IE sends multiple cookies with same name?

Posted by akach on Stack Overflow
Published on 2010-04-14T14:47:32Z

I have a strange bug that occurs in IE7/XP and IE8/Vista on my website. IE sends two cookies named PHPSESSID.

How to reproduce:

  1. Clear cookies in IE (not necessary if you never visited unisender.com).

  2. Visit unisender.com (exactly without www to reproduce!) and it will redirect to www.unisender.com

  3. Log in with any valid username and password (I've registered username testmsdn with password testmsdn - feel free to use it for testing)

  4. Run your favourite capture-the-traffic program (I prefer wireshark)

  5. Now click any menu link (e.g. "messages")

  6. Look at the captured traffic - you will see that IE sends the PHPSESSID cookie twice (and you are logged out after the click because of this). It seems like the first PHPSESSID is from unisender.com and the second from www.unisender.com.

Captured sample:


```
GET /en/letter_list HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, */*
Referer: http://www.unisender.com/en/intro
Accept-Language: ru
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.21022; .NET CLR 3.5.30729; FDM; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.unisender.com
Connection: Keep-Alive
Cookie: authchallenge=3a9cfcfc9fe33822e3e21d75c8a3d3e4; PHPSESSID=14ea1cb133632951592397c86eaf037e; us_reg_ref=unknown; us_reg_url=http%3A%2F%2Funisender.com%2F; __utma=1.778517853.1271204400.1271204400.1271204400.1; __utmb=1.3.10.1271204400; __utmc=1; __utmz=1.1271204400.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=65e110aeb995a66b9dc8da5656c7a3da; last_login_name=testmsdn
```


I've tried to use session and non-session cookies, tried to use .unisender.com instead of unisender.com for the cookie - nothing helps.

I suppose there should not be cookies with the same name.

Am I right? Is it a bug in IE? If it's a bug then is there a workaround?

Or am I wrong and it's expected behavior?
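
A check a server could run on each request to notice the situation in the captured sample, as an added example that is not part of the original post: it parses the Cookie header in wire order and reports when the session cookie name arrives more than once. The function names are assumptions, and the sample header is the captured one shortened to the relevant cookies.

```python
# Added example, not code from the original post. Function names are hypothetical.
# Cookie header from the captured sample, shortened to the cookies that matter.
CAPTURED_COOKIE_HEADER = (
    "authchallenge=3a9cfcfc9fe33822e3e21d75c8a3d3e4; "
    "PHPSESSID=14ea1cb133632951592397c86eaf037e; "
    "us_reg_ref=unknown; "
    "PHPSESSID=65e110aeb995a66b9dc8da5656c7a3da; "
    "last_login_name=testmsdn"
)


def parse_cookie_header(header):
    """Return (name, value) pairs in wire order, keeping repeated names."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing or doubled ';'
        name, sep, value = part.partition("=")
        if not sep:
            # A token with no '=' has no name; keep it as a nameless value.
            name, value = "", part
        pairs.append((name.strip(), value.strip()))
    return pairs


def duplicate_cookies(header):
    """Map each cookie name seen more than once to its values, in wire order."""
    seen = {}
    for name, value in parse_cookie_header(header):
        seen.setdefault(name, []).append(value)
    return {name: values for name, values in seen.items() if len(values) > 1}


def audit_request(header, session_cookie="PHPSESSID"):
    """Return a log line if the session cookie is ambiguous, else None."""
    values = duplicate_cookies(header).get(session_cookie)
    if values is None:
        return None
    # The values are session identifiers, so only counts go into the log line.
    return "ambiguous %s: %d values received, %d distinct" % (
        session_cookie, len(values), len(set(values)))


if __name__ == "__main__":
    print(audit_request(CAPTURED_COOKIE_HEADER))
```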
