IE8 BUG - Cookie Expiration

I found a bug in IE8 in the way it handles the expiration dates. I'm
developing an ASP.NET MVC website and was implementing login/logout. It all
worked great on IE7, FireFox, and Chrome. However, in IE8, I couldn't log out.

I had been using the "DIEYOUGRAVYSUCKINGPIGDOG" approach when expiring my
cookies. Instead of setting the expiration date to DateTime.Now.AddDays(-1),
I was going overboard with DateTime.Now.AddYears(-50). However, it appears
that IE8 did not like the 1959 date. It wouldn't just ignore the expiration
date, it didn't seem to process the cookie at all, as I was also changing the
cookie value, but subsequent requests were not showing that the value changed.

After playing with Fiddler for a few hours, I decided to try changing that
to the more conventional .AddDays(-1), and wouldn't you know, that worked.
The authentication cookie was being expired, and all was good.

I don't really feel like figuring out how far back the expiration date is
processed correctly, but this should help repro the issue.

Ugh... nevermind, I thought it was working, but it's still not. I'm not sure
what the bug is. Anyway, here is the raw data from fiddler:

From the request to the logout page (note: it's executing a GET, maybe
that's the issue? Does it only process cookies on POST responses?):
Cookie:
ZLEEK.ASPXAUTH=auth=1G3FkUIsm86pSTK1bXbN42zX3iFD3L 2ZJptWtomzV5r2bf6a0iPQssAIVAjl9G-hxb0uqUSxeaiAsMshKt4Yt22vCLLAFirp&rem=true;
ASP.NET_SessionId=1xxrkwivpl5nd545ydqabxmm

Response from the server:
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Expires: Sun, 03 May 2009 06:24:42 GMT
Server: Microsoft-IIS/7.0
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: ZLEEK.ASPXAUTH=; expires=Sat, 02-May-2009 00:00:00 GMT; path=/
X-Powered-By: ASP.NET
Date: Sun, 03 May 2009 06:24:42 GMT
Connection: close
Content-Length: 2963

Next request from client:
Cookie:
ZLEEK.ASPXAUTH=auth=1G3FkUIsm86pSTK1bXbN42zX3iFD3L 2ZJptWtomzV5r2bf6a0iPQssAIVAjl9G-hxb0uqUSxeaiAsMshKt4Yt22vCLLAFirp&rem=true;
ASP.NET_SessionId=1xxrkwivpl5nd545ydqabxmm

I'm going to try executing logout on a POST... that's what it should be
doing anyway...

Wish you could delete a post. Apparently it was a weird caching problem.
Cleared cache and it worked. Problem came up again, hit F5 to refresh the
page and it showed logged out...

Do not code when tired.

"Steve Commisso" wrote:

> Ugh... nevermind, I thought it was working, but it's still not. I'm not sure
> what the bug is. Anyway, here is the raw data from fiddler:
>
> From the request to the logout page (note: it's executing a GET, maybe
> that's the issue? Does it only process cookies on POST responses?):
> Cookie:
> ZLEEK.ASPXAUTH=auth=1G3FkUIsm86pSTK1bXbN42zX3iFD3L 2ZJptWtomzV5r2bf6a0iPQssAIVAjl9G-hxb0uqUSxeaiAsMshKt4Yt22vCLLAFirp&rem=true;
> ASP.NET_SessionId=1xxrkwivpl5nd545ydqabxmm
>
> Response from the server:
> HTTP/1.1 200 OK
> Cache-Control: private
> Content-Type: text/html; charset=utf-8
> Expires: Sun, 03 May 2009 06:24:42 GMT
> Server: Microsoft-IIS/7.0
> X-AspNetMvc-Version: 1.0
> X-AspNet-Version: 2.0.50727
> Set-Cookie: ZLEEK.ASPXAUTH=; expires=Sat, 02-May-2009 00:00:00 GMT; path=/
> X-Powered-By: ASP.NET
> Date: Sun, 03 May 2009 06:24:42 GMT
> Connection: close
> Content-Length: 2963
>
> Next request from client:
> Cookie:
> ZLEEK.ASPXAUTH=auth=1G3FkUIsm86pSTK1bXbN42zX3iFD3L 2ZJptWtomzV5r2bf6a0iPQssAIVAjl9G-hxb0uqUSxeaiAsMshKt4Yt22vCLLAFirp&rem=true;
> ASP.NET_SessionId=1xxrkwivpl5nd545ydqabxmm
>
> I'm going to try executing logout on a POST... that's what it should be
> doing anyway...

Steve Commisso schrieb am Sat, 2 May 2009 23:25:01 -0700:

> I don't really feel like figuring out how far back the expiration date is
> processed correctly, but this should help repro the issue.

But what for? There is no need to have such old cookie dates. In fact, I use
-3600 seconds for expiration.

Kai
--
Helpsites about Windows: http://www.mvps.org
IE repair script: http://iefaq.info

Steve Commisso schrieb am Sat, 2 May 2009 23:52:11 -0700:

> Wish you could delete a post. Apparently it was a weird caching problem.
> Cleared cache and it worked. Problem came up again, hit F5 to refresh the
> page and it showed logged out...

The second problem or your 50 year approach?

Kai
--
Helpsites about Windows: http://www.mvps.org
IE repair script: http://iefaq.info

OK, found the problem. When I was removing the auth cookie, I wasn't setting
the domain again. I was pulling the cookie from the request, modifying some
values, and adding to the response. Odd thing is that this very same code
worked fine on another website. Maybe it has to do with IIS?

The working server is a Win2K3 box with IIS6. The one which had the problem
is a Win2K8 box with IIS7.

Also, this wasn't working in IE7,Firefox,Chrome... was a caching issue there
as well.

"Kai Schaetzl" wrote:

> Steve Commisso schrieb am Sat, 2 May 2009 23:52:11 -0700:
>
> > Wish you could delete a post. Apparently it was a weird caching problem.
> > Cleared cache and it worked. Problem came up again, hit F5 to refresh the
> > page and it showed logged out...
>
> The second problem or your 50 year approach?
>
> Kai
> --
> Helpsites about Windows: http://www.mvps.org
> IE repair script: http://iefaq.info
>
>

Yeah, like I said, it was pointless but I just set it like that for fun --
but that wasn't the issue anyway, thanks.

"Kai Schaetzl" wrote:

> Steve Commisso schrieb am Sat, 2 May 2009 23:25:01 -0700:
>
> > I don't really feel like figuring out how far back the expiration date is
> > processed correctly, but this should help repro the issue.
>
> But what for? There is no need to have such old cookie dates. In fact, I use
> -3600 seconds for expiration.
>
> Kai
> --
> Helpsites about Windows: http://www.mvps.org
> IE repair script: http://iefaq.info
>
>

[MikeOtown]

Are you able to see the "ASP.NET_SessionId" cookie in IE8's Developer Tools -> Cache menu -> Cookie Information page?

Yes?

"MikeOtown" <MikeOtown.3x0z4e@no-mx.forums.vistaheads.com> wrote in message
news:MikeOtown.3x0z4e@no-mx.forums.vistaheads.com...
>
> Are you able to see the "ASP.NET_SessionId" cookie in IE8's Developer
> Tools -> Cache menu -> Cookie Information page?
>
>
> --
> MikeOtown
> Posted via http://www.vistaheads.com
>
>

[MikeOtown]

Quote:

Originally Posted by rob^_^

Yes?

You sound like you're not sure. Can you post a screen shot?