Scott Hanselman

Obscure Bug: ASP.NET doesn't handle cookies with non-standard server names

January 13, 2006 Comment on this post [4] Posted in ASP.NET | Bugs
Sponsored By

Jon Box ran into a crazy bug today with ASP.NET, IIS and Cookie handling. These are my favorite bugs. I love sniffing HTTP traffic; not sure why.

I had thought that his cookie was being dropped due to a missing P3P privacy policy. Turns out, it seems, that his server name was like SERVER_NAME and that an underscore is outside of the RFC guidelines, specificaly RFC 1034 and RFC 1035. His IIS support guy at Microsoft pointed to Q222823 that mentions a warning message you'd get when naming your server in this non-standard way:

"The computer name "computer name" contains one or more non-standard characters. Standard characters include letters (A-Z, a-z), digits (0-9), and hyphens. Using a non-standard name will prevent other users from finding your computer on the network, unless your network is using the Microsoft DNS Server. Do you wish to use this non-standard name?"

The conclusion is that ASP.NET doesn't handle cookies properly unless the DNS name of the server in question is within specifications for standard naming. Seems obivous in retrospect, but the fact that the cookie is just dropped doesn't automatically lead one to this conclusion. Kudos to Jon for sticking to the problem. If he posts more details on his blog, I'll add a link.

UPDATE: Looks like it's IE, not ASP.NET, and for security purposes. Thanks Jeff Berkowitz!

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Hosting By
Hosted in an Azure App Service
January 13, 2006 10:58
I had exactly the same issue a few year ago. I was pulling my hair why my cookie wasn't working and it happened to be this issue. Changing the name of the machine certainly solved the problem. It took me pretty much the whole day to find the solution...
January 13, 2006 14:11

I encountered the same problem in the days before .Net.
We traced it to the underscore in the name, but it was Internet Explorer that would not accept the cookies from this server name.

Worse than that, whilst trying to fathom the problem, we had one older version of IE that would, and the newer more secure version that would not which proved to be a real red herring.

January 13, 2006 19:01
Similar problem in a pre .NET ASP environment. In this scenario, we were adding sites to the Trusted Zone. If instead of adding the ServerName to the Trusted Zone, we used the IP Address, everything worked OK.

January 14, 2006 2:52
This bug (really "intentional breaking change") was a documented consequence of a security fix:;EN-US;q312461


Comments are closed.

Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.