Here is a small perl cookie test script. Put this cookietest.cgi in the same folder as manage_users.cgi. Access with browser and click the create button several times to see cookies created. Then repeat press the refresh button to see them expire after 20 seconds and disappear. This should show whether the problem is with your script, browser or server.

#!/usr/bin/perl
# cookietest.cgi
use strict;
use CGI ':standard';
use CGI::Cookie;
use Data::Dumper;
my $time = scalar localtime;

my $cookie;
if ( param('action') ){
  $cookie = new CGI::Cookie(
  -name    => (sprintf "TESTCOOKIE_%05d",rand(10000)), 
  -value   => $time,
  -expires => '+20s' );
  CGI::delete_all();
  print redirect( -cookie => $cookie );
}

my $JS =<<EOJ;
  function display_ct() {
    var x = new Date()
    document.getElementById('ct').innerHTML = x;
  }
EOJ

print header( -cookie => $cookie ),
start_html( -title => "cookietest.cgi", -script=>$JS, 
            -onLoad=>"display_ct();" ),
h2("Cookie Test"),
h3("Server time is : $time"),
h3("Client time is : <span id='ct' ></span>");

print start_form( -method => "POST" );
print submit("action","create cookie");
print submit("refresh","refresh");
print end_form;

my %cookie = CGI::Cookie->fetch;
my $count = keys %cookie;
print h3("There are $count cookies");
print pre( Dumper \%cookie ),end_html;
[download]

The redirect call threw me, i guess cuz it didnt have a text uri or a -uri=> section. So i ran it, and it all became clear. Ill remember that "trick" now.

Then in researching it http://perldoc.perl.org/CGI.html#GENERATING-A-REDIRECTION-HEADER i found "All names arguments recognized by header() are also recognized by redirect(). However, most HTTP headers, including those generated by -cookie and -target, are ignored by the browser.". but mine (firefox51) didnt ignore the -cookie => $cookie part.

However, most HTTP headers, including those generated by -cookie and -target, are ignored by the browser.". but mine (firefox51) didnt ignore the -cookie => $cookie part.

General statements like that may have been true more than 20 years ago when CGI.pm first appeared

The documentation is gigantic and not maintained , for anyone who wants to learn HTTP should learn from the RFC

First regarding the cookie with no name, read Re^4: Cookie->fetch problem near the bottom after "and note that if i run". you put it there once when you passed back a cookie without setting the name to CGISESSID, and you may keep doing it too.

clicked the button for the script and it showed no cookies.

Hi:

Thanks for observations and timely response. As for the "unknown" cookie, I am sure it is not of my origin and another "monk" suggested that my host is sending this back with each access. I have sent an email to their tech support asking this very question.

As for requesting a "secure" cookie. That was a potential problem. I copied my file with the cookie "try it" button code to my https directory and called https://www.jala-mi.org and it opened the index page there.

This was evidenced by the lack of the insecure login warning appearing from Firefox.

Clicking the "try it" button again returned the unknown cookie listing. Removing that cookie and clicking again returned no result. Try it yourself.

My logon consists of an insecure page with an iFrame which is supplied with and https delivered login form which I assume was secure.

The fact that the Firefox security warning appears suggest that the login form in the iframe is not secure.

I have posted a question on Firefox forum and they disagreed and said it was not secure. I am still disputing that.

Take note that the Firefox warning does not appear when opening the login page from rhe https location confirming that page was secure for my test.

Nonetheless, I think I have explored the avenue you suggested and this problem is not related to the secure path issue unless the fact that the path shown on the CGISESSID cookie: .www.jala-mi.org.

I looked at other cookies requiring a secure connection and the ones I looked at showed a path w/o the www as in .paypal.com .

Other unencrypted connections such as: www.paypal-community.com show the www with no dot in front of it as my cookie does. Perhaps there is something in the structure that is incorrect. I am not familiar with these issue to be able to render a judgment on this aspect.

I did a search on the module providing all the access and turned up no instances of ".www" as did the same search is all the files in the project.

As I said, I am at a loss. Below is code that sets cookie

sub SetUserSessionCookie
{    
    my ($sname,$sid) = @_;
    #use CGI qw/:standard/;
    #use CGI::Cookie;
    my $sessioncookie = new CGI::Cookie(-name=>$sname,-value=>$sid,-ex
+pires=>$session_cookie_timeout,-path=>'/cgi-bin',-domain=>$domain,-se
+cure=>1);
    print header(-Cookie=>[$sessioncookie],-type=>"text/html");
}
[download]

And the code calling the new cookie

       warn("Hash evaluation succeded - $passhash = $passhash1 : $sess
+iondata2 = $sessiondata2md5p");
       my $timein = time();
       $session->param('user_id',$uid);
       $session->param('username',$username);
       $session->param('forename', $forename);
       $session->param('lastname', $lastname);
       $session->param('timein', $timein);
       $session->param('timeout', 0);
       $session->param('attempts',0);
       $session->param('isloggedin',1);
       $session->expires('+7d');
#       Expires($session, Now() + (86400*7));
       AccessInOutLog($session); #Added 02/18/05
       my $isloggedin = $session->param('isloggedin');
       warn("Login User : SID '$sid'  Session Logged In  '$isloggedin'
+");
       $session->flush();

       #Set session cookie on client
       SetUserSessionCookie('CGISESSID', $sid);

       my $gmtimenow = gmtime(Now());
       my $localtimenow = localtime(Now());
       return 3;
    }
[download]

Nonetheless, I think I have explored the avenue you suggested and this problem is not related to the secure path issue unless the fact that the path shown on the CGISESSID cookie: .www.jala-mi.org.

Yes the extra dot could very well be the problem

since you seem to use firefox do you know of the web developer section under tools? open a new window, click tools-web developer-network. now enter https://www.jala-mi.org/httpsdocs/cgi-bin/manage_users.cgi?action=GetLoginForm into the address bar and press return. watch the fields get filled in in the network section. now click on the get manage_users.cgi?action=GetLoginForm line. new tabs open on the right. click on cookies. you can navigate your form in the top window, and look at the cookies sent and received in that window. A very interesting utility.

but i just figured out your problem with no cookies. it took me pasting the line here to see it. ill paste it again https://www.jala-mi.org/httpsdocs/cgi-bin/manage_users.cgi?action=GetLoginForm. look close, look closer, closer again. WHAT IS THE PATH to manage_users.cgi? does that look like /cgi-bin? no huh. that path is /httpsdocs/cgi-bin isnt it?

why you are linking to /httpsdocs/cgi-bin i cannot say. i notice that https://www.jala-mi.org/cgi-bin/manage_users.cgi?action=GetLoginForm give me a 404. but i can say that the path you are running the login form from IS NOT /cgi-bin like your set cookie of -path=>'/cgi-bin' is setting

Strange I just looked at the "invisible" CGISESSID cookie again and now the path is /cgi-bin but it still does not show up clicking the "try it" button on the form returned by https://www.jala-mi.org.

mia culpa, mia culpa

Cookie with no name solved. It was me with javascript on index.html

With this line commented out it takes you to ino page on cookies not enabled. Gone for now.

//**************************/
//  Check For Cookies Enabled
//**************************/

<script type="text/javascript">

document.cookie = "Cookie-Enabled?" <-- This is culprit-->

function CheckForCookieEnabledBrowser(){
  if ( document.cookie == "" )  {
<!--    var target = "http://" + location.hostname + "/jala_cookie_msg
+.htm"; <!-- http://www.whatarecookies.com/enable.asp/-->
//    alert("entered CheckForCookeEnabledBrowser = "  + document.cooki
+e );
    var target = "http://www.whatarecookies.com/enable.asp";      
    window.location.href=target;
  }
 else  {
//   alert(" cookies enabled - move on");
//   checkCookie();
  }
} 

</script>
[download]