
I'm setting a cookie with an expiration date via ASP.NET using code similar to this

// 'persist' is a bool passed in to the method as a parameter; it is used both as the
// ticket's isPersistent flag and to decide whether the cookie gets an expiration date
System.Web.Security.FormsAuthenticationTicket ticket = new System.Web.Security.FormsAuthenticationTicket(
    1, uname, DateTime.UtcNow, DateTime.UtcNow.AddDays(30), persist, "some custom string data here");

string encrypted_ticket = System.Web.Security.FormsAuthentication.Encrypt(ticket);

HttpCookie auth_cookie = new HttpCookie(System.Web.Security.FormsAuthentication.FormsCookieName, encrypted_ticket);
auth_cookie.HttpOnly = true;

if (persist)
{
    auth_cookie.Expires = DateTime.UtcNow.AddDays(30);
}
auth_cookie.Domain = ".mydomainname.com";
Response.Cookies.Set(auth_cookie);

I am additionally setting another cookie in the same request to persist some other data, then I redirect to another page.

The following headers come through on the response:

HTTP/1.1 302 Found
Location: /redirect_to_this_page
Set-Cookie:.myAuthCookie=TRUNCATED_ENCRYPTED_DATA_FOR_READABILITY; domain=.mydomainname.com; expires=Sun, 27-Nov-2011 20:27:16 GMT; path=/; HttpOnly
Set-Cookie:__MyOtherCookie=; domain=full.mydomainname.com; expires=Thu, 28-Oct-2010 20:27:24 GMT; path=/; HttpOnly

On the request for /redirect_to_this_page, I don't see the cookie header being sent for some reason.

Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Cache-Control:max-age=0
Connection:keep-alive
Cookie:__utma=113888769.1619895090.1322774580.1322774580.1322774580.1; __utmb=113888769.5.8.1322774827282; __utmc=113888769; __utmz=113888769.1319833259.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=
Host:full.mydomainname.com
Referer:http://full.mydomainname.com/referring_page_that_set_cookies
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2

Any ideas on how to solve this issue? The __MyOtherCookie gets set on every request.

Thanks
Mustafa


EDIT

Some discoveries: IE9 works properly. Chrome does not set the cookie after getting the Set-Cookie header if it has an expiration date.

So if I send the cookie without an expiration (so it gets treated like a session cookie by the browser, killed when the browser is closed), the cookie is always set properly and all requests contain the correct cookie.

In the words of Jon Stewart.... Whaaa?

Mustafa Shabib

5 Answers

We had the same issue with Chrome (version 21.0.1180). Although we could see the expiration date in the header, some Chrome installs on Windows XP ignored it. Once we removed the expiration date, Chrome kept the session cookie without problems.

ЯegDwight

We had similar symptoms when moving our code from one server to another. Our login would set an expiring cookie on a redirect when login was successful. On the new server Firefox worked fine but Chrome and Safari failed (I didn't try IE). All worked on the old server. After comparing the headers/responses of the two cases, I discovered the server time on the new server was set so that the time provided in the cookie expiration had already passed when the cookie was set!

We were serving stale cookies.

Setting the time properly on the new server made it work.

Assumption: FF works because it compares the expiration timestamp with the response header's Date: value - the other two must use the local machine's OS time?

John Y.

We had the same symptoms. It turned out that IIS was returning the wrong date in the HTTP Date header to the browser even though the date/time was set correctly on the server. IISRESET didn't help; it took a full server reboot to fix it.

Update: or use this method to reset the date: https://serverfault.com/a/217348

user281806
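The diagnosis in the two answers above (an expires value already in the past relative to the server's clock or its Date header) can be checked straight from the raw response. This is an added example, not code from the question or any answer; the response text is constructed after the question's headers, with a Date header deliberately set a month ahead of real time to reproduce the wrong-server-clock case.

```python
from datetime import datetime, timezone

# Date formats seen on this page: RFC 1123 (Date header) and the hyphenated
# RFC 850 style that the cookie's expires attribute uses.
_DATE_FORMATS = ("%a, %d %b %Y %H:%M:%S GMT", "%a, %d-%b-%Y %H:%M:%S GMT")

# Constructed sample modelled on the question's headers; the Date header is
# deliberately a month ahead of the real time (28 Oct 2011) to show the stale case.
SAMPLE_RESPONSE = """HTTP/1.1 302 Found
Date: Mon, 28 Nov 2011 20:27:16 GMT
Location: /redirect_to_this_page
Set-Cookie: .myAuthCookie=ENCRYPTED; domain=.mydomainname.com; expires=Sun, 27-Nov-2011 20:27:16 GMT; path=/; HttpOnly
Set-Cookie: __MyOtherCookie=; domain=full.mydomainname.com; expires=Thu, 28-Oct-2010 20:27:24 GMT; path=/; HttpOnly
"""


def parse_http_date(text):
    """Return an aware UTC datetime, or None if the text matches neither format."""
    for fmt in _DATE_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def check_cookie_expiry(raw_response, now_http_date):
    """Flag each Set-Cookie whose expires is not in the future, judged both against the
    server's Date header (a browser that trusts Date) and against the client's clock."""
    now = parse_http_date(now_http_date)
    headers = [(n.strip().lower(), v.strip()) for n, v in
               (line.split(":", 1) for line in raw_response.splitlines()[1:] if ":" in line)]
    server_date = next((parse_http_date(v) for n, v in headers if n == "date"), None)
    report = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        pair, *attrs = (p.strip() for p in value.split(";"))  # name=value, then attributes
        expires = None
        for attr in attrs:
            key, _, val = attr.partition("=")
            if key.strip().lower() == "expires":
                expires = parse_http_date(val)
        report.append({
            "name": pair.split("=", 1)[0],
            "expires": expires.isoformat() if expires else None,  # None means session cookie
            "stale_vs_server_date": bool(expires and server_date and expires <= server_date),
            "stale_vs_local_clock": bool(expires and now and expires <= now),
        })
    return report
```

Running `check_cookie_expiry(SAMPLE_RESPONSE, "Fri, 28 Oct 2011 20:27:16 GMT")` flags .myAuthCookie as stale only against the server's Date header, which is exactly the Firefox-versus-Chrome split John Y. describes; the deletion cookie __MyOtherCookie is stale either way.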

Remove domain from your custom cookie and try again.

If you want to use a cookie across all subdomains, the domain name in the cookie must match the domain with a dot at the beginning. Looking at your headers, it doesn't match:

Server response has:

full.mydomainname.com

request has:

full.mydomain.com

Or maybe it has something to do with that Safari bug: Safari doesn't set Cookie but IE / FF does

T W
  • Unfortunately that won't work for us - we need to bind the cookies to the current site domain. – Mustafa Shabib Oct 28 '11 at 21:00
  • domain or subdomain? http://stackoverflow.com/questions/108558/cookies-and-subdomains – T W Oct 28 '11 at 21:10
  • The auth cookie must be bound to the domain (.mydomain.com) and the second cookie must be bound to the subdomain (full.mydomain.com) – Mustafa Shabib Oct 28 '11 at 21:16
  • My bad - in cleaning up the headers to make them more generic/readable, I screwed up the domain names. I've corrected it and can assure you that in reality, the domains are correctly set up. – Mustafa Shabib Oct 28 '11 at 21:20

Why are you using a dot as the cookie name prefix for ".myAuthCookie"? As per the RFC it is treated as a separator.

phil pirozhkov
  • I don't see where it says you cannot use a period in the cookie name - there is no reason as to why we used that name, though; we were just following the convention set by the default forms auth cookie name that ASP.NET uses (.aspxauth). – Mustafa Shabib Nov 07 '11 at 15:47