Jon Box ran into a crazy bug today with ASP.NET, IIS and Cookie handling. These are my favorite bugs. I love sniffing HTTP traffic; not sure why.
I had thought that his cookie was being dropped due to a missing P3P privacy policy. Turns out, it seems, that his server name was like SERVER_NAME and that an underscore is outside of the RFC guidelines, specificaly RFC 1034 and RFC 1035. His IIS support guy at Microsoft pointed to Q222823 that mentions a warning message you'd get when naming your server in this non-standard way:
"The computer name "computer name" contains one or more non-standard characters. Standard characters include letters (A-Z, a-z), digits (0-9), and hyphens. Using a non-standard name will prevent other users from finding your computer on the network, unless your network is using the Microsoft DNS Server. Do you wish to use this non-standard name?"
The conclusion is that ASP.NET doesn't handle cookies properly unless the DNS name of the server in question is within specifications for standard naming. Seems obivous in retrospect, but the fact that the cookie is just dropped doesn't automatically lead one to this conclusion. Kudos to Jon for sticking to the problem. If he posts more details on his blog, I'll add a link.
UPDATE: Looks like it's IE, not ASP.NET, and for security purposes. Thanks Jeff Berkowitz!
Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. I am a failed stand-up comic, a cornrower, and a book author.
Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.