ASP Cookie Path Question

My web application suffers from the following cookie dilemma. All cookies are "get and set" using request.cookies and response.cookies in ASP code.

The problem is related to:

Request.Cookies("Name").Path = "/"

When I comment this line out, some users get an error because the cookie has not survived between page transitions.

When the line is in, the cookie survives but any attempt to change the cookie value (by the same page) is ignored, even when path is set every time.

Does anyone out there understand what's going on and what the best practice is?

thanks
Paul
Asked by plq
 
eyeh8u Commented:
Request.Cookies("Name").Path = "/"

Request.Cookies should be providing read-only access to the cookies that are returned to your server by the user's browser. Is this a typo? Do you mean Response.Cookies("Name").Path = "/"?

Cookies are HTTP header information. You cannot change a cookie after the header of the page has been written. IIS will write the headers when the first input is sent to the page. After you have done this you can't change them; IIS should throw an error. If you have On Error Resume Next in your code, this error will be suppressed and you won't see what is going on.

<%
Response.Cookies("name") = "value"
%>
After here no header changes are legal
<%
Response.Cookies("name") = "value2" ' This should throw an error
%>

The path of a cookie is an instruction to the web server and the browser for where a cookie is valid. If you set the path to /forums it won't get sent back to /articles for example. But it's up to the browser to get this right.

The best thing to do is something like

<%
Response.Buffer = True
' page business logic
' set cookies
' page display asp code
%>

Set the cookies once in a page, before anything is output to the page. Remove the error suppression code and test to see if something is falling over silently.

Try using HTTPSpy (http://www.rwtemple.com/software/HttpSpy) to watch the HTTP headers between your browser and the site that has the problem, you'll be able to see EXACTLY what is going on with the cookies, invaluable for tracking down cookie issues.
0
 
mrwebdev Commented:
Have you tried:

Server.MapPath


Good Luck!
0
 
plq (Author) Commented:
thanks

I can try that but being short of test environments to reproduce the first scenario, what I'm really looking for is an understanding of how the cookie path works
0
 
webwoman Commented:
Do you have the exact error that gets thrown?
0
 
plq (Author) Commented:
eyeh8u: Sorry for getting request and response mixed up, the code is fine and has been in production for a couple of years.

>> The path of a cookie is an instruction to the web server ...<<
So wouldn't you expect Request.Cookies("Name").Path = "/" to be the same as leaving it out ?


webwoman: No, there's no error, just the cookie loses its value.

When we introduced Request.Cookies("Name").Path = "/" I think it was because of a 500 or 404 error, can't remember which. I don't actually have a pc that reproduces it right now.
0
 
eyeh8u Commented:
Yes, it would be the same, the default is "/". You only need to set path when you don't want it to be /
0
 
plq (Author) Commented:
I've just found this

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q316112

Which suggests that path = "/" will be needed when the computer name of the server contains an underscore. Not sure that's the answer but will investigate.
0
 
eyeh8u Commented:
AH Well that's the problem solved then!

I was stung with this one myself recently. We wrote an app on our server, codename-ws1, and it was deployed to the client; their server was codename_ws1. The code fell apart as it relies on ASP sessions, which IE refuses to send to servers with an _ in the name.

Technically, the _ character is illegal in DNS, so you should NEVER put one even in a server name.

It's bound to cause your problem.
0
 
plq (Author) Commented:
I've asked a couple of people I know of who had this problem what their computer names are, but it's not the whole problem solved anyway.

It does not explain why setting the path to "/" stops the cookie from surviving page transitions when the cookie has been rewritten. Here's the scenario:

- User gets logon page logon.asp
- Fills in pwd and the pwd goes via a form to logonaccept.asp
- Logonaccept contains the following code

      sAuth = midtierobject.Logon( ... )
      if left(sAuth, 5) <> "Error" then
            Response.Cookies("AuthCode") = sAuth
            Response.Cookies("AuthCode").Expires = DateAdd("d", 1, Now())
            Response.Cookies("AuthCode").Path = "/"


- If the user gets password wrong logonaccept will redirect back to logon.asp
- If the user gets password right logonaccept will redirect to the app

- When the user gets password wrong, and they then fill in the correct password, the cookie does not survive between logonaccept and the app. I've tested and debugged this and it's definitely losing the cookie (i.e. not some coding error)

- but if I take the line path = "/" out, it works OK

I would add that most installations are second level - e.g.
   http://computername/myapp/logon.asp

0
 
plq (Author) Commented:
Hold on...
0
 
plq (Author) Commented:
Just fixed the second problem as follows:

before...

     sAuth = midtierobject.Logon( ... )
     if left(sAuth, 5) <> "Error" then
          Response.Cookies("AuthCode") = sAuth
          Response.Cookies("AuthCode").Expires = DateAdd("d", 1, Now())
          Response.Cookies("AuthCode").Path = "/"
     else
          Response.Cookies("AuthCode") = ""
     end if


after....

     sAuth = midtierobject.Logon( ... )
     if left(sAuth, 5) <> "Error" then
          Response.Cookies("AuthCode") = sAuth
          Response.Cookies("AuthCode").Expires = DateAdd("d", 1, Now())
          Response.Cookies("AuthCode").Path = "/"
     else
          Response.Cookies("AuthCode") = ""
          Response.Cookies("AuthCode").Path = "/"
     end if

That works

Once a cookie's path has been set to "/", it seems you have to set it to "/" every time. I think what's happening is the cookie at the lower level (at http://computername/myapp) will take precedence over the parent directory cookie (at http://computername).

Well that solves the problem for me because I can now use  Response.Cookies("AuthCode").Path = "/" all the time.

Phew
0
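The shadowing described in the post above, as an added example that is not part of the original thread: a minimal cookie jar following the RFC 6265 storage, default-path and ordering rules, showing why an `AuthCode` cleared without a path hides the later `AuthCode` set with `Path=/`. The class, the helper names, `/myapp/default.asp` and the token value are constructed, and the server is assumed to read the first cookie with a given name.

```javascript
// Added example (not from the thread): a minimal RFC 6265-style cookie jar.
// Paths and the token value are constructed for illustration.
class CookieJar {
  constructor() { this.store = new Map(); }

  // Default path when Set-Cookie carries no Path: directory of the request URL.
  static defaultPath(reqPath) {
    const i = reqPath.lastIndexOf("/");
    return i <= 0 ? "/" : reqPath.slice(0, i);
  }

  // Cookies are keyed by name AND path, so the same name can be stored twice.
  set(reqPath, name, value, path) {
    const p = path || CookieJar.defaultPath(reqPath);
    this.store.set(name + "|" + p, { name, value, path: p });
  }

  static pathMatches(cookiePath, reqPath) {
    if (reqPath === cookiePath) return true;
    if (!reqPath.startsWith(cookiePath)) return false;
    return cookiePath.endsWith("/") || reqPath[cookiePath.length] === "/";
  }

  // Cookie request header: cookies with longer paths are listed first.
  header(reqPath) {
    return [...this.store.values()]
      .filter(c => CookieJar.pathMatches(c.path, reqPath))
      .sort((a, b) => b.path.length - a.path.length)
      .map(c => c.name + "=" + c.value)
      .join("; ");
  }
}

// Assumption: the server-side reader returns the first pair with that name.
function firstValue(header, name) {
  const hit = header.split("; ").find(p => p.split("=")[0] === name);
  return hit === undefined ? undefined : hit.slice(name.length + 1);
}

// A failed logon clears the cookie, then a good logon sets it with Path=/.
function scenario(clearWithRootPath) {
  const jar = new CookieJar();
  const page = "/myapp/logonaccept.asp";
  jar.set(page, "AuthCode", "", clearWithRootPath ? "/" : undefined);
  jar.set(page, "AuthCode", "tok123", "/");
  const header = jar.header("/myapp/default.asp");
  return { header, seen: firstValue(header, "AuthCode") };
}
```

`scenario(false)` reproduces the "before" code: two `AuthCode` cookies are sent and the empty one scoped to `/myapp` comes first. `scenario(true)` matches the "after" code, where both writes target the same name and path and the second replaces the first.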
 
eyeh8u Commented:
>>I've asked a couple of people I know of who had this problem what their computer names are, but it's not the whole problem solved anyway.

It only matters about the SERVER not the client. IE won't send ASP session cookies to servers with an _ in the name. This shouldn't affect your regular cookies set with Response.Cookies() I believe.

Can you re-create the problem reliably? If so, use the HTTP Sniffer I linked earlier and see exactly what is /actually/ being sent to the browser and what the browser is returning. Even if you are confident you are correctly setting cookies in all cases, it can be very enlightening to see exactly where the fall down is occurring.
0
 
plq (Author) Commented:
The server is often installed at the customers premises. This is a web app, not a web site.

I can't recreate the problem here. But anyway, the workaround is to always set path. Although it would be interesting to investigate more I will have to move onto other things. Points coming up..

thanks everyone for helping
0
 
plq (Author) Commented:
Could you guys take a look at this seemingly related problem

http://www.experts-exchange.com/Operating_Systems/Windows_Server_2003/Q_21359114.html

thanks
0
Question has a verified solution.