cookie problem

grooou
Forum Newbie
Posts: 8
Joined: Tue Jun 03, 2003 1:21 pm
Location: Portugal

cookie problem

Post by grooou »

hello,
i have a problem with cookie fixation in msie 6.


i have 2 hosts:
aaa.domain.net (real)
bbb.domain.net (virtual)

both hosts are linking to the same php source code.

and now some http headers:

1st case:

Code:

++GET
GET http://aaa.domain.net/ HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: aaa.domain.net
Connection: keep-alive


++RESP
HTTP/1.1 200 OK
Date: Tue, 26 Aug 2003 17:10:41 GMT
Server: Apache/1.3.27 (Unix) PHP/4.3.0 mod_auth_pam/1.1.1 mod_layout/3.2
X-powered-by: PHP/4.3.0
Set-cookie: PHPSESSID=8810f69685f5ec17f9df467f526f611d; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-type: text/html


++GET
GET http://aaa.domain.net/mycss.css HTTP/1.1
Accept: */*
Referer: http://aaa.domain.net/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: aaa.domain.net
Cookie: PHPSESSID=8810f69685f5ec17f9df467f526f611d
Connection: keep-alive



2nd case:

Code:

++GET
GET http://bbb.domain.net/ HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: bbb.domain.net
Connection: keep-alive


++RESP
HTTP/1.1 200 OK
Date: Tue, 26 Aug 2003 17:10:41 GMT
Server: Apache/1.3.27 (Unix) PHP/4.3.0 mod_auth_pam/1.1.1 mod_layout/3.2
X-powered-by: PHP/4.3.0
Set-cookie: PHPSESSID=8810f69685f5ec17f9df467f526f611d; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-type: text/html


++GET
GET http://bbb.domain.net/mycss.css HTTP/1.1
Accept: */*
Referer: http://bbb.domain.net/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: bbb.domain.net
Connection: keep-alive

1st case is ok
cookie was accepted and msie is sending it


2nd case is not ok
where is the cookie?
why is set-cookie being ignored by msie6?
is msie6 accepting the cookie but not sending it due to host mismatch? But the Host header is ok, i believe!

btw, set-cookie header is generated by session_start() function

Thank you,
Grooou
JAM
DevNet Resident
Posts: 2101
Joined: Fri Aug 08, 2003 6:53 pm
Location: Sweden

Post by JAM »

The PHP Manual wrote: To make the cookie available on all subdomains of example.com then you'd set it to '.example.com'. The . is not required but makes it compatible with more browsers. Setting it to http://www.example.com will make the cookie only available in the www subdomain. Refer to tail matching in the spec for details.

I'm thinking that the domain name (below as string domain) might be set incorrectly...

Code:

bool setcookie ( string name [, string value [, int expire [, string path [, string domain [, int secure]]]]])

If you have that set to "/" try changing it to domain.net.

Just a thought.

SideNote:

Code:

header("Cache-Control: private");

An IE6 Bug-Fix. Caching kills the cookies, but the above code seems to fix that. Should add that along with the rest of your headers to be on the safe side.
grooou
Forum Newbie
Posts: 8
Joined: Tue Jun 03, 2003 1:21 pm
Location: Portugal

I DON'T BELIEVE THIS

Post by grooou »

I've solved the problem with msie 6 ignoring cookies.

Microsoft, in msie6 sp1, produced a patch that solves some cookie vulnerability issues.

Look for details in:
http://support.microsoft.com/default.as ... -us;312461

This patch requires that domains that use cookies MUST (yes, they MUST) only have alpha-numeric characters (or '-' or '.') in the domain name. (WHY ???????) 8O 8O 8O 8O 8O

Well, bad luck for me. My domain name has an '_' character.
aaa.domain.net (servername)
aaa_test.domain.net (vhost)

THANKS MICROSOFT, GREAT PATCH !!!!!!!!!!
:evil: :evil: :evil:

:idea: Be careful with domain names. If you use cookies you can only have alpha-numeric characters (or '-' or '.') in the domain name.


( :cry: i don't believe this. I don't remember how many hours i spent trying to solve this problem, watching logs, traces, dns, apache conf, vhost, etc. I love LYNX)



Best regards,
Grooou


PS: JAM, thanks for the help
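
A check that would catch this before a vhost goes live, as an added example (not code from the thread or from PHP itself): it flags host-name labels containing anything other than letters, digits or '-', the rule described in the post above. The function name `cookie_unsafe_labels` and the sample host with a port are assumptions made for illustration.

```php
<?php
/**
 * Return the labels of $host that contain characters outside [A-Za-z0-9-].
 * $host may be a raw Host header value, so an optional ":port" is dropped.
 * (Hypothetical helper, not part of PHP.)
 */
function cookie_unsafe_labels(string $host): array
{
    $host = strtolower(trim($host));
    $host = preg_replace('/:\d+\z/', '', $host);  // strip ":8080"
    $host = rtrim($host, '.');                     // tolerate a trailing root dot
    $bad = [];
    foreach (explode('.', $host) as $label) {
        // An empty label ("a..b") is reported as well.
        if ($label === '' || !preg_match('/\A[a-z0-9-]+\z/', $label)) {
            $bad[] = $label;
        }
    }
    return $bad;
}

// Constructed sample: the two host names from the thread, plus one with a port.
$hosts = ['aaa.domain.net', 'aaa_test.domain.net', 'aaa_test.domain.net:8080'];
foreach ($hosts as $h) {
    $bad = cookie_unsafe_labels($h);
    printf("%-26s %s\n", $h,
        $bad ? 'cookies may be dropped, bad label(s): ' . implode(', ', $bad) : 'ok');
}

// Possible use before session_start(): log when the request's Host is likely
// to break sessions. HTTP_HOST is client-controlled, so it is JSON-encoded
// before it reaches the log. Skipped under the CLI, where HTTP_HOST is unset.
if (isset($_SERVER['HTTP_HOST']) && cookie_unsafe_labels($_SERVER['HTTP_HOST'])) {
    error_log('Session cookie may be rejected by the browser for host '
        . json_encode($_SERVER['HTTP_HOST']));
}
```

Run over the ServerName and ServerAlias values of a configuration, it reports `aaa_test` as the offending label while `aaa.domain.net` passes.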
JAM
DevNet Resident
Posts: 2101
Joined: Fri Aug 08, 2003 6:53 pm
Location: Sweden

Post by JAM »

Ahh, couldn't believe that that was the issue.
Good enough you solved it tho.