In the event that anyone stumbles across this looking for help, I figured I would provide a follow-up. This link is a Microsoft bug report that covers 3 (yup, three!) versions of IIS. It (incorrectly) states that IIS ignores the Set-Cookie header if used with a Location: header. In reality, it passes the Set-Cookie: header but tosses an extra newline in the headers prior to the status line.

merlyn's comment that he thought IIS might always require nph- headers, while not quite accurate, is pretty close to the mark. I discovered that merely trying to generate a Status: header had the same effect of breaking up the headers.

    print $cgi->header( -cookie => \@cookie,
                        -status => $status );
[download]

The above snippet generated the following:

HTTP/0.9 200 OK
Client-Date: Tue, 26 Dec 2000 20:04:30 GMT
Client-Peer: 192.168.1.65:80

Status: 403 Forbidden
Set-Cookie: orderTotal=n%2Fa; path=/
Set-Cookie: message=No%20such%20dealer.; path=/
Date: Tue, 26 Dec 2000 21:01:26 GMT
Content-Type: text/html; charset=ISO-8859-1
[download]

It appears that IIS wants to insert its own status code regardless of the status that I provide. Using nph with IIS appears to be desirable due to many bugs.

Incidentally, using the same script with Apache resulted in a 403 Forbidden response, as desired, but failed to send cookies. Is this appropriate? I didn't see anything in the cookie specification that prevents them from being set with a 403 error.

Cheers,
Ovid

Join the Perlmonks Setiathome Group or just click on the the link and check out our stats.