Weirrd Cookie Problems

batkins has asked for the wisdom of the Perl Monks concerning the following question:

I'm having very strange cookie problems with one of my sites. I can log on fine from IE, Opera, and Mozilla, but only IE seems to accept my cookie. I have no idea why this is happening. It's been going on for a little while now, but my site gets pretty much no traffic and what little traffic it gets is from IE, so this never used to be an issue.

Here's the code I use to authenticate a user:

sub authenticate 
{ 
    my ($user, $pass); 
    if($query->param("user")) 
    { 
        $user = $query->param("user"); 
        $pass = md5_hex($query->param("pass")); 
    } 
    elsif($query->cookie("lyr_bat")) 
    { 
        ($user, $pass) = split /-/, $query->cookie('lyr_bat'); 
    } 

    if($user and $pass) 
    { 
        my $users = $conn->query("SELECT * FROM lyr_users WHERE user =
+ ?", $user); 
        if($pass eq $users->field("pass")) 
        { 
            $users->field("last_logon", time); 
            $users->update("id"); 
            $cur_user = $user; 
            return $query->cookie(-name => 'lyr_bat', -value => "$user
+-" . $users->field("pass"), -expires => '+10m', -path => '/') unless 
+$query->param("node") eq "logout"; 
         } 
     } 
     if($query->param("node") eq "logout") 
     { 
         if($user) 
         { 
             my $users = $conn->query("SELECT * FROM lyr_users WHERE u
+ser = ?", $user); 
             $users->field("last_logon", 0); 
             $users->update("id"); 
         } 
         $cur_user = undef; 
         return $query->cookie(-name => 'lyr_bat', -value => ''); 
     } 
     return []; 
}
[download]

Basically it just authenticates the user and if the authentication is successful, the username is saved in $cur_user. The return value of the sub is an anonymous array suitable for passing to CGI::header. The code definitely authenticates properly because I can log in. It's the saving of the cookie that causes the problem. The code that actually prints the header is:

my $cookie = authenticate(); 
print $query->header(-cookie => $cookie);
[download]

I'm at a loss here. I'd appreciate any help. BTW, I've tried removing the -path and -expires section: no dice.

TIA,
Bill

Comment on Weirrd Cookie Problems Select or Download Code

Replies are listed 'Best First'.
Re: Weirrd Cookie Problems by antirice (Priest) on Aug 22, 2003 at 00:52 UTC
Add the -domain option. Hope this helps. antirice The first rule of Perl club is - use Perl The ith rule of Perl club is - follow rule i - 1 for i > 1	[reply]
Re: Re: Weirrd Cookie Problems by batkins (Chaplain) on Aug 22, 2003 at 01:08 UTC
Same deal. Thanks, though.	[reply]
Re: Re: Re: Weirrd Cookie Problems by antirice (Priest) on Aug 22, 2003 at 01:28 UTC
Hmmm... upon further inspection, it appears that something is putting a space before Set-Cookie: in the response header. Here's what I got when I used my magic request application written by a man I met in the subway one day: GET /index.pl?user=antirice&pass=something_or_another HTTP/1.1 Host: lyrics.batkins.com HTTP/1.1 200 OK Date: Fri, 22 Aug 2003 01:24:00 GMT Server: Apache/1.3.27 (Unix) mod_auth_passthrough/1.6 Chili!Soft-ASP/3 +.6.2 mod_log_bytes/1.2 mod_bwlimited/1.0 PHP/4.3.2 FrontPage/5.0.2.25 +10 mod_ssl/2.8.14 OpenSSL/0.9.6b Set-Cookie: lyr_bat=antirice-some_pass_md5_checksum; domain=lyrics.ba +tkins.com; path=/; expires=Fri, 22-Aug-2003 01:34:11 GMT Transfer-Encoding: chunked Content-Type: text/html; charset=ISO-8859-1 [download] Check out the version of CGI you are using. I'm using 2.81 and it doesn't have such a space. Of course, it may be from the server string before it. Either way, this is probably the cause. Hope this helps. antirice The first rule of Perl club is - use Perl The ith rule of Perl club is - follow rule i - 1 for i > 1	[reply] [d/l]
Re: Weirrd Cookie Problems by cees (Curate) on Aug 22, 2003 at 03:47 UTC
Try it without the -expires option and see if it works. You are using an expiry of 10 minutes which is not very long. A discrepancy between your server clock, and your clients workstation clock could expire the cookie immediately. Remember that it is up to the Client to decide when the cookie should be expired, and it will use it's own clock to decide that. One way around this problem is to always use the clients time to set expiry times in your cookies. That means using a little bit of JavaScript on your login page to get the workstation's idea of what time it is, and set the expiry at 10 minutes plus that time. I believe that some servers pass a Date: header in the response (apache does), but I do not know if client side browsers actually use this header to determine cookie expiry timeouts. I would be interested to know if someone has any details on that. - Cees	[reply]