
IE sends multiple cookies with same name?

I have a strange bug that occurs in IE7/XP and IE8/Vista on my website. IE sends two cookies named PHPSESSID.

How to reproduce:

  1. Clear cookies in IE (not necessary if you never visited unisender.com).

  2. Visit unisender.com (exactly without www to reproduce!) and it will redirect to www.unisender.com

  3. Login with any valid username and password (I've registered username testmsdn with password testmsdn - feel free to use for testing)

  4. Run your favourite capture-the-traffic program (I prefer wireshark)

  5. Now click any menu link (e.g. "messages")

  6. Look at captured traffic - you will see that IE sends double PHPSESSID cookie (and you are logged out after click because of this). It seems like first PHPSESSID is from unisender.com and second from www.unisender.com.

Captured sample:


    GET /en/letter_list HTTP/1.1
    Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, */*
    Referer: http://www.unisender.com/en/intro
    Accept-Language: ru
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.21022; .NET CLR 3.5.30729; FDM; .NET CLR 3.0.30729)
    Accept-Encoding: gzip, deflate
    Host: www.unisender.com
    Connection: Keep-Alive
    Cookie: authchallenge=3a9cfcfc9fe33822e3e21d75c8a3d3e4; PHPSESSID=14ea1cb133632951592397c86eaf037e; us_reg_ref=unknown; us_reg_url=http%3A%2F%2Funisender.com%2F; __utma=1.778517853.1271204400.1271204400.1271204400.1; __utmb=1.3.10.1271204400; __utmc=1; __utmz=1.1271204400.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=65e110aeb995a66b9dc8da5656c7a3da; last_login_name=testmsdn


I've tried to use session and non-session cookies, tried to use .unisender.com instead of unisender.com for cookie - nothing helps.

I suppose there should not be cookies with same name.

Am I right? Is it a bug in IE? If it's a bug then is there a workaround?

Or am I wrong and it's an expected behavior?


This is by-design.

You should either not send a cookie for the "www-less" version of your site, or both versions of your site should set the "domain=example.com" attribute on the PHP session cookie.

Otherwise, these cookies are not actually the same, and hence you'll be sent two. http://blogs.msdn.com/ieinternals/archive/2009/08/20/WinINET-IE-Cookie-Internals-FAQ.aspx
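An added example, not part of the original question or answer: a toy Python model of a cookie store showing why two PHPSESSID values reach www.unisender.com, and why setting the same domain attribute on both hosts collapses them into one. The `Jar` class, `replay` and `duplicate_names` are hypothetical names, the cookie values are constructed, and the matching rule (a cookie set without a domain attribute is also sent to subdomains of the host that set it) is an assumption about IE's behavior; paths are fixed at "/".

```python
from collections import Counter

class Jar:
    """Toy cookie store: identity is (name, domain, path), not the name alone."""
    def __init__(self):
        self.store = {}

    def set_cookie(self, host, name, value, domain=None, path="/"):
        # Assumption: without a domain attribute the cookie is filed under the
        # host that set it; with one, under that domain (leading dot dropped).
        scope = (domain or host).lstrip(".").lower()
        self.store[(name, scope, path)] = value  # same key -> overwrite

    def cookie_header(self, host):
        # Assumed IE matching: a stored scope applies to that host and its
        # subdomains, so "unisender.com" also matches "www.unisender.com".
        host = host.lower()
        pairs = [(name, value) for (name, scope, _), value in self.store.items()
                 if host == scope or host.endswith("." + scope)]
        return "; ".join(f"{name}={value}" for name, value in pairs)

def duplicate_names(cookie_header):
    """Server-side check: cookie names that occur more than once in a Cookie header."""
    names = [part.split("=", 1)[0].strip()
             for part in cookie_header.split(";") if part.strip()]
    return sorted(name for name, count in Counter(names).items() if count > 1)

def replay(domain_attr):
    """Replay the visit: the bare host sets a session cookie, then www does."""
    jar = Jar()
    jar.set_cookie("unisender.com", "PHPSESSID", "aaaa", domain=domain_attr)      # constructed value
    jar.set_cookie("www.unisender.com", "PHPSESSID", "bbbb", domain=domain_attr)  # constructed value
    return jar.cookie_header("www.unisender.com")

if __name__ == "__main__":
    for attr in (None, "unisender.com"):
        header = replay(attr)
        print(f"domain={attr!r}: Cookie: {header}  duplicates={duplicate_names(header)}")
```

Running `duplicate_names` over incoming Cookie headers on the server is a cheap way to log clients that still hold a stale session cookie from the other host name.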
