Multiple cookies created

[Guest]

Hi all.

I have a scenario where it appears that multiple cookies are created.
We are using ASP.NET 2.0, and one of our pages reads a cookie and display
the value to the web page, using client side JS. This is accomplished by
parsing the document.cookie property.

Here is the scenario. We have one site that has both the headers of
xyz.com.au and www.xyz.com.au

A user browses to xyz.com.au An operation on this page sets a persistent
cookie ( serverside ) key of "abc" and value of "def" with the DOMAIN
property of the cookie set to xyz.com.au
When the page re-renders there is a string in the document.cookie "abc=def",
as well as some other cookie values used by ASP.NET ( ie sessionID, etc ).

If the user is redirected, or browses directly, to www.xyz.com.au, we can
still read the cookie as described above, both server and client side. If
the user performs the same operation as above, we set the persistent cookie
key : "abc" and this time another value "ghi". The DOMAIN property of the
cookie is STILL xyz.com.au

However, this time the document.cookie property in JS contains 2 abc cookies:
abc=def&abc=ghi. Now the client side script cannot distinguish between the
2. Also, the order of the cookie appears to inconsistent.

We never had this problem when the site was running under ASPNET 1.1

Cheers...

Robert

 

[Walter Wang [MSFT]]

Hi Robert,

I've done some test using IE7 on Vista and IIS 6.0 on Win2003 and coundn't
reproduce the issue you mentioned using a simple webpage as follows:

<head runat="server">
<title>Untitled Page</title>
<script type="text/javascript" language="javascript">
alert(document.cookie);
</script>
</head>
<body>
<form id="form1" runat="server">
<div>
<asp:Button ID="Button1" runat="server" OnClick="Button1_Click"
Text="Button" />
<asp:TextBox ID="TextBox1" runat="server"></asp:TextBox></div>
</form>
</body>
</html>

protected void Button1_Click(object sender, EventArgs e)
{
HttpCookie cookie = new HttpCookie("abc", TextBox1.Text);
cookie.Expires = DateTime.Now.AddDays(1);
cookie.Domain = "xyz.com.au";
Response.Cookies.Add(cookie);
}

I'm using hosts file to fake the two dns to point to the same IIS server.


Regards,
Walter Wang ([email protected], remove 'online.')
Microsoft Online Community Support

==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Guest]

Hi Walter,

Thanks for the reply. As is always the case, it's not as simple as I make
out, and I also managed to work out the answer.
We have an entire object model wrapping the HttpApplication, HttpRequest,
HttpResponse, HttpCookieCollection and HttpCookie objects. This was
primarily done as we implemented our own master page concept when the site
was running under 1.1, which has of course come across into the 2.0 port.

In our HttpCookie wrapper, we update the Domain property with the current
HTTP_HOST server variable when the cookie is created. This is immediately
reset with a more appropriate domain value, depending on the site that is
executing at the time ( our code base allows for multiple sites to run from
the same code - similar to master pages, which have differing requirements
for cookie rooting ).

This can also be reset when the Domain property is read. ( silly I know but
I've inherited the code ). Under 2.0, is appears somewhere between the
Application.EndRequest event and the response stream being generated the
Domain property was being invoked ( although I couldn't seem to hit a
breakpoint ) and the domain value was reset, as the application context was
no longer valid ( our configuration settings for the executing site were non
existent - no context ) .

I altered this to only reset if domain was null and the issue has gone away.

ps, as an aside, what was your Set-Cookie header value for each of your
responses. The document.cookie string drops the domain value from each
cookie as compared to the header value.

Cheers...

Rob

 

[Walter Wang [MSFT]]

Hi Robert,

Thank you for your update.

I'm not sure if I've fully understood your existing implementation and why
is it only causing problems in ASP.NET 2.0. Anyway, during my test, the
Set-Cookie header is as follows:

Set-Cookie: abc=hello; domain=xyz.com.au; expires=Sat, 10-Nov-2007 03:48:56
GMT; path=/

Set-Cookie: abc=world; domain=xyz.com.au; expires=Sat, 10-Nov-2007 03:50:51
GMT; path=/



Regards,
Walter Wang ([email protected], remove 'online.')
Microsoft Online Community Support

==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.