chrispoole has asked for the wisdom of the Perl Monks concerning the following question:

I have a (CGI) login system (using htpasswd and cookies to track a session) that works fine with Moz (freebsd) and ie5 (win), but not lynx or ie6 and possibly others.. (doesn't set cookie, forcing user to re-login because it checks for cookie id to make sure server and client (cookie) id match).

Anyone had similar cookie strangeness? (I'm not using absolute urls, but that shouldn't affect it, should it?)

Chris

Replies are listed 'Best First'.
Re: Another cookie question..
by growlf (Pilgrim) on Apr 23, 2002 at 03:18 UTC
    Though at first glance this is not strictly a 'Perl' question, you might want to look at Apache-Htpasswd-1.5.3 and Apache-AuthCookie-3.00 for some better tools. Also, are you not using the CGI module? It has built-in cookie support that works well with most all browsers (as long as the browsers have cookies turned ON to begin with).

    I tend to lean towards (re)using code more than rolling my own. Call it ambitious laziness, but it also gets the job done faster, and frequently better.

    *G*

      Yep, I'm using the standard CGI module. Using its built-in cookie support. Maybe I should opt for a system that uses IP instead of cookies to track sessions? Tah
        No way, never do anything like that (I mean, tracking users by IP)! You cannot track users by IP because there can be several users from the same IP (proxy-firewall) or a single user using a different IP for every request (when he has multiple proxies he can use in a round-robin fashion).
        Cookie is the right way to go. I'm pretty sure you don't call your CGI function correctly, so your code produces a messed-up cookie string. Some code from your program would help to help you.

        $|=$_='1g2i1u1l2i4e2n0k',map{print"\7",chop;select$,,$,,$,,$_/7}m{..}g

Re: Another cookie question..
by JayBonci (Curate) on Apr 23, 2002 at 08:06 UTC
    Usually stuff like this is the fault of the computer at hand. In IE turn on cookie prompting and see if you get the prompt. Also clear out all of your cookies and try that again.

    What steps did you take to conclude that it isn't working with lynx and ie6? Not in the cookie dir? No prompt? etc. Have your page spit out all of the valid cookies for the domain. Is any fraction of it in there? Since you can't have IE5 and IE6 on the same machine at the same time, it strikes me that they may be separate machines. Also shift-refresh in IE to bypass the local cache (and you may want to add a quick localtime() statement to your page to make sure that it's changing). CGI debugging is kind of icky, but good luck with it.

        --jb
Re: Another cookie question..
by legLess (Hermit) on Apr 23, 2002 at 18:03 UTC

    Yes, IE6 drops cookies, and it's by design. Last I checked IE6 had about 20% of the web, and that's how many people are blocking most cookies by default. This is scary if your site depends on cookies. It doesn't appear to affect cookies set by JavaScript, although I haven't done enough testing to confirm this.

    I had an interesting time with this some months ago. IE6 is the first browser to have any implementation of the Platform for Privacy Preferences (P3P). In short, it's a machine-readable privacy policy implemented by a web site owner and placed on the site for browsers and other UAs to read. You can set up your UA to allow or deny certain actions by the site depending on their policies.

    Microsoft only implements part of the spec (surprise, surprise), although their documentation is pretty good. To set a cookie in IE6, therefore, you need to send a Compact Privacy Policy with your cookie. IE6 will read it and decide whether or not your cookie is acceptable. Our policy looks like this:

    CP="NON DSP COR IND PHY ONL PUR COM INT STA CUR OUR"

    There are a few tools that will help you build a policy, but they're first-generation and complicated. IBM has one that's free. There are other reference sites that might help, like P3PToolbox: these folks have a good list of policy generators.

    Sadly, Microsoft has thrown a few dirty flies in the ointment. IE6 does not strictly follow the W3C specification, nor does it comply with Microsoft's own documentation. I've checked this and it's true. The first policy I generated was syntactically valid and conformed to IE6's "acceptable" list, but it was rejected. Microsoft requires you to list the tokens in a specific order for IE6 to accept the policy. The guy who discovered this (or publicized it anyway) has a good online validator for compact policies.

    If you can get one of the tools to work for you - great. I decided to read the spec and come up with my own rather than learn a tool, and it works nicely. Good luck.


    --
    man with no legs, inc.
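
The two suggestions above (have the page report which cookies came back, and send a compact policy with the cookie) combined into one diagnostic CGI script. This is an added example, not code from the thread: the cookie name `session_id` and the `new_session_id` helper are assumptions, and it expects CGI.pm to be installed and `/dev/urandom` to exist on the server.

```perl
#!/usr/bin/perl
# Added example: set a session cookie together with a P3P compact policy
# and report what the browser actually sent back on this request.
use strict;
use warnings;
use CGI ();

my $q = CGI->new;

# Compact policy string quoted in the post above; use your own site's policy.
my $compact_policy = 'NON DSP COR IND PHY ONL PUR COM INT STA CUR OUR';

# Hypothetical helper: 128 bits from the OS random source, hex encoded,
# so the id cannot be guessed the way a counter or timestamp could.
sub new_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open urandom: $!";
    read($fh, my $bytes, 16) == 16 or die "short read from urandom";
    close $fh;
    return unpack 'H*', $bytes;
}

# Cookie the browser returned, if any ("session_id" is an assumed name).
my $returned   = $q->cookie('session_id');
my $session_id = defined $returned ? $returned : new_session_id();

my $cookie = $q->cookie(
    -name     => 'session_id',
    -value    => $session_id,
    -path     => '/',
    -httponly => 1,    # keep the session id away from page scripts
);

# -p3p makes CGI.pm emit a "P3P:" response header carrying the compact
# policy; CGI.pm also adds a policyref pointing at /w3c/p3p.xml.
print $q->header(
    -type   => 'text/plain',
    -cookie => $cookie,
    -p3p    => $compact_policy,
);

# The timestamp shows whether the page is fresh or served from a cache.
print "Generated at: ", scalar(localtime), "\n";
print defined $returned
    ? "session_id came back: the browser accepted the cookie\n"
    : "no session_id received: first visit, or the cookie was dropped\n";
print "Cookie names received: ", (join(', ', $q->cookie) || '(none)'), "\n";
```

Load the page twice in each browser: a second request that still reports no `session_id` means that browser rejected the cookie.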