[OT] 302 redirect after login result cookie lost?

by Anonymous Monk
on Oct 12, 2007 at 02:19 UTC

Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hi,

I have a Perl app that behaves strangely. It happens when I try to log in and then redirect to the front page upon success.
The problem is that the cookie is somehow lost. The strange thing is that it works for Firefox but not IE.

The code is as simple as:

    my $cookie = $q->cookie(
        -name    => 'auth_tkt',
        -value   => $tkt,
        -expires => '+1h',
    );
    $q->redirect( -uri => $uri, -cookie => $cookie );

Here is the FF header:

    POST /app/account/process_login HTTP/1.1
    Host: www.example.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    Referer: http://www.example.com/app/account/login
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 40

    back=&username=testuser&password=1234567

    HTTP/1.x 302 Found
    Date: Fri, 12 Oct 2007 00:39:23 GMT
    Server: Apache/1.3.36 (Unix) mod_auth_tkt/2.0.0rc2 mod_perl/1.29
    Set-Cookie: auth_tkt=YTg3OWYyZjVlYmQ5ZTllM2Q3NWExNzdmMTRhMjI3ZGI0NzBlYzIzYnRlc3R1c2VyITI%3D; path=/; expires=Fri, 12-Oct-2007 01:39:23 GMT
    Location: /app
    Keep-Alive: timeout=15, max=99
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: text/plain
    ----------------------------------------------------------
    http://www.example.com/app

    GET /app HTTP/1.1
    Host: www.example.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    Referer: http://www.example.com/app/account/login
    Cookie: auth_tkt=YTg3OWYyZjVlYmQ5ZTllM2Q3NWExNzdmMTRhMjI3ZGI0NzBlYzIzYnRlc3R1c2VyITI%3D

    HTTP/1.x 200 OK
    Date: Fri, 12 Oct 2007 00:39:24 GMT
    Server: Apache/1.3.36 (Unix) mod_auth_tkt/2.0.0rc2 mod_perl/1.29
    Keep-Alive: timeout=15, max=98
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=ISO-8859-1
    ----------------------------------------------------------

Here is the IE header:

    POST /app/account/process_login HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/msword, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, */*
    Referer: http://www.example.com/app/account/login
    Accept-Language: en-us,en;q=0.5
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)
    Host: www.example.com
    Content-Length: 40
    Connection: Keep-Alive
    Cache-Control: no-cache

    back=&username=testuser&password=1234567

    HTTP/1.1 302 Found
    Date: Fri, 12 Oct 2007 00:01:20 GMT
    Server: Apache/1.3.36 (Unix) mod_auth_tkt/2.0.0rc2 mod_perl/1.29
    Set-Cookie: auth_tkt=NmY4ZDFiZDZhODgxZTk0ZTkwNDIyZjU5MmRmNGMwY2Q0NzBlYjk1MXRlc3R1c2VyITI%3D; path=/; expires=Fri, 12-Oct-2007 01:01:21 GMT
    Location: /app
    Keep-Alive: timeout=15, max=99
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: text/plain

    GET /app HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/msword, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, */*
    Referer: http://www.example.com/app/account/login
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)
    Host: www.example.com
    Connection: Keep-Alive
    Cache-Control: no-cache

    HTTP/1.1 200 OK
    Date: Fri, 12 Oct 2007 00:01:21 GMT
    Server: Apache/1.3.36 (Unix) mod_auth_tkt/2.0.0rc2 mod_perl/1.29
    Keep-Alive: timeout=15, max=98
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=ISO-8859-1

Replies are listed 'Best First'.
Re: [OT] 302 redirect after login result cookie lost?
by atemon (Chaplain) on Oct 12, 2007 at 02:49 UTC

    Hi,

    Sorry to say that you can not set cookie for redirection. The redirection header is

        Status: 302 Moved
        Location: www.my-redirected-domain.com # uri in $q->redirect will come here

    I.e. the server is instructing the user agent (browser) that the URL it is now looking for has moved (302) to the new location, and to please look at the new location for the page. The referrer has nothing to do with the new page. So if you want to set a cookie for the new page, you need to set it in the new page itself, NOT in the referrer. You may send some parameters to the new page to set cookies for that page.

    --VC



    There are three sides to any argument.....
    your side, my side and the right side.

      Sorry to say that you can not set cookie for redirection.
      I looked into the RFC and couldn't find any statement that forbids that: http://www.faqs.org/rfcs/rfc2616.html
      Besides that (which is of course no proof), my ie4linux, Opera, Firefox, Lynx and w3m can do it.
Re: [OT] 302 redirect after login result cookie lost?
by Anonymous Monk on Oct 12, 2007 at 14:32 UTC

    Old and annoying problem. MSIE ignores Cookies when redirecting a POST request via HTTP. Return an HTML page with a javascript or meta redirection and it will work.

    Alexander

Re: [OT] 302 redirect after login result cookie lost?
by tinita (Parson) on Oct 12, 2007 at 12:26 UTC

    well, a simple example worked for me on ie4linux 6.0.

        use strict;
        use warnings;
        use CGI;
        use CGI::Cookie;

        my $cgi    = CGI->new;
        my $w      = $cgi->param('w')   || 'start';
        my $number = $cgi->param('num') || 23;

        if ($w eq 'start') {
            # Landing page: show the Cookie header the browser sent back
            print $cgi->header;
            print "<pre>print $ENV{HTTP_COOKIE}</pre>";
            print qq{<a href="/test/cookie_redir.pl?w=cookie">cookie</a>};
        }
        elsif ($w eq 'cookie') {
            # Set the cookie on the 302 response itself, then redirect to the landing page
            my $cookie = CGI::Cookie->new(-name => 'ID', -value => $number);
            print $cgi->redirect(
                -uri    => '/test/cookie_redir.pl?w=start',
                -cookie => $cookie,
            );
        }

    call it: script.pl?w=cookie;num=1234

    edit: sorry, didn't get the POST. i tried my script with POST and it still works on IE.

Re: [OT] 302 redirect after login result cookie lost?
by jhourcle (Prior) on Oct 12, 2007 at 12:07 UTC

    Instead of using an HTTP redirect, you can use an HTML meta refresh. Sure, there was a time when not all browsers supported it, but that was 10 years ago.

Re: [OT] 302 redirect after login result cookie lost?
by Anonymous Monk on Oct 12, 2007 at 19:19 UTC
    Just to let everyone know: if I set the expire time to '+2h', the cookie is set correctly on IE and FF. Once set back to '+1h' it stops working.
      The answer is in
      The HTTP 1.0 standard per http://www.w3.org/Protocols/rfc2109/rfc2109 in section "4.3.5 Sending Cookies in Unverifiable Transactions" says that cookies should not be set from unverifiable transactions. It states specifically that "Unverifiable transactions typically arise when a user agent automatically requests inlined or embedded entities or when it resolves redirection (3xx) responses from an origin server." So, "Set-Cookie" is not to be acted upon by browsers / user agents for 3xx redirects. Nothing in HTTP 1.1 changes this part of HTTP.
      http://www.ietf.org/rfc/rfc2965.txt doesn't really change this
      Thanks to
    • http://www.persistall.com/archive/2008/01/25/cookies--redirects--nightmares.aspx
    • http://jhottengineering.blogspot.com/2009/02/ie-post-and-redirect-errors.html


      Butlerian Jihad now!
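
Added example (not part of the thread and not any poster's code): a check over the two captures from the question and the '+1h' versus '+2h' observation in the last follow-up. It reads each 302 response's `Date` and `Set-Cookie` headers, reports whether the next request returned the cookie, and computes the lifetime the server granted. The `Next-Cookie` key, the function names, the 5400-second clock offset and the premise that a client compares `Expires` with its own clock are assumptions for illustration.

```python
from email.utils import parsedate_to_datetime

# Headers copied from the captures in the question. "Next-Cookie" (a name made
# up for this example) is the Cookie header of the GET /app after the 302.
FF = {
    "Date": "Fri, 12 Oct 2007 00:39:23 GMT",
    "Set-Cookie": "auth_tkt=YTg3OWYyZjVlYmQ5ZTllM2Q3NWExNzdmMTRhMjI3ZGI0NzBlYzIz"
                  "YnRlc3R1c2VyITI%3D; path=/; expires=Fri, 12-Oct-2007 01:39:23 GMT",
    "Next-Cookie": "auth_tkt=YTg3OWYyZjVlYmQ5ZTllM2Q3NWExNzdmMTRhMjI3ZGI0NzBlYzIz"
                   "YnRlc3R1c2VyITI%3D",
}
IE = {
    "Date": "Fri, 12 Oct 2007 00:01:20 GMT",
    "Set-Cookie": "auth_tkt=NmY4ZDFiZDZhODgxZTk0ZTkwNDIyZjU5MmRmNGMwY2Q0NzBlYjk1"
                  "MXRlc3R1c2VyITI%3D; path=/; expires=Fri, 12-Oct-2007 01:01:21 GMT",
    "Next-Cookie": None,  # the IE request for /app has no Cookie header
}

def parse_set_cookie(header):
    """Return the name=value pair and a dict of lower-cased attributes."""
    pair, *rest = [part.strip() for part in header.split(";")]
    attrs = {k.lower(): v for k, _, v in (p.partition("=") for p in rest)}
    return pair, attrs

def lifetime_s(capture):
    """Lifetime the server granted, in seconds: Expires minus Date."""
    _, attrs = parse_set_cookie(capture["Set-Cookie"])
    delta = parsedate_to_datetime(attrs["expires"]) - parsedate_to_datetime(capture["Date"])
    return int(delta.total_seconds())

def cookie_returned(capture):
    """True if the request after the redirect sent back the cookie just set."""
    pair, _ = parse_set_cookie(capture["Set-Cookie"])
    sent = (capture["Next-Cookie"] or "").split(";")
    return pair in [c.strip() for c in sent]

def expired_on_arrival(lifetime, clock_ahead_s):
    """Assumption: the client checks Expires against its own clock, which runs
    clock_ahead_s seconds ahead of the server's."""
    return clock_ahead_s >= lifetime

def report(capture, clock_ahead_s):
    """Summarise one capture for '+1h' (as captured) and '+2h' (one hour more)."""
    life = lifetime_s(capture)
    return {"returned": cookie_returned(capture), "lifetime_s": life,
            "expired_at_1h": expired_on_arrival(life, clock_ahead_s),
            "expired_at_2h": expired_on_arrival(life + 3600, clock_ahead_s)}

if __name__ == "__main__":
    print("FF", report(FF, clock_ahead_s=0))
    print("IE", report(IE, clock_ahead_s=5400))  # 5400 s: constructed offset
```

Under the stated premise, a client clock between roughly one and two hours ahead of the server treats the '+1h' cookie as already expired but keeps the '+2h' one.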
