FIX: Cookies Can Be Set for Generic Domain Names

ID: Q217043


The information in this article applies to:


SYMPTOMS

Web sites with a country suffix may be sent unwanted cookies from the client browser.


CAUSE

When you set cookies, the domain name should contain at least two periods and match the domain name of the server setting the cookie. This way, an organization can set cookies for its own domain only, for example, ".microsoft.com". Many browsers, including all versions of Internet Explorer prior to 5.0, do not account for a country suffix. This allows the setting of cookies for generic domain names such as ".com.au" or ".co.uk".


STATUS

Microsoft has confirmed this to be a bug in the Microsoft products listed at the beginning of this article.
This bug was corrected in Internet Explorer 5.0.


MORE INFORMATION

The sending of unwanted cookies can cause problems with sites that impose strict security measures. Sites that use firewalls or ISAPI filters to check incoming request properties, such as the request header size or the cookie length, may reject requests containing these unexpected cookies.

To reproduce this problem, add the following code to an Active Server Pages (ASP) page on an Internet Information Server (IIS) Web server:


<%
' Set a cookie scoped to the generic ".com.au" suffix instead of this site's own domain.
Response.Cookies("ckGeneric") = "CookieBody"
Response.Cookies("ckGeneric").Expires = "2001/12/31"
Response.Cookies("ckGeneric").Domain = ".com.au"
Response.Cookies("ckGeneric").Path = "/"
%>

Access this page from a browser using a fully qualified domain name that includes the ".com.au" suffix. The cookie will be set on your machine (you can check this in the folder that stores the cookies on your browser and operating system). Start a network trace on your machine and access any site ending in the ".com.au" suffix. You will notice in the HTTP request header that the ckGeneric cookie is being sent in every request.
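
The rule described under CAUSE can be written as a small acceptance check, shown here next to a version that also refuses generic suffixes. This JavaScript is an added example, not code from the original article or from Internet Explorer; the host names, function names and the short GENERIC_SUFFIXES set are constructed for illustration, and a production check would load a complete list such as the Public Suffix List.

```javascript
// Constructed sample of registry-controlled suffixes (assumption: a real
// check would load a complete list such as the Public Suffix List).
const GENERIC_SUFFIXES = new Set(["com", "com.au", "co.uk", "au", "uk"]);

// Normalise a host or Domain attribute: lower-case, drop one leading dot.
function normalise(name) {
  const n = name.trim().toLowerCase();
  return n.startsWith(".") ? n.slice(1) : n;
}

// True when host equals domain or ends with "." + domain (tail match).
function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// The rule as stated in CAUSE: at least two periods in the Domain value
// (leading dot included) and a tail match against the serving host.
function naiveAccept(requestHost, cookieDomain) {
  const periods = (cookieDomain.match(/\./g) || []).length;
  return periods >= 2 &&
    domainMatches(normalise(requestHost), normalise(cookieDomain));
}

// Same rule plus the missing step: refuse a Domain that is itself a
// generic suffix, so the cookie cannot span unrelated organisations.
function suffixAwareAccept(requestHost, cookieDomain) {
  if (GENERIC_SUFFIXES.has(normalise(cookieDomain))) return false;
  return naiveAccept(requestHost, cookieDomain);
}

// Constructed cases: [serving host, Domain attribute from the response].
const cases = [
  ["www.example.com.au", ".com.au"],
  ["www.example.com.au", ".example.com.au"],
  ["www.example.co.uk", ".co.uk"],
  ["www.microsoft.com", ".microsoft.com"],
  ["www.example.com.au", ".other.com.au"],
];
for (const [host, domain] of cases) {
  console.log(host, domain,
    "naive:", naiveAccept(host, domain),
    "suffix-aware:", suffixAwareAccept(host, domain));
}
```

The ".com.au" and ".co.uk" cases pass the two-period rule but are rejected once the suffix check is added, while an organization's own domain is accepted by both.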

Additional query words: cookies international internet explorer


Keywords          : kbIE301bug kbIE400bug kbIE401bug kbInternet kbIE302bug kbIE401sp1bug kbGrpInet kbIE500fix 
Version           : WINDOWS:2.0,2.01,2.1,3.0,3.01,3.02,4.0,4.01,4.01 SP1
Platform          : WINDOWS 
Issue type        : kbbug 

Last Reviewed: June 16, 1999