Beefy Boxes and Bandwidth Generously Provided by pair Networks
Keep It Simple, Stupid

Cookie not being set

by Indomitus (Scribe)
on Jun 24, 2002 at 04:14 UTC ( [id://176684]=perlquestion: print w/replies, xml ) Need Help??

Indomitus has asked for the wisdom of the Perl Monks concerning the following question:

I'm trying to set a cookie for a website I'm creating and I'm having a heck of a time. It was working fine and somewhere in my changing things, I've broken the cookie code and can't figure out how. Here's the relevant code:
my $ucookie = new CGI::Cookie(-name=>'userpass', -value=>$userpass, -path=>'/', -domain=>'' -expires=>$expiry, ); my $new_url = "".$curr_page; print header(-cookie=>$ucookie, -location=>$new_url);
When I run the script that sets the cookie, it just doesn't get set. No errors, nothing. It worked fine before and I've checked my browser settings. To debug I printed the normal header and had the cookie header print out on the screen and it looked okay. I've also tried just setting a basic cookie with only the name and value as plain text and still nothing. Is there any way to see errors being generated that would cause the cookie not to be set? I'm pretty much stumped at this point. Thanks.

Replies are listed 'Best First'.
Re: Cookie not being set
by grep (Monsignor) on Jun 24, 2002 at 04:26 UTC
    Have you tried other browers? Are you using IE6?

    IE6 with the default security setting (or anything above Low Secuity) will reject cookies from site without a P3P policy and P3P CPP headers.

    If you do not have a P3P policy (an unapproved standard deemed necessary by our malevolent dictator in Redmond) for your site you should (or your users will experience the problem I stated above). You can readup on P3P at W3C. W3C also provides a P3P Validator

    As a side note - do not store usernames and passwords in a cookie, this is a security hole (that has been experienced at some well-know sites :) ). You might want to setup a sessionid for that user and reference (and expire) that id

    Ovid's excellent CGI programming course addresses cookies and security concerns

    Just me, the boy and these two monks, no questions asked.
      This isn't entirely accurate. Only third party cookies without a P3P are blocked at the default setting for IE6. It takes a setting of "High" to block 1st party cookies (what this example would be) for a site without a P3P.


      do not store usernames and passwords in a cookie, this is a security hole
      Could you explain why or point me to a node to look at?
      You might want to setup a sessionid for that user and reference (and expire) that id
      How would be a good way to go about doing this.


        Here is one node and another that hits closer to home. Other than that I imagine you can search.

        As for you session question - if you are using Apache, Apache::Session IIRC will handle it all for you. If not - a simple setup would be session table in your DB with username, timestamp, and session id. Then check for that sessionid (passed either as a param or cookie) and see if it expired

        Just me, the boy and these two monks, no questions asked.

        There are several reasons why this is a security hole.

        • Assuming this is not sent over SSL, someone could sniff the traffic and, since this is sent in plaintext, they can see your user's passwords.
        • This is usually stored on the user's computer, so someone else with physical access to their machine can get this data.
        • Cross-site scripting attacks can often read cookie data and send it somewhere else, thus allowing yet another way to compromise the user's data.

        Never fear, these things become second-nature after you work with the Web for a while :)


        Join the Perlmonks Setiathome Group or just click on the the link and check out our stats.

Re: Cookie not being set
by little (Curate) on Jun 24, 2002 at 07:25 UTC

    your call

    print header(-cookie=>$ucookie, -location=>$new_url);

    is wrong, try this
    print redirect( -uri=>$new_url, -cookie=>[$ucookie] );
    If you want to fullfill that with header() you must also supply a HTTP-Status code, eg. 302 Moved or 303 See Other.

    Have a nice day
    All decision is left to your taste
Re: Cookie not being set
by Ryszard (Priest) on Jun 24, 2002 at 09:10 UTC
    Useful tip: Use mozilla. With mozilla you can view the values of the cookies using the browser functionality. You can also make it so it warns if you a cookie is being set.

    I've experienced similar problems, my problems were around the domain and path settings..

    Also if you're using CGI::Application you might want to use redirect rather than using header.

    As previously mentioned, you should never, ever, ever put information in your cookie other than a session id, which is mapped to the user serverside. All the information you require, can and should be stored serverside.

Re: Cookie not being set
by caedes (Pilgrim) on Jun 24, 2002 at 04:45 UTC
    I think we really need more information than you are giving us (such as the rest of your script). My suggestion would be to get a client that can show you the HTTP headers (cURL for instance), and make sure that the script and server are sending the browser exactly what you want it to.


Re: Cookie not being set
by rdfield (Priest) on Jun 24, 2002 at 10:48 UTC
    If you're using IE6, you can see the cookie "arriving" at the client by setting the advanced privacy settings (Tools->Internet Options->Privacy->Advanced) to "prompt". This will show a dialog box the first time a cookie is sent to the browser, so you can check the details. I suspect that your domain setting is wrong and the browser is completely ignoring the cookie (ie there will be no prompt). If that is the case try sending the cookie without the domain set and see if the prompt appears.


Re: Cookie not being set
by cLive ;-) (Prior) on Jun 24, 2002 at 08:37 UTC
    Not this is it?

    cLive ;-)


Re: Cookie not being set - FIXED
by Indomitus (Scribe) on Jun 24, 2002 at 16:18 UTC
    Thanks a lot for everybody's help. I changed over to using CGI rather than CGI::Cookie and I also changed to use redirect rather than header and now everything looks like it's working fine. I don't know it seemed to be working before, that's weird.

    btw, I'm not sending the password in the cookie, it's another string that just identifies the user. I only call it userpass since in my original code I was sending the password. I've learned the error of my ways though.
      Your problem may have been that in the cookie you have to set:
      domain => ""

      In the browser, if you just have the "" without the "www." it won't work. The dot in 'domain => "" requires that a name is in front of "".

      For example: "" <-- Will work
      "" <-- Will NOT work

Log In?

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: perlquestion [id://176684]
Approved by theorbtwo
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others exploiting the Monastery: (6)
As of 2024-05-21 01:05 GMT
Find Nodes?
    Voting Booth?

    No recent polls found