IE sends multiple cookies with same name?
Posted
by akach
on Stack Overflow
See other posts from Stack Overflow
or by akach
Published on 2010-04-14T14:47:32Z
Indexed on
2010/04/14
15:33 UTC
Read the original article
Hit count: 193
I have a strange bug that occurs in IE7/XP and IE8/Vista on my website. IE sends two cookies named PHPSESSID.
How to reproduce:
Clear cookies in IE (not necessary if you never visited unisender.com).
Visit unisender.com (exactly without www to reproduce!) and it will redirect to www.unisender.com
Login with any valid username and password (I've registered username testmsdn with password testmsdn - feel free to use for testing)
Run your favourite capture-the-traffic program (I prefer wireshark)
Now click any menu link (e.g. "messages")
Look at captured traffic - you will see that IE sends double PHPSESSID cookie (and you are logged out after click because of this). It seems like first PHPSESSID is from unisender.com and second from www.unisender.com.
Captured sample:
GET /en/letter_list HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, /
Referer: http://www.unisender.com/en/intro
Accept-Language: ru
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.21022; .NET CLR 3.5.30729; FDM; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.unisender.com
Connection: Keep-Alive
Cookie: authchallenge=3a9cfcfc9fe33822e3e21d75c8a3d3e4; PHPSESSID=14ea1cb133632951592397c86eaf037e; us_reg_ref=unknown; us_reg_url=http%3A%2F%2Funisender.com%2F; __utma=1.778517853.1271204400.1271204400.1271204400.1; __utmb=1.3.10.1271204400; __utmc=1; __utmz=1.1271204400.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=65e110aeb995a66b9dc8da5656c7a3da; last_login_name=testmsdn
I've tried to use session and non-session cookies, tried to use .unisender.com instead of unisender.com for cookie - nothing helps.
I suppose there should not be cookies with same name.
Am I right? Is it a bug in IE? If it's a bug then is there a workaround?
Or am I wrong and it's an expected behavior?
© Stack Overflow or respective owner