Re: Cookie Cached problem

From: SECOVEL (secovel)
Date: 01/06/04


Date: Tue, 6 Jan 2004 09:25:17 -0500

David,

All the pages DO use the same cookie. In fact the cookie is read/written by
code in an included file, so it should be exactly the same. The only
difference that I'm aware of is that the cached page is in a virtual
directory, and all the other pages are in physical directories.
LastAccessed is stored in the CCISESSION cookie. I am doing a
Response.AppendToLog to write out the value of LastAccessed on each page.
Here is a chunk from my log file:

In the first section the user logs in and hits some pages then logs out. He
then waits about 3 min.

#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2004-01-05 15:01:55
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem
cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie)
cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes
time-taken
2004-01-05 17:48:42 W3SVC1355964318 WEBDEV2003 192.168.120.11 GET
/producers/default.asp - 443 - 192.168.120.1 HTTP/1.1
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
SaneID=192.168.120.1-9550143590845 http://webdev2003/Producer/ webdev2003sec
200 0 0 281 429 0
2004-01-05 17:48:42 W3SVC1355964318 WEBDEV2003 192.168.120.11 GET
/formslogin.asp /producers/default.asp 443 - 192.168.120.1 HTTP/1.1
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
SaneID=192.168.120.1-9550143590845 - webdev2003sec 200 0 0 25558 407 15
2004-01-05 17:48:47 W3SVC1355964318 WEBDEV2003 192.168.120.11 POST
/formslogin.asp /producers/default.asp 443 - 192.168.120.1 HTTP/1.1
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
SaneID=192.168.120.1-9550143590845
https://webdev2003sec/formslogin.asp?/producers/default.asp webdev2003sec
302 0 0 586 694 140
2004-01-05 17:48:47 W3SVC1355964318 WEBDEV2003 192.168.120.11 GET
/redirect.asp /producers/default.aspLastAccess:1/5/2004+12:48:47+PM 443
seanagent 192.168.120.1 HTTP/1.1
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
SaneID=192.168.120.1-9550143590845;+CCISESSION=USERNAME=seanagent&CT=Produce
rs&DATA=qWJZRb6dgpHaw07AO6o3bQVrrX9THnT4iKMBSIXqSMwYvO04mABP5z9B24vxXO6ceDxW
tzFOakHDa77qqw1Y29vi%2F%2FExs2DXgw%7E%7E
https://webdev2003sec/formslogin.asp?/producers/default.asp webdev2003sec
302 0 0 558 658 78
2004-01-05 17:48:47 W3SVC1355964318 WEBDEV2003 192.168.120.11 GET
/producers/default.asp LastAccess:1/5/2004+12:48:47+PM 443 seanagent
192.168.120.1 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
SaneID=192.168.120.1-9550143590845;+CCISESSION=USERNAME=seanagent&CT=Produce
rs&DATA=qWJZRb6dgpHaw07AO6o3bQVrrX9THnT4iKMBSIXqSMwYvO04mABP5z9B24vxXO6ceDxW
tzFOakHDa77qqw1Y29vi%2F%2FExs2DXgw%7E%7E
https://webdev2003sec/formslogin.asp?/producers/default.asp webdev2003sec
200 0 0 37740 644 78
2004-01-05 17:48:49 W3SVC1355964318 WEBDEV2003 192.168.120.11 GET
/producers/default.asp LastAccess:1/5/2004+12:48:47+PM 443 seanagent
192.168.120.1 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
SaneID=192.168.120.1-9550143590845;+CCISESSION=USERNAME=seanagent&CT=Produce
rs&DATA=qWJZRb6dgpHaw07AO6o3bQVrrX9THnT4iKMBSIXqSMwYvO04mABP5z9B24vxXO6ceDxW
tzFOakHDa77qqw1Y29vi%2F%2FExs2DXgw%7E%7E
https://webdev2003sec/producers/default.asp webdev2003sec 200 0 0 37740 603
62
2004-01-05 17:48:51 W3SVC1355964318 WEBDEV2003 192.168.120.11 GET
/producers/messages/MailListUser.asp
Role=ProducerLastAccess:1/5/2004+12:48:50+PM 443 seanagent 192.168.120.1
HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
SaneID=192.168.120.1-9550143590845;+CCISESSION=USERNAME=seanagent&CT=Produce
rs&DATA=qWJZRb6dgpHaw07AO6o3bAJrrX9THnT4iKMBSIXqSMwYvO04mABP5z9B24vxXO6ceDxW
tzFOakHDa77qqw1Y29vi%2F%2FExs2DXgw%7E%7E
https://webdev2003sec/producers/myprofile.asp webdev2003sec 200 0 0 25987
633 140
2004-01-05 17:48:51 W3SVC1355964318 WEBDEV2003 192.168.120.11 GET
/producers/MyAccounts.asp LastAccess:1/5/2004+12:48:50+PM 443 seanagent
192.168.120.1 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
SaneID=192.168.120.1-9550143590845;+CCISESSION=USERNAME=seanagent&CT=Produce
rs&DATA=qWJZRb6dgpHaw07AO6o3bAJrrX9THnT4iKMBSIXqSMwYvO04mABP5z9B24vxXO6ceDxW
tzFOakHDa77qqw1Y29vi%2F%2FExs2DXgw%7E%7E
https://webdev2003sec/producers/messages/MailListUser.asp?Role=Producer
webdev2003sec 200 0 0 24754 634 78

In the second section the user logs back in and hits the default page, then
hits the xxx.asp page (MailListUser.asp). You see the old "LastAccess"
date. He then goes back to the default page (new LastAccessed date) and then
back to MailListUser.asp and you see the new date. VERY strange. VERY
bad!!!

2004-01-05 17:52:19 W3SVC1355964318 WEBDEV2003 192.168.120.11 GET
/producers/default.asp - 443 - 192.168.120.1 HTTP/1.1
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
SaneID=192.168.120.1-9550143590845
http://webdev2003/GlobalFiles/SignOffMsg.asp webdev2003sec 200 0 0 281 446 0
2004-01-05 17:52:19 W3SVC1355964318 WEBDEV2003 192.168.120.11 GET
/formslogin.asp /producers/default.asp 443 - 192.168.120.1 HTTP/1.1
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
SaneID=192.168.120.1-9550143590845 - webdev2003sec 200 0 0 25558 407 0
2004-01-05 17:52:25 W3SVC1355964318 WEBDEV2003 192.168.120.11 POST
/formslogin.asp /producers/default.asp 443 - 192.168.120.1 HTTP/1.1
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
SaneID=192.168.120.1-9550143590845
https://webdev2003sec/formslogin.asp?/producers/default.asp webdev2003sec
302 0 0 586 694 140
2004-01-05 17:52:25 W3SVC1355964318 WEBDEV2003 192.168.120.11 GET
/redirect.asp /producers/default.aspLastAccess:1/5/2004+12:52:25+PM 443
seanagent 192.168.120.1 HTTP/1.1
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
SaneID=192.168.120.1-9550143590845;+CCISESSION=USERNAME=seanagent&CT=Produce
rs&DATA=qWJZRb6dgpHaw07AOqA3awdrrX9THnT4iKMBSIXqSMwYvO04mABP5z9B24vxXO6ceDxW
tzFOakHDa77qqw1Y29vi%2F%2FExs2DXgw%7E%7E
https://webdev2003sec/formslogin.asp?/producers/default.asp webdev2003sec
302 0 0 558 658 78
2004-01-05 17:52:25 W3SVC1355964318 WEBDEV2003 192.168.120.11 GET
/producers/default.asp LastAccess:1/5/2004+12:52:25+PM 443 seanagent
192.168.120.1 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
SaneID=192.168.120.1-9550143590845;+CCISESSION=USERNAME=seanagent&CT=Produce
rs&DATA=qWJZRb6dgpHaw07AOqA3awdrrX9THnT4iKMBSIXqSMwYvO04mABP5z9B24vxXO6ceDxW
tzFOakHDa77qqw1Y29vi%2F%2FExs2DXgw%7E%7E
https://webdev2003sec/formslogin.asp?/producers/default.asp webdev2003sec
200 0 0 37740 644 93
2004-01-05 17:52:27 W3SVC1355964318 WEBDEV2003 192.168.120.11 GET
/producers/messages/MailListUser.asp
Role=ProducerLastAccess:1/5/2004+12:48:51+PMAUOFunctions:AUOIsLoggedOn+++ERR
OR>>>Logging+User+Out:1/5/2004+12:48:51+PM+:+1/5/2004+12:51:51+PM+:+1/5/2004
+12:52:27+PM+:+3 443 seanagent 192.168.120.1 HTTP/1.1
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
CCISESSION=USERNAME=seanagent&CT=Producers&DATA=qWJZRb6dgpHaw07AO6o3bANrrX9T
HnT4iKMBSIXqSMwYvO04mABP5z9B24vxXO6ceDxWtzFOakHDa77qqw1Y29vi%2F%2FExs2DXgw%7
E%7E;+SaneID=192.168.120.1-9550143590845;+CCISESSION=USERNAME=seanagent&CT=P
roducers&DATA=qWJZRb6dgpHaw07AOqA3awdrrX9THnT4iKMBSIXqSMwYvO04mABP5z9B24vxXO
6ceDxWtzFOakHDa77qqw1Y29vi%2F%2FExs2DXgw%7E%7E
https://webdev2003sec/producers/default.asp webdev2003sec 302 0 0 600 789 15
2004-01-05 17:52:27 W3SVC1355964318 WEBDEV2003 192.168.120.11 GET
/formslogin.asp
/producers/messages/MailListUser.asp?Role=ProducerLastAccess:1/5/2004+12:52:
25+PM 443 seanagent 192.168.120.1 HTTP/1.1
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
SaneID=192.168.120.1-9550143590845;+CCISESSION=USERNAME=seanagent&CT=Produce
rs&DATA=qWJZRb6dgpHaw07AOqA3awdrrX9THnT4iKMBSIXqSMwYvO04mABP5z9B24vxXO6ceDxW
tzFOakHDa77qqw1Y29vi%2F%2FExs2DXgw%7E%7E
https://webdev2003sec/producers/default.asp webdev2003sec 200 0 0 25792 647
46
2004-01-05 17:52:30 W3SVC1355964318 WEBDEV2003 192.168.120.11 GET
/producers/messages/MailListUser.asp
Role=producerLastAccess:1/5/2004+12:52:27+PM 443 seanagent 192.168.120.1
HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
SaneID=192.168.120.1-9550143590845;+CCISESSION=USERNAME=seanagent&CT=Produce
rs&DATA=qWJZRb6dgpHaw07AOqA3awVrrX9THnT4iKMBSIXqSMwYvO04mABP5z9B24vxXO6ceDxW
tzFOakHDa77qqw1Y29vi%2F%2FExs2DXgw%7E%7E
https://webdev2003sec/formslogin.asp?/producers/messages/MailListUser.asp?Role=Producer
webdev2003sec 200 0 0 27289 675 78

Any thoughts?

"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:OAMJcZB1DHA.4032@tk2msftngp13.phx.gbl...
> Are all the ASP pages/directories using the same session cookie? It sounds
> like they are not, so while you expired one of them, you didn't expire the
> other.
>
> --
> //David
> IIS
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
> "SECOVEL" <secovel at yahoo dot com> wrote in message
> news:ON0IMD90DHA.3656@TK2MSFTNGP11.phx.gbl...
> I'm running IIS 6 on Windows 2003 Server. I have an ASP app that issues
> cookies for authentication. After a user logs out, waits awhile (about 3
> min) and logs back in, 1 particular page (xxx.asp) is still using the old
> (deleted!) cookie. I have a "Last Accessed" field in the cookie, and I can
> see the new cookie (from logging in) in the IIS Logs for some pages, and then
> when I go to xxx.asp, I see the old "last accessed" value. If I hit
> refresh, it then updates the page, and I see the new cookie value. The
> cookie is not persistent, and has security = true. The connection is HTTPS.
>
> xxx.asp is in a virtual directory. The path is like this:
>
> Adir
> Bdir
> Cdir/Adir/xxx.asp
> Ddir
>
> All the directories (including the virtual) seem to have the same settings.
> I've tried adding code to xxx.asp to stop the caching:
>
> Response.CacheControl = "no-cache"
> Response.Expires = -1
>
> HELP!
>
> Sean
>
>
>
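
In the log excerpt above, the 17:52:27 request for MailListUser.asp carries two CCISESSION values in cs(Cookie), with the stale one listed first. As an added example (not part of the original thread), this Python script scans a W3C-format IIS log for requests that send one cookie name with conflicting values; the log lines, the reduced #Fields list and the cookie values are constructed for illustration.

```python
# Added example: flag IIS/W3C log requests whose cs(Cookie) field repeats a
# cookie name with different values. SAMPLE_LOG is constructed, not real data.
from collections import defaultdict

SAMPLE_LOG = """\
#Fields: date time cs-uri-stem cs-username cs(Cookie) sc-status
2004-01-05 17:52:25 /producers/default.asp user1 SaneID=abc;+CCISESSION=USERNAME=user1&DATA=NEWVALUE 200
2004-01-05 17:52:27 /producers/messages/MailListUser.asp user1 CCISESSION=USERNAME=user1&DATA=OLDVALUE;+SaneID=abc;+CCISESSION=USERNAME=user1&DATA=NEWVALUE 302
"""

def parse_cookie_field(field):
    """Split an IIS-logged Cookie header into (name, value) pairs.

    IIS writes spaces as '+', so the '; ' separator appears as ';+'.
    Only the first '=' separates name from value, so ASP dictionary
    cookies (USERNAME=..&DATA=..) keep their inner '=' signs.
    """
    if field == "-":          # IIS logs '-' when no Cookie header was sent
        return []
    pairs = []
    for part in field.replace(";+", ";").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            pairs.append((name, value))
    return pairs

def find_conflicting_cookies(log_text):
    """Return (date, time, uri, cookie_name, values) for each conflict."""
    findings, fields = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for following rows
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        seen = defaultdict(list)           # cookie name -> distinct values, in order
        for name, value in parse_cookie_field(row.get("cs(Cookie)", "-")):
            if value not in seen[name]:
                seen[name].append(value)
        for name, values in seen.items():
            if len(values) > 1:
                findings.append((row["date"], row["time"],
                                 row["cs-uri-stem"], name, values))
    return findings

if __name__ == "__main__":
    for finding in find_conflicting_cookies(SAMPLE_LOG):
        print(finding)
```

A browser sends two cookies of the same name only when they were stored with different Path or Domain attributes, so a finding points at a place where the cookie is written or deleted with a different scope.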


