Microsoft KB Archive/217043

= FIX: Cookies Can Be Set for Generic Domain Names =

Article ID: 217043

Article Last Modified on 10/16/2002


APPLIES TO


 * Microsoft Internet Explorer 2.0
 * Microsoft Internet Explorer (Programming) 2.01
 * Microsoft Internet Explorer 2.1
 * Microsoft Internet Explorer 3.0
 * Microsoft Internet Explorer 3.01
 * Microsoft Internet Explorer 3.02
 * Microsoft Internet Explorer 4.0 128-Bit Edition
 * Microsoft Internet Explorer 4.01 Service Pack 2
 * Microsoft Internet Explorer 4.01 Service Pack 1




This article was previously published under Q217043



SYMPTOMS
Web sites with a country suffix may be sent unwanted cookies from the client browser.



CAUSE
When you set cookies, the domain name should contain at least two periods and match the domain name of the server setting the cookie. This way an organization can set cookies for its company only, for example, ".microsoft.com". Many browsers, including all versions of Internet Explorer prior to 5.0, do not account for a country suffix. This allows the setting of cookies for generic domain names such as ".com.au" or ".co.uk".
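The acceptance rule described above, as an added example that is not part of the original article or any Microsoft code: it compares the "two periods plus matching domain" check with a variant that refuses a Domain value that is itself a registry suffix. The suffix set is a small constructed sample, the host and function names are hypothetical, and the suffix-aware variant is one assumed way to account for country suffixes, not a description of the Internet Explorer 5.0 fix.

```javascript
// Added example. SAMPLE_SUFFIXES is a constructed stand-in for a real
// registry-suffix list; all function names here are hypothetical.
const SAMPLE_SUFFIXES = new Set(["com", "au", "uk", "com.au", "co.uk"]);

// Normalise a Domain attribute: lower-case with exactly one leading period.
function normalise(cookieDomain) {
  return "." + cookieDomain.trim().toLowerCase().replace(/^\.+/, "");
}

// True when the host falls inside the cookie's domain (tail match).
function tailMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = normalise(cookieDomain);
  return h === d.slice(1) || h.endsWith(d);
}

// Rule from the CAUSE section: at least two periods plus a tail match
// against the server that sets the cookie.
function legacyAccepts(settingHost, cookieDomain) {
  const periods = normalise(cookieDomain).split(".").length - 1;
  return periods >= 2 && tailMatches(settingHost, cookieDomain);
}

// Same rule, but a Domain that is itself a registry suffix is refused.
function suffixAwareAccepts(settingHost, cookieDomain) {
  if (SAMPLE_SUFFIXES.has(normalise(cookieDomain).slice(1))) return false;
  return legacyAccepts(settingHost, cookieDomain);
}

// Hosts that would receive the cookie once it is stored under this domain.
function recipients(cookieDomain, hosts) {
  return hosts.filter((h) => tailMatches(h, cookieDomain));
}

// Constructed host names for illustration.
const setter = "www.example.com.au";
const others = ["www.example.com.au", "shop.other.com.au", "www.example.com"];
for (const domain of [".example.com.au", ".com.au", ".microsoft.com"]) {
  console.log(domain,
    "legacy:", legacyAccepts(setter, domain),
    "suffix-aware:", suffixAwareAccepts(setter, domain),
    "sent to:", recipients(domain, others));
}
```

Under the legacy rule ".com.au" passes because it has two periods and tail-matches the setting host, so the cookie is then returned to unrelated ".com.au" sites.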



STATUS
Microsoft has confirmed that this is a bug in the Microsoft products that are listed at the beginning of this article. This bug was corrected in Internet Explorer 5.0.



MORE INFORMATION
The sending of unwanted cookies can cause problems with sites that impose strict security measures. Sites that use firewalls or ISAPI filters to check incoming request properties, such as the request header size or the cookie length, may reject requests containing these unexpected cookies.

To reproduce this problem, add the following code to an Active Server Pages (ASP) page on an Internet Information Server (IIS) Web server.

    Response.Cookies("ckGeneric") = "CookieBody"
    Response.Cookies("ckGeneric").Expires = "2001/12/31"
    Response.Cookies("ckGeneric").Domain = ".com.au"
    Response.Cookies("ckGeneric").Path = "/"

Access this page from a browser using a fully qualified domain name that includes the ".com.au" suffix. The cookie will be set on your machine (you can check this in the folder that stores the cookies on your browser and operating system).

Start a network trace on your machine and access any site ending in the ".com.au" suffix. You will notice in the HTTP request header that the ckGeneric cookie is being sent in every request.

Additional query words: cookies international internet explorer

Keywords: kbbug kbfix kbie500fix KB217043


© Microsoft Corporation. All rights reserved.