Forum OpenACS Development: Cookie problems in IE on very old version of OACS

I have a really, really strange situation here.

I moved a very old 3.x based site from an old Linux server to a new one. This involved upgrading a number of things, including AOLserver (because I couldn't get the old version to build, and it didn't seem worth the effort to try). I thought everything was working fine until we discovered that IE users can't log in. No problem for Safari or Firefox, just IE.

I traced it down to the ad_session_id cookie. If one is using a sane browser, the cookie is written like so:

24698311,8645,aWDAN94COzn2OJxUFsMysXGu8EwX0FLr,1253291978; Path=/; Max-Age=86400

and read back as


However, if one is using the devil's browser :), it gets written properly:

24700551,8645,izOJSRoH5HeejpBwNjQm7Y1BugyQSaJk,1253291697; Path=/; Max-Age=86400

but reads back like this:


Two things have changed - the user_id is now zero, and the last_issue timestamp has increased.

I know this looks like it is being written again somewhere else, but I've examined every instance of ad_session_id everywhere in the code (it only appears in tcl/ad-security.tcl) and put an ns_log statement in ad_set_cookie and there is no sign of it being set again. I have read it back right after setting and it is correct at that point.

It really makes no sense; it looks like there must be some code rewriting the cookie that I have not found, but how could that possibly happen only for Internet Explorer???

Has anyone run into anything like this? I have Googled, but nothing even remotely similar is coming up.

I have IE 7; the client says they have also verified it happens with IE 8.

Posted by Dave Bauer on
I like to set up Wireshark/Ethereal and capture the HTTP traffic. This will usually show you where the cookies get set. I recall something like this that had to do with subdomains but I don't remember the details.
Posted by Torben Brosten on
iirc, there's an exception/special-case in the code somewhere for IE regarding cookies.

If I know what version of OpenACS you're running, I might be able to track down whether or not that version includes the case, and if not perhaps a fix..



Posted by Torben Brosten on
Check versions of __ad_verify_signature ..
Posted by Janine Ohmer on
It's based on OpenACS 3.2.5, but somewhat modified (and mostly not by me).

I don't seem to have ad_verify_signature. What file is it supposed to be in?

What happens is that the user goes to ecommerce/checkout.tcl, and ad_verify_and_get_user_id sends them off to log in. The ad_session_id cookie is written properly at this point (I have read it back and verified that it is correct). Then they go back to checkout.tcl, which calls ad_verify_and_get_user_id which should succeed this time, but does not because when that cookie is read back in this time, the user_id is set to zero as you can see in my original post (it is the second field, delimited by commas).

It seems logical that something else is messing with it in the meantime, but I cannot figure out where that's happening.

I have grepped the code for IE-specific stuff but didn't find anything cookie-related. If you know of something, please let me know.

Dave's suggestion of watching the HTTP traffic is probably my best bet at this point.

Thanks guys - if you come up with anything else, I'm all ears (eyes? :).
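
An added example, not part of the thread or of OpenACS: once the HTTP traffic has been captured as suggested above, a short script can walk the request lines and cookie headers and report where ad_session_id changes. It assumes the headers were exported as plain text; the names session_id and token for the first and third fields and the login URL are assumptions, and every value in the sample is constructed.

```python
import re
from typing import NamedTuple

class Session(NamedTuple):
    session_id: str   # assumed name for the first field
    user_id: int      # second field, per the post
    token: str        # assumed name for the third field
    last_issue: int   # fourth field, per the post

def parse_value(raw):
    """Split the four comma-separated fields; return None if malformed."""
    parts = raw.strip().strip('"').split(",")
    if len(parts) != 4 or not (parts[1].isdigit() and parts[3].isdigit()):
        return None
    return Session(parts[0], int(parts[1]), parts[2], int(parts[3]))

COOKIE_RE = re.compile(r"ad_session_id=([^;\s]+)")
RESET = "server re-issued cookie with user_id 0"
DUPLICATE = "browser sent more than one ad_session_id"
MISMATCH = "browser sent a value other than the last one set"

def audit(capture):
    """Return (line_no, url, finding) tuples for a text header capture."""
    findings, issued, url = [], None, "?"
    for n, line in enumerate(capture.splitlines(), 1):
        m = re.match(r"(GET|POST)\s+(\S+)", line.strip())
        if m:                      # remember which request we are in
            url = m.group(2)
            continue
        name, _, rest = line.strip().partition(":")
        values = [parse_value(v) for v in COOKIE_RE.findall(rest)]
        if name.lower() == "set-cookie" and values and values[0]:
            if issued and issued.user_id and values[0].user_id == 0:
                findings.append((n, url, RESET))
            issued = values[0]     # track what the server last handed out
        elif name.lower() == "cookie":
            if len(values) > 1:    # e.g. same name stored for two domains/paths
                findings.append((n, url, DUPLICATE))
            if issued and values and values[0] != issued:
                findings.append((n, url, MISMATCH))
    return findings

# Constructed sample capture (request lines and cookie headers only).
CAPTURE = """\
POST /login-placeholder HTTP/1.1
Set-Cookie: ad_session_id=1001,8645,tokenA,1253291697; Path=/; Max-Age=86400
GET /ecommerce/checkout.tcl HTTP/1.1
Cookie: ad_session_id=1001,8645,tokenA,1253291697; ad_session_id=1002,0,tokenB,1253291600
Set-Cookie: ad_session_id=1003,0,tokenC,1253291978; Path=/; Max-Age=86400
"""
```

Calling `audit(CAPTURE)` on the sample reports the duplicate cookie on line 4 and the re-issue with user_id 0 on line 5, both under /ecommerce/checkout.tcl.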