[Catalyst] Session problems with IE and cookies

Michael Alan Dorman mdorman at tendentious.org
Thu Mar 1 12:11:18 GMT 2007


On Wed, 28 Feb 2007 15:31:39 +0200
"Octavian Rasnita" <orasnita at gmail.com> wrote:

> I have created a site using Catalyst, and I access it with IE, but I
> can log in with no issues.
> However, 2 customers told me that they can log in on the site from one
> location, but they cannot do it from their work place.
> I don't know, but it might be the same bug, since after the login,
> the program is making an external redirection, and the cookies are
> used...
> 
> Anyway, if somebody finds what the problem is, please write to the
> list.

I have seen this problem.  I finally fixed it for my application late
last year, after an embarrassingly long time. In my application the
sequence of events was:

 * user goes to main site, foo.org

 * user is issued a cookie, from foo.org

 * user submits form, is redirected to bar.foo.org

 * user is issued another cookie, from bar.foo.org

 * IE begins sending both cookies to bar.foo.org.

Depending on which cookie appears last, one or the other will be
"active"; if it's the one from foo.org instead of bar.foo.org,
typically you lose, because the session ID isn't known to bar.foo.org.

I thought I was giving the right domain= values to make sure that
didn't happen; I can't tell if the problem stems from me being too
stupid to read the cookie spec right, or the IE team.  It's not a spec
that, in my opinion, is without some ambiguity.

Anyway, the situation appeared intermittently for years.  I finally got
a trace from a single client on all hosts involved that let me see where
the "mystery key" that was confusing bar.foo.org originated.

The solution I eventually adopted was to also delete the session cookie
for foo.org at the same time as I did the external redirect to
bar.foo.org. I haven't heard of the issue popping up again since.

Mike.
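
The collision described in the message above, as an added example that is not part of the original post and is not Catalyst code: it parses a Cookie header carrying two same-named cookies, shows how a last-wins lookup loses the session, and builds the redirect response that also expires the parent host's cookie. It goes one step beyond the fix in the message by also showing a server-side lookup that tolerates the duplicate. The cookie name `session`, the sample values and all function names are assumptions.

```python
from email.utils import formatdate

# Constructed sample Cookie headers as bar.foo.org might receive them.
# "parent111" was issued by foo.org, "child222" by bar.foo.org.
CHILD_LAST = "session=parent111; session=child222"
PARENT_LAST = "session=child222; session=parent111"
KNOWN_TO_BAR = {"child222"}  # session IDs in bar.foo.org's store (constructed)

def parse_cookie_header(header):
    """Return every name=value pair of a Cookie header, duplicates kept in order."""
    pairs = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            pairs.append((name, value))
    return pairs

def last_wins(header, name):
    """Naive lookup: a later pair with the same name overwrites the earlier one."""
    return dict(parse_cookie_header(header)).get(name)

def pick_session(header, name, known_ids):
    """Return (session_id, collided): the first value this host's store knows,
    and whether the cookie name arrived more than once (worth logging)."""
    values = [v for n, v in parse_cookie_header(header) if n == name]
    valid = [v for v in values if v in known_ids]
    return (valid[0] if valid else None), len(values) > 1

def redirect_with_cleanup(location, name, path="/", domain=None):
    """Status and headers for the redirect sent by the parent host, expiring its
    own session cookie. Path and Domain must match how the cookie was set;
    leave domain=None if it was set without a Domain attribute."""
    cookie = f"{name}=; Path={path}; Expires={formatdate(0, usegmt=True)}"
    if domain:
        cookie += f"; Domain={domain}"
    return 302, [("Location", location), ("Set-Cookie", cookie)]

if __name__ == "__main__":
    for header in (CHILD_LAST, PARENT_LAST):
        naive = last_wins(header, "session")
        print(header, "| last-wins:", naive, "known:", naive in KNOWN_TO_BAR,
              "| tolerant:", pick_session(header, "session", KNOWN_TO_BAR))
    print(redirect_with_cleanup("http://bar.foo.org/", "session"))
```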


