problems with session cookies in IE 7

Hi...

I've been trying to post this for days, but MS seems to have a filter that
deletes my posts for some reason. I have a Fiddler log to show what I'm
talking about; maybe that's what it doesn't like, so I'll have to resort to a
description rather than details.

Our website has the option of distributing out the authentication authority
to our clients, so when a request comes to our site we look for a login
cookie and if we don't find it, we redirect over to the customer's login page.

That login page redirects the request back after login with an encrypted
token on the query string. We validate the token and then loop the request
back to itself. We do that for 2 reasons, 1 to drop the session login cookie
and the other to remove the token from the query string.

The problem is that on that last redirect, IE 7 is not presenting the
cookies we just set, so we think they have to log in again.

For example, if the request comes in as
http://test.machine.com/test.aspx?pa...token=blahblah,

We respond
Location: http://test.machine.com?param=a
Set-Cookie: LOGIN=our+cookie; path=/
Set-Cookie: BEENSEEN=We+know+him; domain=.machine.com; path=/
Cache-Control: private

plus the usual ASP.Net redirect text.

The issue is that this last redirect comes back with no Cookie: header at
all. The browser didn't keep either of them. I thought it might be an issue
with the LOGIN cookie not explicitly setting the domain, but the BEENSEEN
cookie does, and it doesn't come up either.

As I said, I tried to post the Fiddler log demonstrating the issue, but the
MS nntp server seems to have a bot deleting posts it doesn't like. I'm
hoping this is washed down enough to get through.

Any tips would be appreciated.

Thanks
Mark

Another tidbit of information...

I changed the code to explicitly set the domain for the LOGIN cookie and put
it up on a staging server (so now it has domain=.machine.com), and that
didn't improve things. IE 7 still won't present the cookies that were set on
the redirect.

One other thing I noticed that's different from a lot of our other
deployments is that the domain for those local cookies is the same as all of
our in-office lan computers. Are there weird conditions about setting
session cookies to a domain you're a member of? Does IE just ignore those?

Thanks
Mark


"Mark" wrote:

> Hi...
>
> I've been trying to post this for days, but MS seems to have a filter that
> deletes my posts for some reason. I have a Fiddler log to show what I'm
> talking about; maybe that's what it doesn't like, so I'll have to resort to a
> description rather than details.
>
> Our website has the option of distributing out the authentication authority
> to our clients, so when a request comes to our site we look for a login
> cookie and if we don't find it, we redirect over to the customer's login page.
>
> That login page redirects the request back after login with an encrypted
> token on the query string. We validate the token and then loop the request
> back to itself. We do that for 2 reasons, 1 to drop the session login cookie
> and the other to remove the token from the query string.
>
> The problem is that on that last redirect, IE 7 is not presenting the
> cookies we just set, so we think they have to log in again.
>
> For example, if the request comes in as
> http://test.machine.com/test.aspx?pa...token=blahblah,
>
> We respond
> Location: http://test.machine.com?param=a
> Set-Cookie: LOGIN=our+cookie; path=/
> Set-Cookie: BEENSEEN=We+know+him; domain=.machine.com; path=/
> Cache-Control: private
>
> plus the usual ASP.Net redirect text.
>
> The issue is that this last redirect comes back with no Cookie: header at
> all. The browser didn't keep either of them. I thought it might be an issue
> with the LOGIN cookie not explicitly setting the domain, but the BEENSEEN
> cookie does, and it doesn't come up either.
>
> As I said, I tried to post the Fiddler log demonstrating the issue, but the
> MS nntp server seems to have a bot deleting posts it doesn't like. I'm
> hoping this is washed down enough to get through.
>
> Any tips would be appreciated.
>
> Thanks
> Mark
>

I've worked up a reproducible case, but the usenet bot doesn't seem to like
me posting it.

The odd part is that the exact same code running on xp with IIS 5.1 works
with IE 7. Running on W2003/IIS 6.0 requested by IE 7 doesn't work (the
cookies get lost).

The differences seem to be the value of the Server: header and the
Connection: close header (IIS 5.1 doesn't drop it). Other than that, the
request/responses look the same - only in one case IE 7 remembers the cookies
and the other it doesn't.

Thanks
Mark

"Mark" wrote:

> Another tidbit of information...
>
> I changed the code to explicitly set the domain for the LOGIN cookie and put
> it up on a staging server (so now it has domain=.machine.com), and that
> didn't improve things. IE 7 still won't present the cookies that were set on
> the redirect.
>
> One other thing I noticed that's different from a lot of our other
> deployments is that the domain for those local cookies is the same as all of
> our in-office lan computers. Are there weird conditions about setting
> session cookies to a domain you're a member of? Does IE just ignore those?
>
> Thanks
> Mark
>
>
> "Mark" wrote:
>
> > Hi...
> >
> > I've been trying to post this for days, but MS seems to have a filter that
> > deletes my posts for some reason. I have a Fiddler log to show what I'm
> > talking about; maybe that's what it doesn't like, so I'll have to resort to a
> > description rather than details.
> >
> > Our website has the option of distributing out the authentication authority
> > to our clients, so when a request comes to our site we look for a login
> > cookie and if we don't find it, we redirect over to the customer's login page.
> >
> > That login page redirects the request back after login with an encrypted
> > token on the query string. We validate the token and then loop the request
> > back to itself. We do that for 2 reasons, 1 to drop the session login cookie
> > and the other to remove the token from the query string.
> >
> > The problem is that on that last redirect, IE 7 is not presenting the
> > cookies we just set, so we think they have to log in again.
> >
> > For example, if the request comes in as
> > http://test.machine.com/test.aspx?pa...token=blahblah,
> >
> > We respond
> > Location: http://test.machine.com?param=a
> > Set-Cookie: LOGIN=our+cookie; path=/
> > Set-Cookie: BEENSEEN=We+know+him; domain=.machine.com; path=/
> > Cache-Control: private
> >
> > plus the usual ASP.Net redirect text.
> >
> > The issue is that this last redirect comes back with no Cookie: header at
> > all. The browser didn't keep either of them. I thought it might be an issue
> > with the LOGIN cookie not explicitly setting the domain, but the BEENSEEN
> > cookie does, and it doesn't come up either.
> >
> > As I said, I tried to post the Fiddler log demonstrating the issue, but the
> > MS nntp server seems to have a bot deleting posts it doesn't like. I'm
> > hoping this is washed down enough to get through.
> >
> > Any tips would be appreciated.
> >
> > Thanks
> > Mark
> >

"Mark" <mmodrall@nospam.nospam> wrote in message news:C231726A-578C-471D-B98A-0F751A3A9ECA@microsoft.com...
> Hi...
>
> I've been trying to post this for days, but MS seems to have a filter that
> deletes my posts for some reason. I have a Fiddler log to show what I'm
> talking about; maybe that's what it doesn't like, so I'll have to resort to a
> description rather than details.
>
> Our website has the option of distributing out the authentication authority
> to our clients, so when a request comes to our site we look for a login
> cookie and if we don't find it, we redirect over to the customer's login page.
>
> That login page redirects the request back after login with an encrypted
> token on the query string. We validate the token and then loop the request
> back to itself. We do that for 2 reasons, 1 to drop the session login cookie
> and the other to remove the token from the query string.
>

> The problem is that on that last redirect, IE 7 is not presenting the
> cookies we just set, so we think they have to log in again.


On which OS?

E.g. if it is Vista see if information in this article would
help refine your symptom description:

(ignore the title)
http://support.microsoft.com/kb/932118

(Search of Microsoft Support for
session coookies "internet explorer"
)


Tip: You could use ProcMon to check some of the details
the article refers to.


Good luck

Robert Aldwinckle
---


>
> For example, if the request comes in as
> http://test.machine.com/test.aspx?pa...token=blahblah,
>
> We respond
> Location: http://test.machine.com?param=a
> Set-Cookie: LOGIN=our+cookie; path=/
> Set-Cookie: BEENSEEN=We+know+him; domain=.machine.com; path=/
> Cache-Control: private
>
> plus the usual ASP.Net redirect text.
>
> The issue is that this last redirect comes back with no Cookie: header at
> all. The browser didn't keep either of them. I thought it might be an issue
> with the LOGIN cookie not explicitly setting the domain, but the BEENSEEN
> cookie does, and it doesn't come up either.
>
> As I said, I tried to post the Fiddler log demonstrating the issue, but the
> MS nntp server seems to have a bot deleting posts it doesn't like. I'm
> hoping this is washed down enough to get through.
>
> Any tips would be appreciated.
>
> Thanks
> Mark
>