plq
asked on
ASP Cookie Path Question
My web application suffers from the following cookie dilemma. All cookies are "get and set" using request.cookies and response.cookies in ASP code
The problem is related to:
Request.Cookies("Name").Pa th = "/"
When I comment this line out, some users get an error because the cookie has not survived between page transitions
When the line is in, the cookie survives but any attempt to change the cookie value (by the same page) is ignored, even when path is set every time.
Does anyone out there understand whats going on and what the best practice is ?
thanks
Paul
The problem is related to:
Request.Cookies("Name").Pa
When I comment this line out, some users get an error because the cookie has not survived between page transitions
When the line is in, the cookie survives but any attempt to change the cookie value (by the same page) is ignored, even when path is set every time.
Does anyone out there understand whats going on and what the best practice is ?
thanks
Paul
ASKER
thanks
I can try that but being short of test environments to reproduce the first scenario, what I'm really looking for is an understanding of how the cookie path works
I can try that but being short of test environments to reproduce the first scenario, what I'm really looking for is an understanding of how the cookie path works
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Do you have the exact error that gets thrown?
ASKER
eyeh8u: Sorry for getting request and response mixed up, the code is fine and has been in production for a couple of years.
>> The path of a cookie is an instruction to the web server ...<<
So wouldn't you expect Request.Cookies("Name").Pa th = "/" to be the same as leaving it out ?
webwoman: No, theres no error, just the cookie loses its value.
When we introduced Request.Cookies("Name").Pa th = "/" I think it was because of a 500 or 404 error, can't remember which. I don't actually have a pc that reproduces it right now.
>> The path of a cookie is an instruction to the web server ...<<
So wouldn't you expect Request.Cookies("Name").Pa
webwoman: No, theres no error, just the cookie loses its value.
When we introduced Request.Cookies("Name").Pa
Yes, it would be the same, the default is "/" You only need to set path when you don't want it to be /
ASKER
I've just found this
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q316112
Which suggests that path = "/" will be needed when the computer name of the server contains an underscore. Not sure thats the answer but will investigate.
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q316112
Which suggests that path = "/" will be needed when the computer name of the server contains an underscore. Not sure thats the answer but will investigate.
AH Well that's the problem solved then!
I was stung with this one myself recently, we wrote an app on our server: codename-ws1 and it was deployed to the client, their server was codename_ws1, the code fell appart as it relies on asp sessions, which IE refuses to send to servers with an _ in the name.
Technicaly, the _ character is illegal in DNS, so you should NEVER put one even in a server name.
It's bound to cause your problem.
I was stung with this one myself recently, we wrote an app on our server: codename-ws1 and it was deployed to the client, their server was codename_ws1, the code fell appart as it relies on asp sessions, which IE refuses to send to servers with an _ in the name.
Technicaly, the _ character is illegal in DNS, so you should NEVER put one even in a server name.
It's bound to cause your problem.
ASKER
I've asked a couple of people I know of who had this problem what their computer names are, but its not the whole problem solved anyway.
It does not explain why setting the path the "/" stops the cookie from surviving page transitions when the cookie has been rewritten. Here's the scenario:
- User gets logon page logon.asp
- Fills in pwd and the pwd goes via a form to logonaccept.asp
- Logonaccept contains the following code
sAuth = midtierobject.Logon( ... )
if left(sAuth, 5) <> "Error" then
Response.Cookies("AuthCode ") = sAuth
Response.Cookies("AuthCode ").Expires = DateAdd("d", 1, Now())
Response.Cookies("AuthCode ").Path = "/"
- If the user gets password wrong logonaccept will redirect back to logon.asp
- If the user gets password right logonaccept will redirect to the app
- When the user gets password wrong, and they then fill in the correct password, the cookie does not survive between logonaccept and the app. I've tested and debugged this and its definitely losing the cookie (i.e. not some coding error)
- but if I take the line path = "/" out, it works OK
I would add that most installations are second level - e.g.
http://computername/myapp/logon.asp
It does not explain why setting the path the "/" stops the cookie from surviving page transitions when the cookie has been rewritten. Here's the scenario:
- User gets logon page logon.asp
- Fills in pwd and the pwd goes via a form to logonaccept.asp
- Logonaccept contains the following code
sAuth = midtierobject.Logon( ... )
if left(sAuth, 5) <> "Error" then
Response.Cookies("AuthCode
Response.Cookies("AuthCode
Response.Cookies("AuthCode
- If the user gets password wrong logonaccept will redirect back to logon.asp
- If the user gets password right logonaccept will redirect to the app
- When the user gets password wrong, and they then fill in the correct password, the cookie does not survive between logonaccept and the app. I've tested and debugged this and its definitely losing the cookie (i.e. not some coding error)
- but if I take the line path = "/" out, it works OK
I would add that most installations are second level - e.g.
http://computername/myapp/logon.asp
ASKER
Hold on...
ASKER
Just fixed the second problem as follows:
before...
sAuth = midtierobject.Logon( ... )
if left(sAuth, 5) <> "Error" then
Response.Cookies("AuthCode ") = sAuth
Response.Cookies("AuthCode ").Expires = DateAdd("d", 1, Now())
Response.Cookies("AuthCode ").Path = "/"
else
Response.Cookies("AuthCode ") = ""
end if
after....
sAuth = midtierobject.Logon( ... )
if left(sAuth, 5) <> "Error" then
Response.Cookies("AuthCode ") = sAuth
Response.Cookies("AuthCode ").Expires = DateAdd("d", 1, Now())
Response.Cookies("AuthCode ").Path = "/"
else
Response.Cookies("AuthCode ") = ""
Response.Cookies("AuthCode ").Path = "/"
end if
That works
Once a cookies path has been set to "/", it seems you have to set it to "/" every time. I think whats happening is the cookie at the lower level (at http://computername/myapp) will take precedence over the parent directory cookie (at http://computername)
Well that solves the problem for me because I can now use Response.Cookies("AuthCode ").Path = "/" all the time.
Phew
before...
sAuth = midtierobject.Logon( ... )
if left(sAuth, 5) <> "Error" then
Response.Cookies("AuthCode
Response.Cookies("AuthCode
Response.Cookies("AuthCode
else
Response.Cookies("AuthCode
end if
after....
sAuth = midtierobject.Logon( ... )
if left(sAuth, 5) <> "Error" then
Response.Cookies("AuthCode
Response.Cookies("AuthCode
Response.Cookies("AuthCode
else
Response.Cookies("AuthCode
Response.Cookies("AuthCode
end if
That works
Once a cookies path has been set to "/", it seems you have to set it to "/" every time. I think whats happening is the cookie at the lower level (at http://computername/myapp) will take precedence over the parent directory cookie (at http://computername)
Well that solves the problem for me because I can now use Response.Cookies("AuthCode
Phew
>>I've asked a couple of people I know of who had this problem what their computer names are, but its not the whole problem solved anyway.
It only matters about the SERVER not the client. IE won't send ASP session cookies to servers with an _ in the name. This shouldn't affect your regular cookies set with Response.Cookies() I beleive.
Can you re-create the problem reliably? If so, use the HTTP Sniffer I linked earlier and see exactly what is /actualy/ being sent to the browser and what the browser is returning, even if you are confident you are correctly setting cookies in all cases, it can be very enlightening to see exactly where the fall down is occuring.
It only matters about the SERVER not the client. IE won't send ASP session cookies to servers with an _ in the name. This shouldn't affect your regular cookies set with Response.Cookies() I beleive.
Can you re-create the problem reliably? If so, use the HTTP Sniffer I linked earlier and see exactly what is /actualy/ being sent to the browser and what the browser is returning, even if you are confident you are correctly setting cookies in all cases, it can be very enlightening to see exactly where the fall down is occuring.
ASKER
The server is often installed at the customers premises. This is a web app, not a web site.
I can't recreate the problem here. But anyway, the workaround is to always set path. Although it would be interesting to investigate more I will have to move onto other things. Points coming up..
thanks everyone for helping
I can't recreate the problem here. But anyway, the workaround is to always set path. Although it would be interesting to investigate more I will have to move onto other things. Points coming up..
thanks everyone for helping
ASKER
Could you guys take a look at this seemingly related problem
https://www.experts-exchange.com/questions/21359114/Cookies-disappearing-after-20-minutes-on-windows-2003-server.html
thanks
https://www.experts-exchange.com/questions/21359114/Cookies-disappearing-after-20-minutes-on-windows-2003-server.html
thanks
Server.MapPath
Good Luck!