domain in case they come back to this one, another redirect won’t be required.

When a user goes to one of the domains but isn’t logged in, they are of course briefly sent to the central domain which comes back saying they aren’t logged in there either and the login page is shown. One filled in the login form is posted back to the central domain which authenicates the details and redirects the user back to the domain they typed in, along with the new session_id. This now means the authentication cookie is set on the central domain and it will now be set on the domain they typed in.

In the past I’ve read hundreds of articles about the failings, “features” and related idiosyncrasies of Internet Explorer but until last week I hadn’t heard of this one. When we tested the site in Internet Explorer we found that every page would load correctly and then, right at the last second, change to the standard 404 error page saying that the page could not be found. If the user had turned off the “friendly” error pages in Internet Explorer the site performed fine.

I don’t know about you, but I wasn’t too sure where to start.

After thinking for a while, I checked the headers being sent by the server, they were all fine and dandy. Next I started ripping code haphazardly from the page until the quirk didn’t exhibit itself any more. Turned out that the whole problem was located in the stylesheet. To confirm this, I emptied the stylesheet and reloaded the page, it was fine.

After chopping back and chopping back and then slowly adding back in, I discovered that our designer had used the csshover.htc behaviour file to allow :hover on all elements in Internet Explorer 6. He has used this before successfully many, many times so I knew that something else was amiss.

Anyway, 5 minutes later I discovered that is was being referenced incorrectly from the stylesheet, the URL was given relative to the main page^[1]. The 404 was being generated when the onload event fired for the page when it couldn’t find the .htc to include.

Moral of the story, check your damn code people. A missing forward slash in a stylesheet turned into a 45-minute debugging session.

Another one to chalk up as to why Internet Explorer should die.

^[1] For whatever reason, I think IE was looking for the behaviour in the folder relative to the CSS (which is correct), not finding it and then looking relative to the document it was included from. I say this because the front page didn’t give the 404 whereas every other page did.