FIX: Cookies Can Be Set for Generic Domain Names (217043)
The information in this article applies to:

  • Microsoft Internet Explorer (Programming) 2.0
  • Microsoft Internet Explorer (Programming) 2.01
  • Microsoft Internet Explorer (Programming) 2.1
  • Microsoft Internet Explorer (Programming) 3.0
  • Microsoft Internet Explorer (Programming) 3.01
  • Microsoft Internet Explorer (Programming) 3.02
  • Microsoft Internet Explorer (Programming) 4.0
  • Microsoft Internet Explorer (Programming) 4.01
  • Microsoft Internet Explorer (Programming) 4.01 SP1

This article was previously published under Q217043

SYMPTOMS

Web sites with a country suffix may be sent unwanted cookies from the client browser.

CAUSE

When a server sets a cookie, the Domain attribute should contain at least two periods and match the domain name of the server setting the cookie. This way an organization can set cookies for its own domain only, for example ".microsoft.com". Many browsers, including all versions of Internet Explorer prior to 5.0, do not account for a country suffix, which allows cookies to be set for generic domain names such as ".com.au" or ".co.uk".

STATUS

Microsoft has confirmed that this is a bug in the Microsoft products that are listed at the beginning of this article. This bug was corrected in Internet Explorer 5.0.

MORE INFORMATION

The sending of unwanted cookies can cause problems with sites that impose strict security measures. Sites that use firewalls or ISAPI filters to check incoming request properties, such as the request header size or the cookie length, may reject requests containing these unexpected cookies.

To reproduce this problem, add the following code to an Active Server Pages (ASP) page on an Internet Information Server (IIS) Web server (it must run before any page output is written, because it adds a Set-Cookie response header):

<%
' Set a cookie whose Domain attribute is only the generic country suffix ".com.au"
Response.Cookies("ckGeneric") = "CookieBody"
Response.Cookies("ckGeneric").Expires = "2001/12/31"
Response.Cookies("ckGeneric").Domain = ".com.au"
Response.Cookies("ckGeneric").Path = "/"
%>

Access this page from a browser using a fully qualified domain name that includes the ".com.au" suffix. The cookie will be set on your machine (you can check this in the folder that stores the cookies on your browser and operating system). Start a network trace on your machine and access any site ending in the ".com.au" suffix. You will notice in the HTTP request header that the ckGeneric cookie is being sent in every request.
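The following Python code is an added example, not part of the original article or of any Microsoft product. It models the Domain check described under CAUSE for the ckGeneric cookie from the ASP snippet above: the legacy "at least two periods" rule accepts ".com.au", while a corrected check that also rejects generic country suffixes does not. The suffix set is a small constructed sample, not a complete public-suffix database.

```python
# Added example: accept/reject a Set-Cookie Domain attribute for a given host.
# GENERIC_SUFFIXES is a constructed sample list (assumption), not authoritative.
GENERIC_SUFFIXES = {"com", "net", "org", "com.au", "net.au", "co.uk", "co.nz"}

# Constructed header mirroring the ASP snippet in this article.
GENERIC_HEADER = ("ckGeneric=CookieBody; expires=Mon, 31-Dec-2001 00:00:00 GMT; "
                  "domain=.com.au; path=/")


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, attrs); attribute names
    are lower-cased so 'Domain' and 'domain' are treated alike."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def domain_matches_host(cookie_domain, host):
    """True if cookie_domain (e.g. '.example.com.au') is a suffix of host."""
    d = cookie_domain.lower().lstrip(".")
    h = host.lower()
    return h == d or h.endswith("." + d)


def legacy_domain_ok(cookie_domain, host):
    """Pre-IE5 rule: at least two periods and a suffix match with the server.
    '.com.au' has two periods, so this rule accepts it: that is the bug."""
    return cookie_domain.count(".") >= 2 and domain_matches_host(cookie_domain, host)


def strict_domain_ok(cookie_domain, host):
    """Corrected rule: additionally reject a Domain that is only a generic
    suffix, so one site cannot scope a cookie to every site in a country."""
    if not legacy_domain_ok(cookie_domain, host):
        return False
    return cookie_domain.lower().lstrip(".") not in GENERIC_SUFFIXES


def should_accept(header, host, strict):
    """Decide whether a browser on `host` should store the cookie in `header`."""
    _name, _value, attrs = parse_set_cookie(header)
    domain = attrs.get("domain")
    if domain is None:
        return True  # host-only cookie: no Domain attribute to validate
    check = strict_domain_ok if strict else legacy_domain_ok
    return check(domain, host)
```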

Modification Type: Major
Last Reviewed: 10/16/2002
Keywords:kbBug kbie500fix KB217043