I have a strange bug that occurs in IE7/XP and IE8/Vista on my website. IE sends two cookies named PHPSESSID.
How to reproduce:
Clear cookies in IE (not necessary if you never visited unisender.com).
Visit unisender.com (exactly without www to reproduce!) and it will redirect to www.unisender.com
Login with any valid username and password (I've registered username testmsdn with password testmsdn - feel free to use for testing)
Run your favourite capture-the-traffic program (I prefer wireshark)
Now click any menu link (e.g. "messages")
Look at captured traffic - you will see that IE sends double PHPSESSID cookie (and you are logged out after click because of this). It seems like first PHPSESSID is from unisender.com and second from www.unisender.com.
Captured sample:
GET /en/letter_list HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, */*
Referer: http://www.unisender.com/en/intro
Accept-Language: ru
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.21022; .NET CLR 3.5.30729; FDM; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.unisender.com
Connection: Keep-Alive
Cookie: authchallenge=3a9cfcfc9fe33822e3e21d75c8a3d3e4; PHPSESSID=14ea1cb133632951592397c86eaf037e; us_reg_ref=unknown; us_reg_url=http%3A%2F%2Funisender.com%2F; __utma=1.778517853.1271204400.1271204400.1271204400.1; __utmb=1.3.10.1271204400; __utmc=1; __utmz=1.1271204400.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=65e110aeb995a66b9dc8da5656c7a3da; last_login_name=testmsdn
I've tried to use session and non-session cookies, tried to use .unisender.com instead of unisender.com for cookie - nothing helps.
I suppose there should not be cookies with same name.
Am I right? Is it a bug in IE? If it's a bug then is there a workaround?
Or am I wrong and it's an expected behavior?
This is by-design.
You should either not send a cookie for the "www-less" version of your site, or both versions of your site should set the "domain=example.com" attribute on the PHP session cookie.
Otherwise, these cookies are not actually the same, and hence you'll be sent two. http://blogs.msdn.com/ieinternals/archive/2009/08/20/WinINET-IE-Cookie-Internals-FAQ.aspx
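As an added illustration (not code from the question or the answer), this Python snippet does two things: it parses the Cookie header captured above without collapsing duplicate names, so a server-side log check can flag the two PHPSESSID values, and it builds the single Domain-scoped Set-Cookie header the answer recommends. The HttpOnly/Secure attributes and the function names are my own additions; PHP itself would do this with session_set_cookie_params() before session_start().

```python
from collections import defaultdict

# Constructed from the Cookie header captured in the question (values as posted there).
CAPTURED_COOKIE_HEADER = (
    "authchallenge=3a9cfcfc9fe33822e3e21d75c8a3d3e4; "
    "PHPSESSID=14ea1cb133632951592397c86eaf037e; us_reg_ref=unknown; "
    "us_reg_url=http%3A%2F%2Funisender.com%2F; "
    "__utma=1.778517853.1271204400.1271204400.1271204400.1; "
    "__utmb=1.3.10.1271204400; __utmc=1; "
    "__utmz=1.1271204400.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); "
    "PHPSESSID=65e110aeb995a66b9dc8da5656c7a3da; last_login_name=testmsdn"
)


def parse_cookie_header(header):
    """Split a Cookie request header into (name, value) pairs, keeping duplicates.
    http.cookies.SimpleCookie keeps only one value per name, which is exactly
    what hides this problem, so the split is done by hand."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        # partition on the first '=' only: values like __utmz contain '=' themselves
        name, sep, value = part.partition("=")
        pairs.append((name.strip(), value if sep else ""))
    return pairs


def find_duplicate_cookies(header):
    """Return {name: [values...]} for every cookie name sent more than once."""
    seen = defaultdict(list)
    for name, value in parse_cookie_header(header):
        seen[name].append(value)
    return {name: values for name, values in seen.items() if len(values) > 1}


def session_set_cookie(session_id, domain, secure=False):
    """Build the Set-Cookie header the answer recommends: one session cookie with a
    Domain attribute, so www and non-www share a single cookie instead of each
    setting its own. HttpOnly/Secure are hardening extras, not from the answer."""
    attrs = [f"PHPSESSID={session_id}", f"Domain={domain}", "Path=/", "HttpOnly"]
    if secure:
        attrs.append("Secure")
    return "; ".join(attrs)


if __name__ == "__main__":
    for name, values in find_duplicate_cookies(CAPTURED_COOKIE_HEADER).items():
        print(f"{name} sent {len(values)} times: {values}")
```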