CGI Cookie Problems

michellem has asked for the wisdom of the Perl Monks concerning the following question:

Hi fellow monks,

I have an odd problem, that has been bothering me for a while. I have a fairly complex web database system, with authentication. There is a single program which takes username and password, and then checks authentication (via a database), and, if OK, sets a cookie. Other programs in the suite read the cookie. This works just fine in most browser/OS combinations. But, for some odd reason, in some situations, mostly with Win 98, the cookies just don't get read, and wierd stuff happens with the browsers.

Mostly, people just can't login. Sometimes, the browser hangs.Another browser that doesn't seem to like the cookies is the new Safari browser for Mac OS X. Also, galeon on linux sometimes retains a cookie that I've tried to delete (the log out function.

I'm using the standard CGI cookie, the login and check code is below. What am I missing? Are there known issues with the CGI cookie function? Or with perl cookies?

Thanks for any advice!!

Setting cookies:

if (($user)&&($passcheck)) {
       my $cookie = cookie(-domain=>"$meta_configs{xina_domain}",
                           -name=>"$meta_configs{login_cookie_name}",
                           -value=>"$login_id",
                           -path=>"$meta_configs{login_cookie_path}",
                           -expires=>"$meta_configs{login_cookie_expir
+ation}");
       print header(-cookie=>[$cookie]); # cookie set
[download]

Checking Cookies:

$login_id = cookie("$meta_configs{login_cookie_name}");
[download]

Logging out:

 my $cookie = cookie(-domain=>"$meta_configs{xina_domain}",
                        -name=>"$meta_configs{login_cookie_name}",
                           -value=>"$old_cookie{value}",
                           -path=>"$meta_configs{login_cookie_path}",
                           -expires=>"0");
    print header(-cookie=>[$cookie]);
[download]

Comment on CGI Cookie Problems Select or Download Code

Replies are listed 'Best First'.
Re: CGI Cookie Problems by Aristotle (Chancellor) on Jan 23, 2003 at 22:39 UTC
I would suggest you read merlyn's column on cookie management - it's the best advice on how to employ cookies I've yet to see. Basically, you shouldn't rely on the user agent for any of your authentication system's tasks, just use a cookie to uniquely identify a browser, then use its ID to look up the session data in whichever form of serverside storage you choose. Makeshifts last the longest.	[reply]
Re: Re: CGI Cookie Problems by Anonymous Monk on Jan 23, 2003 at 23:53 UTC
I completely agree. Where I work I found out that many users were copying the cookies, and renaming them, from a users workstation who had access to a particular in-house web site. They were having trouble logging in to the web page so they just raided the cookie jar. Turned out none of them had ever requested access. Cost money and patience to call the help desk and request an ID/password! Thinking cookies are good security practice is like thinking your cookie jar is safe from your kids. They'll always get into them.	[reply]
Re: Re: CGI Cookie Problems by michellem (Friar) on Jan 24, 2003 at 02:33 UTC
That's a great link - thanks - I think it's a great strategy that I'll probably use on the next version of the application. BTW, my code does allow for short cookie expiration times (like just for the session). However, this strategy doesn't solve my problem, sadly. If, for some reason, the application can't either write the cookie, or read the cookie, it kinda doesn't matter what the cookie is. The problem remains.	[reply]
Re^3: CGI Cookie Problems by Aristotle (Chancellor) on Jan 24, 2003 at 03:10 UTC
Sorry, I should've mentioned I don't know what might help you, and was just giving some general advice. FWIW, I've heard of some versions of IE caching pages including headers, leading to strange behaviour with cookies. To see if you suffer from caching woes, you can try the following snippet which I've filed away under `overthetop_anticache.pl`: `use POSIX qw(strftime); print header( # date in the past -expires => 'Sat, 26 Jul 1997 05:00:00 GMT', # always modified -Last_Modified => strftime('%a, %d %b %Y %H:%M:%S GMT', gmtime), # HTTP/1.0 -Pragma => 'no-cache', # HTTP/1.1 -Cache_Control => join(', ', qw( no-store no-cache must-revalidate post-check=0 pre-check=0 )), );` [download] Update: fixed date as per davis. Makeshifts last the longest.	[reply] [d/l]
Re: Re^3: CGI Cookie Problems by davis (Vicar) on Jan 24, 2003 at 09:40 UTC
Re^5: CGI Cookie Problems by Aristotle (Chancellor) on Jan 24, 2003 at 09:45 UTC
Re: CGI Cookie Problems by pg (Canon) on Jan 24, 2003 at 04:38 UTC
I am recently working on some cookie related stuff, and made a small tool for myself. maybe it would help you in some way. This tool captures html packets, and is capable to extra Set-Cookies. To use it just make your browser point to this script as a proxy: localhost, 8080. This script requires one parameter to specify action, "r" for recording, and "d" for extract cookies. You can add more function, actually I just started with it yesterday, and will add more functions, if you are interested, I can send you a new version next week, or I can post it somewhere on perlmonks. browser(user agent) <==> script <==> server use IO::Socket::INET; use strict; my $action = $ARGV[0]; my $old_cookies = {}; my $new_cookies = {}; my $client = new IO::Socket::INET(Proto => "tcp", LocalPort => 8080, Listen => 10, Reuse => 1, Timeout => 2000) \|\| die "failed"; if ($action eq "r") { while (1) { my $c = $client->accept(); my $request = get_request($c); logmsg($request."\n"); my $response = get_response($request); logmsg($response."\n"); print $c $response; close($c); } } if ($action eq "d") { my $request_file; open($request_file, "<", "result"); while (<$request_file>) { get_cookie($_, $old_cookies); } close($request_file); } sub get_response { my ($request, $new_cookies) = @_; my $s = new IO::Socket::INET(Proto => "tcp", PeerPort => 8080, PeerAddr => "yourrealproxy")#set this + to your real proxy \|\| die "failed to connect to ofg\n"; print $s $request; my $response = ""; my $piece; while (1) { sysread($s, $piece, 1000); $response .= $piece; last if ($piece eq ""); }; close($s); my @lines = split(/\r\n\r\n/, $response); @lines = split(/\r\n/, $lines[0]); foreach my $line (@lines) { get_cookie($line, $new_cookies); } return $response; } sub get_request { my $c = shift; my $piece; my $request = ""; do { sysread($c, $piece, 1000); $request .= $piece; } until ($request =~ m/\r\n\r\n$/); return $request; } sub get_request_from_file { my ($request_file, $old_cookies) = @_; my $request = ""; my $found = 0; while (<$request_file>) { if (!$found) { if (m/^GET/) { $found = 1; $request .= $_; } else { get_cookie($_, $old_cookies); } } else { $request .= $_; last if (m/^\r\n$/); } } return $request; } sub logmsg { my $log = shift; my $result_file; open($result_file, ">>", "result"); print $result_file $log; close($result_file); } sub get_cookie { my ($response, $cookie_hash) = @_; $response =~ m/Set-Cookie:\s(.?)=(.*?)[;]/i; if ($1 && $2) { print "[$1, $2]\n"; $cookie_hash->{$1} = $2; } } [download]	[reply] [d/l]
Re: Re: CGI Cookie Problems by smitz (Chaplain) on Jan 24, 2003 at 09:01 UTC
If this isn't a candidate for Cool Uses for Perl, I dont what is. > if you are interested, I can send you a new version next week, or I can post it somewhere on perlmonks. Please do!	[reply]
Re: CGI Cookie Problems by Cody Pendant (Prior) on Jan 23, 2003 at 22:03 UTC
>Another browser that doesn't seem to like the cookies >is the new Safari browser for Mac OS X I don't know what the problem is, but I must say, the Safari people are actively seeking reporting of bugs. There's a big bug report button, top right, and they encourage you to use it for this kind of thing. -- “Every bit of code is either naturally related to the problem at hand, or else it's an accidental side effect of the fact that you happened to solve the problem using a digital computer.” M-J D	[reply]
Re: Re: CGI Cookie Problems by michellem (Friar) on Jan 24, 2003 at 02:40 UTC
Thanks - I did know about this - but I wanted to make sure it was thier bug and not my bug before I submitted it.	[reply]
Re: CGI Cookie Problems by Cody Pendant (Prior) on Jan 24, 2003 at 04:46 UTC
I've been playing with your code a little bit and I think what you need to do is run a test for exactly which values you're trying to set. A cookie can't be set if the domain is incorrect, for instance, so if you've got something accidentally weird appearing in your "$meta_configs{xina_domain}" then it will just be ignored by the browser. I mean it should be ignored by all browsers, but see above how you can't trust the browser anyway. Take your "domain" value out and the cookie will still be valid anyway, but, in general, check the values in those items is my next thought. -- “Every bit of code is either naturally related to the problem at hand, or else it's an accidental side effect of the fact that you happened to solve the problem using a digital computer.” M-J D	[reply]
Re: CGI Cookie Problems by Bilbo (Pilgrim) on Jan 24, 2003 at 11:07 UTC
I'm not sure if this is at all relevant, but a user of a site that I run has recently been having problems logging in using IE5 on Windows 98. When I investigated I found that when she entered her user name and password she was authenticated sucessfully and a session id was generated. This session id was sent as a cookie, but for some reason was not overwriting an old cookie (which contained a session id no longer in the database) with the new value. The only solution that I found was to delete the cookie. I assume that it had been corrupted in some way. Does anyone know if this is a common problem, and if there is anything one can do to avoid it when setting cookies?	[reply]
Re^2: CGI Cookie Problems by Aristotle (Chancellor) on Jan 24, 2003 at 17:27 UTC
Avoid Internet Explorer. `:^)` Ok, commence downvoting - I just had to voice my frustration with that unspeakable kind of thing. Sigh. Makeshifts last the longest.	[reply]


good chemistry is complicated, and a little bit messy -LW
	PerlMonks