views: 800
answers: 3

I have a partly inherited web application in PHP and after poking around with Fiddler I have a little more data than before. The problem I'm trying to solve is unwanted logouts on IE6/8 but not FF/Chrome. If a user clicks between different pages, the login data cookies vanish.

The behavior is different in FF vs. IE, and the reported information is different in almost exactly the same way between Fiddler(/IE) and Live HTTP Headers(/FF).

In Firefox the cookies appear to be treated like the PHP specifies: they are created when the user logs in and checks "Remember me", they are only deleted if the user visits the logout page, and they have a two-week expiration date. Live HTTP Headers reports nothing different: the cookies are never reported as being changed or deleted when the user clicks between pages.

But with IE, they disappear when the user clicks between different pages, and Fiddler reports:

Cookies / Login
    Set-Cookie: *******=deleted; expires=Sun, 29-Jun-2008 21:07:46 GMT; path=; domain=.********.com
    Set-Cookie: *******=deleted; expires=Sun, 29-Jun-2008 21:07:46 GMT; path=; domain=.********.com

('deleted' is literally quoted from Fiddler's output. I do not have any place in my code where either value is set to a magic string of 'deleted'.)

Not only do IE and Firefox have different interpretations of what the site is saying, but Fiddler and HTTP Live Headers report correspondingly different versions of what the site does.

Is there something special about IE and 'deleted'? This may sound strange, but does IE want cookies to be re-enabled with each page view or something like that?

And how can I appease IE to bless the cookies in question as not deleted by the server unless the user requests it by visiting the logout URL?

+1  A: 

Does the URL of the page in question have an underscore in it? I recall IE having problems with cookies from domain names which don't follow the domain name specification (RFC 1035, see section 2.3.1).

Also there are (where?) some limitations in IE regarding cookie size and number of cookies per domain. In IE6 I believe the limitation was a maximum size of 4095 bytes for all cookies per domain, and 20 cookies per domain.

The problem might also arise if you use header-based redirection, where IE could lose track of the cookie.

Btw., the dates you provided in the two Set-Cookie directives: are they from an old log, or does the server really set a cookie with an expiry date in the past (which is the usual way to say "hey browser, delete this cookie as it already expired days ago")?

jitter
Thanks. There are no underscores in the domain or subdomain. The cookies are in this case below 80 bytes in length, and there are maybe half a dozen of them--not enough to get dropped for that reason. I use header-based redirection when the user does things that are not needed to reproduce the problem; I don't use header-based redirection. As for the "far-past" expiration date--it was almost exactly a year before the post I made; I was quoting fresh data. The logout.php expires those fields to -365 days, but sets a value of "" instead of "deleted" (a string not found in any PHP file sitewide).
JonathanHayward
+2  A: 

IE won't set a cookie if the host has an underscore in it, but that's not the problem here.

Fiddler doesn't "invent" anything -- if it says that it got an HTTP header setting the cookie to the value "deleted", that means that the server literally sent that.

You might want to take a look at whether or not you have any errant requests going out on the wire that are causing the server to delete the cookies. For instance, in another thread, someone noted that an IMG tag with a source of "" (empty string) would cause IE to send a request for the root of the site, and their homepage deleted the login cookies if visited.

IE6/7/8 currently have a limit of 50 cookies per host, but that's not what you're hitting here either.

EricLaw -MSFT-
Thank you. I know that I could deliberately create a string of "deleted" as "dele" . "ted" or 200 other possibilities, but a case insensitive search for "deleted" in the source tree turned up an absolutely empty result set. What could I be doing that would not only have me expiring cookies without realizing I'm doing it, but expire them while setting them to a string I cannot find in the source? (And why would Firefox's HTTP Live Headers simply miss what Fiddler observed?) I'm genuinely puzzled.
JonathanHayward
It's likely that there's a PHP method or feature that emits the DELETED text when expiring a cookie.
EricLaw -MSFT-
Indeed, PHP session management functions set the cookie time to the past and the content to the literal "deleted" when deleting them.
Piskvor
+1  A: 

What I eventually found was as follows: Firefox and IE were behaving differently because they were treating caching differently when a missing document was within the 14-day Expires: headers that had been set.

Firefox was apparently checking once for missing data, and then not requesting it again.

IE, on the other hand, kept on checking for an item that a stylesheet gave the wrong path for, got 404 pages, and the custom 404 page did a boilerplate invitation to log in that triggered the user being logged out (perhaps not the best boilerplate). I guess the stylesheet was cached, but IE kept on asking for items that were missing.

So it was caching differences plus indirect inclusion plus 404 page behavior.

I still don't know what "deleted" came from. (Does PHP supply the word "deleted" if you set a cookie string to an empty value?)

JonathanHayward
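The diagnosis above (an errant request for a missing asset whose 404 page cleared the login cookies, with PHP writing the literal "deleted" for an empty cookie value) can be located mechanically from a captured trace. The following is an added example, not code from the question or any answer; the trace, paths and domain are constructed placeholders.

```python
# Added example (not from the question or answers): scan a constructed Fiddler-style
# trace for responses that clear a cookie, i.e. a Set-Cookie whose value is the literal
# "deleted" (PHP's marker for an empty value) or whose expires= date is already past.
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed trace (placeholder paths/domain): request line, status line, headers.
TRACE = """\
GET /members/home.php HTTP/1.1
HTTP/1.1 200 OK

GET /img/missing-background.png HTTP/1.1
HTTP/1.1 404 Not Found
Set-Cookie: login=deleted; expires=Sun, 29-Jun-2008 21:07:46 GMT; path=/; domain=.example.com
Set-Cookie: user=deleted; expires=Sun, 29-Jun-2008 21:07:46 GMT; path=/; domain=.example.com

GET /logout.php HTTP/1.1
HTTP/1.1 302 Found
Set-Cookie: remember=; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
"""

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    first, *rest = [p.strip() for p in header_value.split(";")]
    name, _, value = first.partition("=")
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in rest)}
    return name.strip(), value, attrs

def is_deletion(value, attrs, now):
    """True when the cookie is being cleared: PHP's "deleted" marker or a past expires=."""
    try:
        return value == "deleted" or parsedate_to_datetime(attrs["expires"]) < now
    except (KeyError, TypeError, ValueError):  # no or unparsable expires= attribute
        return False

def find_cookie_deletions(trace, now=None):
    """Return [(request_path, status, cookie_name)] for every clearing response."""
    now = now or datetime.now(timezone.utc)
    found = []
    for block in trace.strip().split("\n\n"):
        request, status_line, *headers = block.splitlines()
        path, status = request.split()[1], int(status_line.split()[1])
        for hname, _, hval in (h.partition(":") for h in headers):
            if hname.strip().lower() == "set-cookie":
                name, value, attrs = parse_set_cookie(hval.strip())
                if is_deletion(value, attrs, now):
                    found.append((path, status, name))
    return found

for path, status, name in find_cookie_deletions(TRACE):
    print(f"{status} {path} clears cookie {name!r}")
```

Run against a real Fiddler or Live HTTP Headers export in the same request/status/headers layout, the only expected hit is the logout URL; any other path listed is the request to investigate.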