Embedded Twitter Timeline interferes with PHP sessions in Firefox



This issue affects Firefox only. There are no issues in other browsers.

I have a custom login on my website. It works perfectly until I add the Twitter Timeline Embed code. When that code is added, the PHP session value changes when logging in. On signin.php, a php session value is generated. Upon pressing submit and going to success.php, the session value changes.

What could possibly be causing that and why only in Firefox?

Here is my code:



//Prevent Cross-Site Request Forgeries//
$tokengf = md5(uniqid(rand(), TRUE));
$_SESSION['tokengf'] = "$tokengf";
$_SESSION['tokengf_timestamp'] = time();
<form action="2.php" method="post"  />
<h3> Enter Your Username:</h3>
<span class="question">What is your username? </span>
  <label for="username">My username is:<br />
  <input type="text" name="username" id="username" value="" size="40" maxlength="85" />
<input type="hidden" name="tokengf" value="<?php echo $_SESSION['tokengf']; ?>" />
<br />
<input type="submit">
<!--Twitter Timeline-->
<a class="twitter-timeline" href="https://twitter.com/gftravelsite" data-widget-id="412977135226081280">Tweets by @gftravelsite</a>
<script>!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0],p=/^http:/.test(d.location)?'http':'https';if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src=p+"://platform.twitter.com/widgets.js";fjs.parentNode.insertBefore(js,fjs);}}(document,"script","twitter-wjs");</script>

And here’s the page that gets submitted to:


echo var_dump($_SESSION) . "<BR>";
echo print_r($_POST);
//Prevent Cross-Site Request Forgeries//
if ($_POST['tokengf'] != $_SESSION['tokengf']) {
echo "<br>post and session token values don't match.";

The browser output is:

array(2) { ["tokengf"]=> &string(32) "2e5b9797a3ba1e0b481f363b585c3bb1" ["tokengf_timestamp"]=> &int(1431234058) }
Array ( [username] => [tokengf] => 9bf4cca211d7a9874d954a434c21ac28 ) 1
post and session token values don't match.

The same exact page run using Chrome or IE gives this output as expected:

array(2) { ["tokengf"]=> &string(32) "fc28ab43754b40e6941a3f0208257de9" ["tokengf_timestamp"]=> &int(1431234321) } 
Array ( [username] => [tokengf] => fc28ab43754b40e6941a3f0208257de9 ) 1

Any ideas as to why the PHP session is being changed in Firefox? Also, if I remove the Twitter code, the sessions work fine in Firefox.




Not sure if this will help, but I had an issue that I traced to the twitter timeline in Firefox, also does not affect other browsers.

When a form is submitted, it appears to the server as if the form is submitted twice, but on closer inspection I found that the url to which the form submits is first called with a POST, immediately followed by a GET. Taking out the twitter timeline removes the problem.

It is likely that this is related to an older reported problem with the way that Firefox handles and tags with missing href’s or src’s - it substitutes the page url, hence the GET.

Not much to be done except removed the timeline.