MSIE + Dynamically Generated Downloads + HTTPS = BADNESS

I got a bug report from one of my clients today telling me that they had problems downloading files using MSIE through a download script I wrote. It so happens that there had been no problems with this script before. But when we switched from plain HTTP to HTTPS for their site, the problem started to happen. Internet Explorer does it again…

It would seem that IE has trouble interpreting custom headers when the request is made over HTTPS. Consider the following PHP code:

    // Send the payload as a binary attachment with an explicit length.
    header('Content-type: application/octet-stream');
    header('Content-Disposition: attachment; filename="stuff-in-binary.bin"');
    header('Content-Length: '.strlen($stuff));
    print($stuff);

As you can see, all the headers required for the browser to treat this as a downloadable file are present. Over HTTP this works OK. But when you switch to HTTPS, MSIE will give you a strange error message and complain that the file “cannot be found” or something to that effect.

After a bit of searching it seems that I was not alone with this problem. I found the solution to the problem in [this blog post][solution]. It turned out to be very simple.

Using the same example PHP code above, you just add the following before you start a session (if you are using sessions):

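    // Must run before session_start(): change the session cache limiter for MSIE only.
    if (isset($_SERVER['HTTP_USER_AGENT']) && strpos($_SERVER['HTTP_USER_AGENT'], 'MSIE') !== false) {
        session_cache_limiter('must-revalidate,public');
    }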

Though the blog entry linked above only suggests you set session_cache_limiter('public'), I’ve found that the above code works in most cases. Using only 'public' seems to break under certain setups. I was in a hurry so I must admit that I did not investigate this matter any further.
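The steps above in call order, as an added example that is not the original download script: the limiter is set before session_start(), and only in the download script, so other pages keep PHP's default session cache headers. The send_download() helper, the constructed payload and the filename filter are assumptions made for illustration.

```php
<?php
// Added example, not the original script. Assumed names: send_download(),
// $stuff (constructed payload), and the filename filter.

// 1. Pick the cache limiter BEFORE session_start(); session_start() is the
//    call that emits the session's cache headers, so later is too late.
$ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
if (strpos($ua, 'MSIE') !== false) {
    // Value used in this post; the linked post uses 'public' instead.
    session_cache_limiter('must-revalidate,public');
}

// 2. Start the session (needed here only if the download is tied to a login).
session_start();

/**
 * Send $data to the browser as a file download.
 * The filename is reduced to a conservative character set so a quote or
 * control character cannot break out of the Content-Disposition value.
 */
function send_download($data, $filename)
{
    $safe = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($filename));
    if ($safe === '' || $safe === '.' || $safe === '..') {
        $safe = 'download.bin';
    }

    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $safe . '"');
    header('Content-Length: ' . strlen($data));
    print($data);
}

// 3. Constructed sample payload: 1 KiB of alternating bytes.
$stuff = str_repeat("\x00\xff", 512);
send_download($stuff, 'stuff-in-binary.bin');
```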

So what’s causing this? One of the commenters on that blog entry correctly points out a “security” setting in IE that affects this. With MSIE open, go to Tools->Internet Options and click on the “Advanced” tab. Look for the checkbox marked “Do not save encrypted pages to disk”. Uncheck it and downloads over HTTPS should now work correctly without the fix above.

Instead of making users jump through hoops in order to be able to download content over HTTPS, I would rather implement the workaround above even if there is a risk that it might break again in future versions of MSIE.

[solution]: http://joseph.randomnetworks.com/archives/2004/10/01/making-ie-accept-file-downloads "Making IE Accept File Downloads"
