IE sending multiple cookies with the same name?

I have a strange error that occurs in IE7 / XP and IE8 / Vista on my website. IE sends two cookies called PHPSESSID.

How to reproduce:

  • Delete cookies in IE (not necessary if you have never visited unisender.com).

  • Visit unisender.com (it must be without www to reproduce!), and it will redirect to www.unisender.com

  • Log in with any valid username and password (I registered the testmsdn username with the testmsdn password - feel free to use it for testing)

  • Launch your favorite traffic capture program (I prefer Wireshark)

  • Now click on any menu link (for example, "messages")

  • Look at the captured traffic - you will see that IE sends a double cookie PHPSESSID (and after that you are logged out after clicking). The first PHPSESSID seems to be from unisender.com and the second from www.unisender.com.

Captured Sample:


    GET /en/letter_list HTTP/1.1
    Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, */*
    Referer: http://www.unisender.com/en/intro
    Accept-Language: ru
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1); SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.21022; .NET CLR 3.5.30729; FDM; .NET CLR 3.0.30729)
    Accept-Encoding: gzip, deflate
    Host: www.unisender.com
    Connection: Keep-Alive
    Cookie: authchallenge=3a9cfcfc9fe33822e3e21d75c8a3d3e4; PHPSESSID=14ea1cb133632951592397c86eaf037e; us_reg_ref=unknown; us_reg_url=HTTP%3A%2F%2F%2Funisender.com; __utma=1.778517853.1271204400.1271204400.1271204400.1; __utmb=1.3.10.1271204400; __utmc=1; __utmz=1.1271204400.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(no); PHPSESSID=65e110aeb995a66b9dc8da5656c7a3da; last_login_name=testmsdn


I tried to use session and non-session cookies, tried to use .unisender.com instead of unisender.com for cookies - nothing helps.

I suppose there should not be cookies with the same name.

Am I right? Is this a bug in IE? If this is a bug, is there a workaround?

Or am I mistaken, and is this the expected behavior?

1 answer

This is by design.

You must either not send cookies for the "www-less" version of your site, or both versions of your site must set the attribute "domain=example.com" on the PHP session cookie.

Otherwise, these cookies do not actually match, and therefore two will be sent to you. http://blogs.msdn.com/ieinternals/archive/2009/08/20/WinINET-IE-Cookie-Internals-FAQ.aspx

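The behaviour the answer describes, as an added example (not code from the original post or from IE): a simplified cookie store plus a server-side check that flags duplicate names in a Cookie header. It assumes cookies are identified by (name, domain, path) and are sent to the domain they were stored for and to its subdomains; path matching is left out. The header sample is trimmed from the capture in the question, and all function and class names are hypothetical.

```python
from collections import Counter

# Trimmed from the capture in the question (tracking cookies omitted).
CAPTURED = ("authchallenge=3a9cfcfc9fe33822e3e21d75c8a3d3e4; "
            "PHPSESSID=14ea1cb133632951592397c86eaf037e; us_reg_ref=unknown; "
            "PHPSESSID=65e110aeb995a66b9dc8da5656c7a3da; last_login_name=testmsdn")

def parse_cookie_header(header):
    """Split a Cookie header into (name, value) pairs, keeping duplicates."""
    pairs = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs

def duplicate_names(header):
    """Names that occur more than once; a server can log or reject these."""
    counts = Counter(name for name, _ in parse_cookie_header(header))
    return sorted(n for n, c in counts.items() if c > 1)

def domain_match(host, cookie_domain):
    """True if host is the cookie's domain or one of its subdomains."""
    host, dom = host.lower(), cookie_domain.lstrip(".").lower()
    return host == dom or host.endswith("." + dom)

class CookieStore:
    """Assumed model: a new cookie replaces an old one only when
    name, domain and path are all equal."""
    def __init__(self):
        self.jar = {}

    def set(self, name, value, domain, path="/"):
        self.jar[(name, domain.lstrip(".").lower(), path)] = value

    def header_for(self, host):
        return "; ".join(f"{n}={v}" for (n, d, _), v in self.jar.items()
                         if domain_match(host, d))

def simulate(first_scope, second_scope):
    """Two responses set PHPSESSID under the given domains; return the
    Cookie header a later request to www.unisender.com would carry."""
    store = CookieStore()
    store.set("PHPSESSID", "14ea1cb133632951592397c86eaf037e", first_scope)
    store.set("PHPSESSID", "65e110aeb995a66b9dc8da5656c7a3da", second_scope)
    return store.header_for("www.unisender.com")

if __name__ == "__main__":
    print(simulate("unisender.com", "www.unisender.com"))  # two PHPSESSID
    print(simulate("unisender.com", "unisender.com"))      # one PHPSESSID
```

With different scopes the two cookies are distinct entries and both are sent; with the same domain on both, the second replaces the first.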

Source: https://habr.com/ru/post/1306932/

