JK_Bean has asked for the wisdom of the Perl Monks concerning the following question:

My web site uses one cookie. However when I inspect the value of $ENV{'HTTP_COOKIE'} using the perl code, I sometimes get more than one instance of the cookie (with the same EXACT name), which may or may not have the same value. For example the value of $ENV{'HTTP_COOKIE'} might be something like: foo=bar1; foo=bar2

I have tried writing the cookie from the server side perl code and I have tried writing the cookie by JavaScript on the client's PC. Either way can yield the duplicate cookie problem. Even code written in JavaScript with "; path=/" at the end still can eventually yield 2 cookies.

When I get the duplicate cookie the correct one (i.e. the most current write) is sometimes the 1st one, and sometimes the 2nd. So far I have never seen more than 2 with the same name. The problem can sometimes take several days before it shows itself. The site is currently keeping a record of all visitors' cookies for the site. When I look at this file I can see that 7 out of about 250 of the members that log in have this problem and the number having this problem increases now and then.

Does anyone know the mechanism that is causing duplicate cookies, and what to do to stop it? Thank you in advance for anyone that can offer a real solution.

Replies are listed 'Best First'.
Re: annoying duplicate cookies
by nardo (Friar) on Jun 24, 2001 at 21:57 UTC
    According to Netscape's cookie specification: "When sending cookies to a server, all cookies with a more specific path mapping should be sent before cookies with less specific path mappings. For example, a cookie "name1=foo" with a path mapping of "/" should be sent after a cookie "name1=foo2" with a path mapping of "/bar" if they are both to be sent." So if you're getting more than one cookie with the same name, the first one is the one you should probably be paying attention to.

    Update: It's also possible that someone is having the cookie set at yourdomain.com and www.yourdomain.com which would cause it to be sent twice to www.yourdomain.com if you don't set the DOMAIN property of the cookie.
Re: annoying duplicate cookies
by eejack (Hermit) on Jun 24, 2001 at 20:36 UTC
    If you would be so kind as to post the code that you are using to read the cookies then perhaps someone could help.

    It is not possible to have two cookies with the same name and same path stored in one browser.

    It is possible for one user to log in from two different browsers or machines giving the appearance of two cookies, or you might have a case (or errant character) problem with foo, or you might have two foos with different paths (not even sure this is possible but in theory it should be).

    However, without some code to look at I suspect most folks will just be guessing.

    EEjack

      "It is possible for one user to log in from two different browsers or machines giving the appearance of two cookies"

      'fraid that's a Red Herring. Each browser request is independent, so how could a second browser send a cookie from the first?

      If they are separate browser windows of the same browser, then the problem is still equivalent to there being one browser.

      cLive ;-)

Re: annoying duplicate cookies
by JK_Bean (Novice) on Jun 24, 2001 at 21:45 UTC
    Unfortunately it is all too possible to have 2 cookies with an identical name. I'm not the only one that I've heard of with this problem. I do believe the problem is related to how the browser handles the path, but when you read a cookie, you have no control over that (unless you can correct me on this).

    I already posted the code I use to read the cookie. I simply use $ENV{'HTTP_COOKIE'}. That returns a string containing all the cookies for that site on the user's browser. Also, there is no case problem or errant character with the name. I wish it were that simple.

    I am aware that a user can log in from more than one PC, but my site only keeps the most recent cookie image from that user as a snap shot, so I don't store a cookie from each PC. Also note that for the cookie I use, I set the expiration to 1 year, so the cookie hangs around for a lot longer than many cookies do. If you use cookies, you may be having this problem, but aren't aware of it either because your expiration is so short, or an old duplicate cookie won't cause problems in your code.

    The code to write the cookie is...

        . .
        $co = new CGI;
        . . .
        $newunp = join('|',@batch);
        $ck_unp = $co->cookie( -name=>'unp',
                               -value=>$newunp,
                               -expires=>'+365d' );
        print $co->header(-cookie=>$ck_unp);
        . .

    Again, thanks for any help.

      Nardo brings up a good point about the domain portion of the cookie...one I haven't run into because I redirect .domain.com to www.domain.com on all my servers.

      As far as I can determine you cannot access the path or domain portion of the browser's cookie, to set yes, to read no.

      Assuming it is the domain portion that might be a problem, you could force everyone into either www.domain.com or domain.com - that should *eventually* solve the problem.

      But even if you go through and expire all the cookies of folks who log on, and rewrite them in a very exact way, it still might take a year to eliminate them all.

      You might want to add a path and domain to where you are setting the cookies as a start (will not solve the problem of people with duplicates...), that way the browser cannot make its own determination of those items.

      But as far as solving it completely I cannot be of assistance.

      EEjack

Re: annoying duplicate cookies
by JK_Bean (Novice) on Jun 25, 2001 at 03:11 UTC
    Yes Nardo, you win the prize. Thank you!!!!! I was able to recreate the problem on my PC by visiting jkclan.com and www.jkclan.com. This in fact triggered the double cookie problem on my PC, whereas before I did not have it on mine personally.

    I will look into using the DOMAIN property of the cookie. Even tho some of the users have the double cookie, once I have a fix that I'm sure will work, I will cast all the old cookies to a new name and abandon the old ones. This should eradicate the problem. I might even re-write the old ones (after extracting what I can from them) with an expiration date of "yesterday" to delete them. If the domain property can't fix my problem, then I will try redirecting the users from jkclan.com to www.jkclan.com, as EEjack mentioned. Hopefully the first solution will work anyway.

    Thanks all :o)
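
The cleanup plan discussed above (pin DOMAIN and PATH, move to a new cookie name, expire the old one), as an added example that is not code from any poster in this thread. The domain example.com, the replacement name unp2 and the sample header are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Assumptions for this example: the site answers on both example.com and
# www.example.com, and 'unp2' is the (hypothetical) replacement cookie name.
my ($OLD, $NEW, $DOMAIN) = ('unp', 'unp2', '.example.com');

# Split a raw Cookie header into name => [values in the order received], so a
# repeated name stays visible instead of collapsing into a single hash slot.
sub parse_cookie_header {
    my ($raw) = @_;
    my %jar;
    for my $pair (split /\s*;\s*/, $raw // '') {
        my ($name, $value) = split /=/, $pair, 2;
        next unless defined $name && length $name;
        $value //= '';
        $value =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;   # undo URL escaping
        push @{ $jar{$name} }, $value;
    }
    return \%jar;
}

# Build the Set-Cookie list for a visitor who still sends the old name.
# The request carries no domain, path or age for a cookie, so the newer copy
# cannot be identified; this keeps the first one, as suggested in the thread.
# The old name is expired twice: as a host-only cookie and as a domain cookie.
sub migration_cookies {
    my ($q, $jar) = @_;
    my @old = @{ $jar->{$OLD} || [] };
    return [] unless @old;
    my @set = (
        $q->cookie(-name => $OLD, -value => '', -path => '/', -expires => '-1d'),
        $q->cookie(-name => $OLD, -value => '', -path => '/', -expires => '-1d',
                   -domain => $DOMAIN),
    );
    unshift @set, $q->cookie(-name => $NEW, -value => $old[0], -path => '/',
                             -domain => $DOMAIN, -expires => '+365d')
        unless $jar->{$NEW};
    return \@set;
}

# Constructed sample header: one browser holding 'unp' for both host names.
my $raw = $ENV{HTTP_COOKIE} // 'unp=alice%7Cold; unp=alice%7Cnew';
my $q   = CGI->new;
my $jar = parse_cookie_header($raw);
warn "duplicate $OLD cookie: @{ $jar->{$OLD} }\n" if @{ $jar->{$OLD} || [] } > 1;
print $q->header(-cookie => migration_cookies($q, $jar));
```

The host-only expiry only affects the host that served the response, so a visitor may need one request on each host name before both old copies are gone.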

Re: annoying duplicate cookies
by cLive ;-) (Prior) on Jun 25, 2001 at 01:53 UTC
    Perhaps you're setting the cookie each time the script is called? Why not check? Say you have a CGI object called $query. Where you set the cookie, add a test for existence:
        # only set the cookie if the browser did not already send one
        unless ($query->cookie('sessionID')) {
            my $cookie = $query->cookie(-name=>'sessionID',
                                        -value=>'xyzzy',
                                        -expires=>'+1h',
                                        -path=>'/');
            print $query->header(-cookie=>$cookie);
        }
    That's where I'll bet my dollar :)

    cLive ;-)