Obscure Bug: ASP.NET doesn't handle cookies with non-standard server names
Jon Box ran into a crazy bug today with ASP.NET, IIS and Cookie handling. These are my favorite bugs. I love sniffing HTTP traffic; not sure why.
I had thought that his cookie was being dropped due to a missing P3P privacy policy. Turns out, it seems, that his server name was like SERVER_NAME and that an underscore is outside of the RFC guidelines, specifically RFC 1034 and RFC 1035. His IIS support guy at Microsoft pointed to Q222823 that mentions a warning message you'd get when naming your server in this non-standard way:
"The computer name "computer name" contains one or more non-standard characters. Standard characters include letters (A-Z, a-z), digits (0-9), and hyphens. Using a non-standard name will prevent other users from finding your computer on the network, unless your network is using the Microsoft DNS Server. Do you wish to use this non-standard name?"
The conclusion is that ASP.NET doesn't handle cookies properly unless the DNS name of the server in question is within specifications for standard naming. Seems obvious in retrospect, but the fact that the cookie is just dropped doesn't automatically lead one to this conclusion. Kudos to Jon for sticking to the problem. If he posts more details on his blog, I'll add a link.
UPDATE: Looks like it's IE, not ASP.NET, and for security purposes. Thanks Jeff Berkowitz!
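A check to run over a list of site URLs before relying on cookies, flagging host names that break the letters, digits and hyphens rule quoted in the warning above. This is an added example, not code from the original post; the sample URLs are constructed, and accepting a leading digit in a label is an assumption that follows the RFC 1123 relaxation.

```javascript
// Added example: flag host names outside the letters-digits-hyphens (LDH)
// rule of RFC 1034/1035, the condition under which the post's cookie vanished.
// Assumption: a label may start with a digit (RFC 1123 relaxation).
const LDH_LABEL = /^[a-z0-9]([a-z0-9-]*[a-z0-9])?$/i;

// Return a list of problems for one host name; an empty list means conformant.
function hostnameProblems(host) {
  const problems = [];
  const name = host.endsWith(".") ? host.slice(0, -1) : host; // allow FQDN dot
  if (name.length === 0) return ["empty host name"];
  if (name.length > 253) problems.push("name longer than 253 characters");
  for (const label of name.split(".")) {
    if (label.length === 0) {
      problems.push("empty label");
    } else if (label.length > 63) {
      problems.push(`label "${label}" longer than 63 characters`);
    } else if (!LDH_LABEL.test(label)) {
      // Collect the distinct characters that are not letters, digits or hyphens.
      const bad = [...new Set(label.replace(/[a-z0-9-]/gi, ""))];
      problems.push(bad.length
        ? `label "${label}" contains non-standard character(s): ${bad.join(" ")}`
        : `label "${label}" starts or ends with a hyphen`);
    }
  }
  return problems;
}

// Pull the host out of each URL and report the ones a strict client may reject.
function auditUrls(urls) {
  const findings = [];
  for (const u of urls) {
    const host = new URL(u).hostname; // the URL parser lowercases the host
    const problems = hostnameProblems(host);
    if (problems.length) findings.push({ url: u, host, problems });
  }
  return findings;
}

// Constructed sample inventory; SERVER_NAME is the post's own placeholder.
const SAMPLE_URLS = [
  "http://SERVER_NAME/app/login.aspx",
  "http://server-name/app/login.aspx",
  "http://intranet.example.com/",
];

for (const f of auditUrls(SAMPLE_URLS)) {
  console.log(`${f.host}: ${f.problems.join("; ")}`);
}
```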
About Scott
Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.
I encountered the same problem in the days before .Net.
We traced it to the underscore in the name, but it was Internet Explorer that would not accept the cookies from this server name.
Worse than that, whilst trying to fathom the problem, we had one older version of IE that would, and the newer, more secure version that would not, which proved to be a real red herring.
Jeff