Microsoft KB Archive/828570

= BUG: Internet Explorer Reuses the Cookie of a Parent Domain When the Same Instance Visits a Child Domain =

PSS ID Number: 828570

Article Last Modified on 2/12/2004

-

The information in this article applies to:


 * Microsoft Internet Explorer (Programming) 6 (SP1)

-





SYMPTOMS
When you visit a Web page that is inside a three-level domain (for example, www.fourthcoffee.com) in the same Microsoft Internet Explorer instance that you used to visit a two-level domain (for example, fourthcoffee.com), Internet Explorer may reuse the cookie of the two-level domain Web site.



CAUSE
When you visit a Web page with a two-level domain name (for example, .com), an ASP page writes a cookie to the client. The cookie only has the Path property set to the root folder (&quot;/&quot;). No other property is set. When this ASP page is refreshed, the cookie is sent to the Web server and the Web server updates the value of the cookie accordingly. In this current Internet Explorer instance, if you append the current URL with &quot;www&quot; at the beginning of the URL, Internet Explorer reuses the original cookie (for .com) and then sends it to the www. .com host. The Web server does not know which cookie to use, and the Web server ignores the cookie for that particular Internet Explorer instance.

After Internet Explorer reuses the three-level domain cookie for the two-level domain, it sends the cookie to the Web server. The Web server determines that the host name that the client is hitting is different from the host name that is recorded in the cookie, and it sets a new cookie for the client. When the second request is made to the two-level domain, Internet Explorer sends out two cookies. These two cookies have the same names but have different values (one is old and one is new). The Web server only reads one of the cookies but the Web server does not write new values to the cookie. From that point on, none of the cookies on the client side is updated. Therefore, the intended value set for the cookie from the server side is never set.



RESOLUTION
If you visit the two-level Web site before you visit the three-level Web site, this behavior does not occur. This behavior also does not occur if you use separate instances of Internet Explorer to visit the pages.



STATUS
Microsoft has confirmed that this is a bug in the Microsoft products that are listed at the beginning of this article.



Steps to Reproduce the Behavior
  Create a page that is named Test.asp, and then paste the following code in the file: <% Dim myValue, CookieName

CookieName = &quot;myCookie&quot;

myValue = Request.Cookies(CookieName)

Response.Write &quot;CookieVal = &quot; & myValue & &quot; &quot;

if myValue = &quot;&quot; then myValue = 0 else myValue = myValue + 1 end if

Response.Cookies(CookieName).Expires = now + 3000 Response.Cookies(CookieName).Path = &quot;/&quot; Response.Cookies(CookieName) = myValue

Response.Write &quot;New CookieVal = &quot; & myValue %>  Put this page on two servers that are running Internet Information Services (IIS), or put this page on one server, depending on your IIS configuration). Make sure that one of the servers can be accessed through a two-level domain that is similar to http:// .com and that the other one can be accessed through a three-level domain similar to http://www. .com. In Internet Explorer, visit the page through http:// .com (for example, http:// .com/test.asp). On the page, &quot;CookieVal&quot; is blank and the &quot;New CookieVal&quot; is 0. Refresh the page three times. Now the &quot;CookieVal&quot; is 2 and the &quot;New CookieVal&quot; is 3. In the same instance of Internet Explorer, visit the following URL:

http://www. .com/test.asp

The values of &quot;CookieVal&quot; and of &quot;New CookieVal&quot; both increase by 1.</li> However, after the first time you visit the new URL, the cookie value will not increase when you subsequently refresh Internet Explorer.</li></ol>

Additional query words: parent child

Keywords: kbpending kbbug KB828570

Technology: kbAudDeveloper kbIEsearch kbSDKIE600 kbSDKIESearch

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.