FIX: FIX: Cookies Can Be Set for Generic Domain NamesID: Q217043
|
Web sites with a country suffix may be sent unwanted cookies from the client browser.
When you set cookies, the domain name should contain at least two periods and match the domain name of the server setting the cookie. This way an organization can set cookies for its company only, for example, ".microsoft.com". Many browsers, including all versions of Internet Explorer prior to 5.0 do not account for a country suffix. This allows the setting of cookies for generic domain names such as ".com.au" or ".co.uk".
Microsoft has confirmed this to be a bug in the Microsoft products listed
at the beginning of this article.
This bug was corrected in Internet Explorer 5.0.
The sending of unwanted cookies can cause problems with sites that impose strict security measures. Sites that use firewalls or ISAPI filters to check incoming request properties, such as the request header size or the cookie length, may reject requests containing these unexpected cookies.
To reproduce this problem add the following code to an Active Server Pages (ASP) page on an Internet Information Server (IIS) Web server.
Response.Cookies("ckGeneric") = "CookieBody"
Response.Cookies("ckGeneric").Expires = "2001/12/31"
Response.Cookies("ckGeneric").Domain = ".com.au"
Response.Cookies("ckGeneric").Path = "/"
Access this page from a browser using a fully qualified domain name that includes the ".com.au" suffix. The cookie will be set on your machine (you can check this in the folder that stores the cookies on your browser and operating system). Start a network trace on your machine and access any site ending in the ".com.au" suffix. You will notice in the HTTP request header that the ckGeneric cookie is being sent in every request.
Additional query words: cookies international internet explorer
Keywords : kbIE301bug kbIE400bug kbIE401bug kbInternet kbIE302bug kbIE401sp1bug kbGrpInet kbIE500fix
Version : WINDOWS:2.0,2.01,2.1,3.0,3.01,3.02,4.0,4.01,4.01 SP1
Platform : WINDOWS
Issue type : kbbug
Last Reviewed: June 16, 1999