The code runs on Apache, the next script doesn't pick up the cookie (and I wrote the next script so I know how it works), two different browsers with prompt for cookie acceptance turned on don't prompt. Does that count as enough third party testing?

1st party (server) asks that the cookie be set ->
2nd party (web browser) gets that request and either sets the cookie or not then gets redirected ->
3rd party (web server other cgi) asks for and gets the cookie if the 2nd party feels that the cookie should be sent.

Have you verified by looking at the header of the output of the 1st script directly that the cookie is in the header and well formed or not. Take the excess steps out of the loop and verify the simple question is the set cookie coming across in the header of the the first request. this reduces the amount of variables (did the browser for soem reason disregard the cookie? was the header malformed? is it a security scope problem? is your version of CGI.pm broked and not building the header correctly?)

It should look something like this:

et-Cookie: NAME=VALUE; expires=DATE;
path=PATH; domain=DOMAIN_NAME; secure
[download]



-Waswas

I am self-taught and don't always grok the terminology but I printed a text header prior to the execution of the snippet and got this:

login - approved
1000
/cgi-bin/hs/assessment_recs.pl
HTTP/1.1 302 Moved
Server: Microsoft-IIS/4.0
Status: 302 Moved
Set-Cookie: hs_ident=1000; path=/
Date: Wed, 06 Aug 2003 20:25:36 GMT
Location: http://192.168.9.9/cgi-bin/hs/assessment_recs.pl
[download]

g_White