HTTP Cookies Experts? Please look inside...

[smith288]

as do you

[John Robinson]

As do you...

And for everybody else,

I'm now setting both .freerepublic.com and www.freerepublic.com and people are still not expiring cookies. Hrumpf!

[Tony in Hawaii]

I'm using Mozilla 1.0, and it asked if I wanted to allow a new cookie when I logged on to FR this morning. I said yes, and everything seems fine.

[Sungirl]

BUMP.

[John Robinson]

Summary of findings.

Mr. Smith and I baked dozens of cookies yesterday. The MSIE 6.x were all tasty. Unfortunately, the Netscape 4.78 cookies left a bitter taste in our mouths.

Netscape cookies are required to contain at least two dots in the domain field, if a domain is given. The convention is to use, for example, .freerepublic.com (note the leading dot.) This works fine for http://www.freerepublic.com and http://beta.freerepublic.com. The problem url is http://freerepublic.com which contains just one dot. Netscape refuses to set a cookie, any cookie, for the single dot url if the cookie's domain field is set within the cookie. The double dot .freerepublic.com cookie domain field does not work, I assume, because .freerepublic.com is not a substring of freerepublic.com. Since Netscape refuses to set cookies with just a single dot in the cookie domain field, http://freerepublic.com will not work if the cookie domain is specified. However, it WILL work if the cookie domain field is not specific and allowed to default. Unfortunately, such cookies do not match the other variants of URLs (http://www.freerepublic.com nor http://beta.freerepublic.com)

Ergo, our finding, it's screwed.

The possible solutions are many. Smith and I discussed redirecting. Redirecting may have a snag, as the only HTTP request method eligible for redirection is GET (redirecting of POST is probably not well supported, and redirecting of HEAD will not have the desired effect--I don't think. However, it has been a long time since I've read the HTTP specs.) Though in reality, this may be inconsequential.

Another solution is to discontinue web serving on http://freerepublic.com as most web browsers will prepend www. to the URL if the www-less variant fails to connect to a web server. My only concern is of the thousands of www-less URLs that exist and the browsers and web spiders that will not hunt down the www version.

A final solution is to explicitly set a BASE HREF="http://www.freerepublic.com/etc" in all documents generated.

Though, these solutions only affect the one issue of not being able to use the generic .freerepublic.com (double dot) cookie domain. I still have other unresolved HTTP cookie issues, such as not being able to clear cookies, and getting requests with cookies that Free Republic never set (and being unable to unset them.)

[John Robinson]

On a side note, we discovered an MSIE 6 quirk when setting cookies with the security preferences sufficiently elevated, the cookie is set for only the one browser window which handled the request. This was discovered by opening two MSIE 6.x browser windows, A and B, to the same URL, baking a cookie in one window and checking for it in the other.

Smith determined that by lowering the browser's security preferences (to medium?) both windows would take the cookie. The odd behavior was due to our paranoid settings. We didn't investigate further, as the bitter taste of Netscape cookie was about to bite.

[John Robinson]

If Internet Explorer 6 users have difficulty with your website, it is because of IE6's new privacy feature which blocks cookies for websites without a P3P policy.
http://p3pedit.com/

I downloaded IBM's P3P editor to crank out a P3P. Wish me luck-- this stuff is ugly.

[smith288]

uh oh..haha.

Good luck my friend!

[Ernest_at_the_Beach]

Good luck John.

Could you put up a thread on your plans on the Bump List Register so we can have a dialogue on that.

I don't think the Keywords as currently implemented allows the ease of use facilities that the bump register allows.