<rant>

Among meryln's articles is a very good recent one on cookie management. The article lays out a scheme for handling login/logout by "branding" a browser with a random token that is then used on the server side for access user info and state.

To initially brand the browser, the script first verifies that it isn't looping, then generates a cookie, and next redirects to itself to set the cookie by doing 

  param("_cookiecheck", 1);   # prevent infinite loop
  print redirect (-cookie => $cookie, -uri => self_url());

[download]
Pretty straightforward.

So straightforward that I just burned up 3 hours trying to get it working on IIS, including 1 hour of reconfiguring IIS to save additional info in its logs (IIS will save cookies in the logs, if you know how to ask) and carefully comparing what I thought the script should be doing against what I was seeing on the browser and in the logs.

The redirect was working; _cookiecheck=1 was showing up in the URL, but no cookie was set... until after I acknowledged the form that the script later displays to nag the user into enabling cookies. Huh? Where'd the original cookie go?

Inspecting the relevant parts of CGI.pm and CGI::Cookie.pm shed no light, though they suggested a few avenues for debugging, which -- after another hour of head scratching -- all grounded out.

Then it finally flashed on me to use Google. A search for "iis cgi redirect cookie" turned up this Microsoft KB article, originally written in 1977 1997, which admits that

When a CGI application sends a Set-Cookie header with "302 Object Moved" response and Location header, Internet Information Server (IIS) ignores the cookie header.
Further, they note that this errant behavior is in IIS 3.0, 4.0, and 5.0, and they give no indication that they intend to fix it. As a consolation prize, they mention that by naming your CGIs "nph-*" you can use non-parsed headers, and work around the problem that way.

Thank you, Microsoft.

This may also explain why Microsoft is such an abuser of the the 0 second http-equiv refreshes.

</rant>

In reply to A Rant on IIS Breakage by dws

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.