
We have multiple copies of a web-app that is deployed on multiple paths on the same domain.
Example:

Each instance maintains a set of cookies, each of which defines its path as "/" + .getWebDirRoot(), i.e. /abc, /xyz, /abc123

When performing the following flow:

The last step fails since IE sends us the incorrect cookie - it sends the one for http://mydomain.com/abc instead of the one for http://mydomain.com/abc123

This does not happen in Firefox. (And I haven't tried any other browser.)

Is this a known behavior of IE (I tested IE9 and IE8)?
Is there a way to overcome it (in a programmatic manner)?

Note: Just to clarify, this does not happen when switching from http://mydomain.com/abc to http://mydomain.com/xyz - the behavior is strictly restricted to flows where currentUrl.startswith(urlAssociatedWithCookie) == true

I checked the behavior using Fiddler - I clearly see the HTTP request for abc123 sent with the value of the cookie belonging to abc.

I also checked the cookies in Firefox and they are as expected - one created per path.


1 Answer


After investigating for more than a day and looking everywhere for a specification of IE's behaviour I came up with nothing - apart from the understanding that when IE sees a cookie from domain xyz and path abc, it will send it on any request sent to any URL starting with the same domain and path, e.g. `http://xyz/abc123`.

So eventually what I did was change my cookie creation, and instead of:

Name: mycookie
Path: /abc

I now create the following:

Name: mycookie
Path: /abc/

This solved the problem with no ricochets - the cookie is saved successfully on the client and the correct cookie is always sent to the server.


Note: I checked the RFC for HTTP Cookies and found this:

A request-path path-matches a given cookie-path if at least one of
the following conditions holds:

o The cookie-path and the request-path are identical.

o The cookie-path is a prefix of the request-path, and the last character of the cookie-path is %x2F ("/").

o The cookie-path is a prefix of the request-path, and the first character of the request-path that is not included in the cookie-path is a %x2F ("/") character.

The scenario that should have applied here is the 3rd, but it looks like IE does not comply with the RFC on this case ...

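To make the answer's reasoning concrete, here is an added example (not code from the original post) that implements the RFC 6265 section 5.1.4 path-match rules quoted above, places the looser prefix-only rule the answer observed in IE8/IE9 beside it, and runs both against a constructed cookie jar with one cookie per deployed instance, with and without the trailing slash. The cookie names, paths and values are assumed for illustration.

```python
# Added example: RFC 6265 path matching vs. plain prefix matching, and why a
# trailing slash on the cookie path keeps sibling deployments (/abc, /abc123) apart.

def rfc6265_path_match(cookie_path: str, request_path: str) -> bool:
    """True if request_path path-matches cookie_path per RFC 6265 section 5.1.4."""
    if cookie_path == request_path:                      # condition 1
        return True
    if not request_path.startswith(cookie_path):         # prefix required by 2 and 3
        return False
    if cookie_path.endswith("/"):                        # condition 2
        return True
    # condition 3: the first request-path char beyond the cookie-path must be "/"
    return request_path[len(cookie_path)] == "/"


def legacy_prefix_match(cookie_path: str, request_path: str) -> bool:
    """The looser rule the answer observed in IE8/IE9: any string prefix counts."""
    return request_path.startswith(cookie_path)


def cookies_sent(jar, request_path, matcher):
    """Return (path, value) of every cookie in jar that `matcher` would attach to
    a request for request_path, longest path first (RFC 6265 section 5.4 step 2)."""
    hits = [c for c in jar if matcher(c[1], request_path)]
    hits.sort(key=lambda c: len(c[1]), reverse=True)
    return [(path, value) for _name, path, value in hits]


# Constructed jar: one cookie per instance, paths built as "/" + web dir root.
JAR_NO_SLASH = [
    ("mycookie", "/abc", "session-for-abc"),
    ("mycookie", "/xyz", "session-for-xyz"),
    ("mycookie", "/abc123", "session-for-abc123"),
]
# The answer's fix: the same cookies with a trailing slash on every path.
JAR_WITH_SLASH = [(n, p + "/", v) for n, p, v in JAR_NO_SLASH]


if __name__ == "__main__":
    req = "/abc123/login"
    print("RFC, no slash:   ", cookies_sent(JAR_NO_SLASH, req, rfc6265_path_match))
    print("prefix, no slash:", cookies_sent(JAR_NO_SLASH, req, legacy_prefix_match))
    print("prefix, slash:   ", cookies_sent(JAR_WITH_SLASH, req, legacy_prefix_match))
```

Under the prefix rule the un-slashed jar attaches two cookies named mycookie to a request for /abc123/login, which is the ambiguity the question describes; the slashed jar attaches only the /abc123/ one under either rule. Note the trade-off the slashed form introduces: a request for exactly /abc123 (no trailing slash) matches neither rule, so the instance has to be reached via /abc123/ or redirect to it.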
  • Thanks for a thorough investigation. Knowing this will probably save me much drama in the future. – Lachlan McDonald Nov 30 '11 at 06:19
  • The same happened to me (and I reached the same conclusion). Thanks for saving me the time to find the spec and the description of the bug in IE! – helios Jan 12 '12 at 11:13
  • For everybody deploying on Apache Tomcat: Starting with Tomcat7 Tomcat automatically adds a trailing slash ("/") to the cookie path to avoid this problem. You can disable this feature in your `context.xml` by setting `sessionCookiePathUsesTrailingSlash=false` (see http://tomcat.apache.org/tomcat-7.0-doc/config/context.html) – Stefan Haberl Mar 12 '13 at 12:16
  • This appears to be fixed in IE11, if you happen to still care! – sparrowt Nov 03 '17 at 15:56
  • @sparrowt - not even remotely :) – RonK Nov 06 '17 at 21:02