Cookie not renewing/overwriting in IE


Problem description


I have a weird quirk with cookies in IE. When a user logs into the site, I'm generating a new session id and hence need to overwrite the cookie. The flow is basically:

  1. Client goes to https://secure.example.com/users/login page, automatically receiving a session id
  2. Client POSTs login credentials to same address
  3. Client receives the following set-cookie headers together with a 302 redirect to https://secure.example.com/users/mypage:

    CAKEPHP=deleted; expires=Sun, 05-Apr-2009 04:50:35 GMT; path=/
    CAKEPHP=98hnIO23...; expires=Mon, 12 Apr 2010 04:50:36 GMT; path=/; secure

  4. Client is supposed to visit https://secure.example.com/users/mypage, presenting the new session id.

This works in all browsers, except IE (tested in 7 & 8). IE retains the old, unauthenticated session id, and is redirected back to the login page. It works on my local test environment (using a self-signed certificate at https://localhost:8443/...), but not on the live server.

I'm using CakePHP and simply issue a $this->Session->renew(), which produces the above cookie headers.

Any ideas how to get IE to accept the new cookie?


Here's the complete header:

HTTP/1.0 302 Moved Temporarily
Date: Thu, 08 Apr 2010 02:54:30 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=deleted; expires=Wed, 08-Apr-2009 02:54:30 GMT; path=/
Set-Cookie: CAKEPHP=d55c...; expires=Thu, 15 Apr 2010 02:54:31 GMT; path=/; secure
Last-Modified: Thu, 08 Apr 2010 02:54:30 GMT
Location: https://secure.example.com/users/mypage
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8

I think I have found the problem: IE is sending two cookies of identical name. Here's the next request to the server:

GET /users/mypage HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-silverlight, */*
Referer: https://secure.example.com/users/login
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322)
Accept-Encoding: gzip, deflate
Host: secure.example.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CAKEPHP=19c6...; CAKEPHP=d55c...

Notice that it sends two cookies, the one it received after logging in, but also the old one. It received the old one at the main page example.com, set with path=/. It's also sending it for requests to secure.example.com. It doesn't get replaced by the above header, instead it adds it as additional cookie. How can I stop it from doing that?

Solution

Make sure the cookies are emitted for your base domain.

That's v. likely the problem, since this behavior certainly varies in different browsers.

I haven't done it in cakephp, but this should work
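
Added example (Python; not code from the question or the answer, and not CakePHP's own): a constructed model of the cookie store showing why the renewed `CAKEPHP` cookie lands beside the old one instead of replacing it, and how scoping both cookies to the base domain fixes that. The helper names and the shortened values `19c6` and `d55c` are assumptions made for the illustration; the IE behaviour of sending the example.com cookie to secure.example.com is taken from the question.

```python
# Constructed model of a browser cookie store; not CakePHP or browser code.
# A stored cookie is identified by (name, domain, path), so a Set-Cookie only
# replaces or deletes an entry whose three fields all match.

def set_cookie(jar, request_host, name, value, domain=None, path="/", expired=False):
    """Apply one Set-Cookie header received from request_host to the jar."""
    key = (name, (domain or request_host).lstrip("."), path)
    if expired:
        jar.pop(key, None)  # an expiry in the past removes only the matching entry
    else:
        jar[key] = value

def cookie_header(jar, request_host):
    """Build the Cookie header for request_host.

    Assumption taken from the question: a cookie stored for example.com is
    also sent to secure.example.com (the behaviour observed in IE 7/8).
    """
    pairs = [f"{name}={value}" for (name, domain, _), value in jar.items()
             if request_host == domain or request_host.endswith("." + domain)]
    return "; ".join(pairs)

def duplicate_names(header):
    """Server-side check: cookie names that occur more than once in a request."""
    names = [p.split("=", 1)[0].strip() for p in header.split(";") if p.strip()]
    return sorted({n for n in names if names.count(n) > 1})

def login_flow(cookie_domain=None):
    """Replay the flow from the question; values are shortened placeholders."""
    jar = {}
    # Anonymous session id handed out on the main page.
    set_cookie(jar, "example.com", "CAKEPHP", "19c6", domain=cookie_domain)
    # Login response: delete the old id, then set the renewed one.
    set_cookie(jar, "secure.example.com", "CAKEPHP", "deleted",
               domain=cookie_domain, expired=True)
    set_cookie(jar, "secure.example.com", "CAKEPHP", "d55c", domain=cookie_domain)
    return cookie_header(jar, "secure.example.com")

if __name__ == "__main__":
    broken = login_flow()                            # each host scopes the cookie to itself
    fixed = login_flow(cookie_domain="example.com")  # both hosts use the base domain
    print(broken, duplicate_names(broken))
    print(fixed, duplicate_names(fixed))
```

A request carrying the session cookie name twice is worth logging on the server, because the application cannot tell which value the browser treats as current and may keep reading the pre-login session id.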
