#8 ✓resolved
Austin France

Cookies not being set when Location: redirect is used

Reported by Austin France | July 10th, 2009 @ 05:37 PM

I have an IIS web application I am using ASIHTTPRequest to access. It loads a page which tries to authenticate. It does this by setting a session variable then redirecting to a login page. The login page however is being run in a separate session from that of the initial page, and so does not see the session variable.

Example ASP code (test.asp):

<%@language="VBScript"%><%
    Session("Test") = "Test"
    Response.Redirect "result.asp"
%>

(result.asp)

<%@language="VBScript"%>
    <p>Test = [<%=Session("Test")%>]</p>
%>

Trace of the HTTP requests:

GET test.asp HTTP/1.1
Host: infodemo.internal.redskyit.com
User-Agent: Redsky%20Client/1.0 CFNetwork/445.6 Darwin/9.7.0
Accept-Encoding: gzip
Connection: close

HTTP/1.1 302 Object moved
Server: Microsoft-IIS/5.1
Date: Fri, 10 Jul 2009 16:29:34 GMT
Connection: close
Location: result.asp
Content-Length: 121
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQAQQTQQR=PPHFPNMAFINOINAMGIADNGIE; path=/
Cache-control: private

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="">here</a>.</body>

GET result.asp HTTP/1.1
Host: infodemo.internal.redskyit.com
User-Agent: Redsky%20Client/1.0 CFNetwork/445.6 Darwin/9.7.0
Accept-Encoding: gzip
Connection: close

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.1
Date: Fri, 10 Jul 2009 16:29:34 GMT
Connection: close
Content-Length: 22
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQAQQTQQR=AAIFPNMAONCPPBDFFIMMKFBC; path=/
Cache-control: private

    <p>Test = []</p>

The trace shows that along with the response to the 301 object moved the session cookie is set. However this appears to have been ignore, and the subsequent request does not include the session cookie, so the redirected request generates a new session and sets a new session cookie. The result is that the redirected page cannot see the session of the first page.

Not sure if this is a CFNetwork issue or an ASIHTTPRequest issue as I don't know which is handling the redirect.

Comments and changes to this ticket

  • Ben Copsey

    Ben Copsey July 13th, 2009 @ 09:40 AM

    Hi Austin

    30x redirects are currently handled automatically by CFNetwork (using kCFStreamPropertyHTTPShouldAutoredirect), but it looks like it's re-using the old headers.

    I'll experiment to see if I can get it to update the headers, otherwise I'll need to handle redirection manually. :(

  • Austin France

    Austin France July 13th, 2009 @ 11:15 AM

    Hi Ben

    Thanks for the update and any efforts to resolve. I do have a couple of workarounds I can use so it's not a major issue for me (at least I don't think it is at this point). I will post here incase anyone finds them useful.

    This issue only arises when this initial page (which starts a session) does a redirect, once the session cookie has been set, it can redirect all it wants.

    My initial workaround has been to pass the redirect URL as part of the query string of my redirect, so equivalent to rewriting the test case above

    <%@language="VBScript"%><%
        Response.Redirect "result.asp?Test=Test"
    %>
    

    Result.asp:

    <%@language="VBScript"%>

    &lt;p&gt;Test = [&lt;%=Request.QueryString(&quot;Test&quot;)%&gt;]&lt;/p&gt;
    
    
    
    
    %>

    Another option for me would be to get my client to handle the initial redirect, something akin to

    <%@language="VBScript"%><%
        Session("logon_redirect") = Request.ServerVariables("SCRIPT_NAME")
        %><Redirect>result.asp</Redirect><%
    %>
    

    Result.asp:

    <%@language="VBScript"%>

    &lt;p&gt;Test = [&lt;%=Session(&quot;Test&quot;)%&gt;]&lt;/p&gt;
    
    
    
    
    %>
  • Austin France

    Austin France July 13th, 2009 @ 11:18 AM

    Sorry, that last example should be:

    <%@language="VBScript"%><%
        Session("Test") = "Test"
        %><Redirect>result.asp</Redirect><%
    %>
    

    Result.asp:

    <%@language="VBScript"%>

    &lt;p&gt;Test = [&lt;%=Session(&quot;Test&quot;)%&gt;]&lt;/p&gt;
    
    
    
    
    %>
  • Ben Copsey

    Ben Copsey July 13th, 2009 @ 12:19 PM

    Hi Austin

    There's a new version on GitHub that handles 30x redirection in the class rather than letting CFNetwork do it, this should apply the cookies from the initial response to the second (redirected) request. I'd be grateful if you could give it a try and let me know if it works for you.

    I guess this will generally only ever be a problem if you don't have a session cookie already, but I'd imagine a lot of apps using session-based authentication will authenticate in their very first request, so this change is certainly worthwhile.

    Thanks for pointing this out!

    Ben

  • Austin France

    Austin France July 13th, 2009 @ 02:06 PM

    Thanks Ben

    I have built the latest version into my client and swithed back to using session cookies to communicate across the initial redirect and I am pleased to report it is now working perfectly.

    Thank you very much for the speedy fix.

  • Ben Copsey

    Ben Copsey July 13th, 2009 @ 02:12 PM

    • State changed from “new” to “resolved”

    Awesome. Thanks again!

Please Sign in or create a free account to add a new ticket.

With your very own profile, you can contribute to projects, track your activity, watch tickets, receive and update tickets through your email and much more.

New-ticket Create new ticket

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile ยป

Easy to use CFNetwork wrapper for HTTP requests, Objective-C, Mac OS X and iPhone

People watching this ticket

Referenced by

Pages