Scott Hanselman

IE's Content Advisor, PICS Ratings and the ASP.NET Flakey of the Day

April 1, '04 Comments [3] Posted in ASP.NET | Javascript | Bugs
Sponsored By

GOTCHA #1: Here's a crazy thing.  Let me try to paint a word picture for you of the thing I debugged today with the info I was given in the order it was given:

Symptom: "So, Scott, it appears that users using the Content Advisor feature of IE (the one that's there to prevent kids from seeing naughty things) occasionaly and apparently randomly get logged out of our website"

Me: "That sucks."

Additional Information #1: "Turns out the get logged out when we open a new Window with target='_blank' or javascript:window.open."

Me: "That IS weird.  Good luck with that."

Additional Information #2: "With IEHttpHeaders we see that the Forms Authentication Cookie 'disappears' when this new window opens."

Me: "Well that's just kooky talk.  Cookies don't disappear, they are either tossed with the HTTP Header set-cookie directive, or they are not passed in the Http Request."

Additional Information #3: "Well, turns out that when Content Advisor is OFF, the interaction looks like this:

HTTP GET /somefile.aspx
RESPONSE 200
HTTP GET /somethingelse.aspx (we did a javascript.open)
RESPONSE 302 getthisfile.aspx
HTTP GET getthisfile.aspx
RESPONSE 200

But when Content Advisor is ON, we see this:

HTTP GET /somefile.aspx
RESPONSE 200
HTTP GET /somethingelse.aspx (we did a javascript.open)
HTTP GET /
RESPONSE 200
RESPONSE 302 getthisfile.aspx
HTTP GET getthisfile.aspx
RESPONSE 200

Me: "Well, crap. Who or what is asking for '/' in the middle there?  What's the Headers look like?"

Additional Information #4: "Let's see...when the Response to the GET of / comes back...oh...doh, look at that: 

Set-Cookie:AUTHCOOKIE=; expires=Wednesday, 09-Nov-99 10:34:56 GMT;path=/

Me: "Hm...so clearly SOMEONE is tossing that cookie.  Well, the only place we erase that cookie is the login.aspx page.  Say, what's the DEFAULT page for this site?  It's login.aspx you say?  Oy.

CONCLUSION: When the Content Advisor is ON, Internet Explorer will request '/' from a site anytime a new window is opened.  It does this to request and cache the PICS data from either the page or the headers.  Turned out that on our site, when we opened a new window, IE would go and request the default page '/' which is set in IIS as login.aspx...and we had if(!IsPostBack) FormsAuthentication.SignOut() automatically logging folks out to be tidy.  The Content Advisor's overzealous retrieval of our default page logged the user out.  Damned interesting.


GOTCHA #2: One other thing to remember, if you DON'T have a PICS (Platform for Internet Content Selection) header in your Http Headers or as a META tag in your HTML then folks using Content Advisor in IE may not be able to view your site at all.

So, I just added a standard "I'm harmless" PICS header to the project-wide base page (in the OnLoad).

Response.AddHeader("pics-label","(pics-1.1 \"http://www.icra.org/ratingsv02.html\" comment \"ICRAonline EN v2.0\" l r (nz 1 vz 1 lz 1 oz 1 cz 1) \"http://www.rsac.org/ratingsv01.html\" l r (n 0 s 0 v 0 l 0))"

Also, there's a great PICS Rating Generator online as well.

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb

Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.