ASP.NET 4 fails to set cookies for IE10… because it thinks it’s IE-1 ! (But there’s a hotfix)

We were seeing something odd when testers would browse to certain test servers using IE10.  The user would log in, but then a redirect would fail to happen, and the user would get kicked back to the login screen.
I tested it using IE10 on a Windows 8 virtual machine, and also tried it on my Win 7 dev machine with the IE10 preview.  Both failed in the same way.
I looked at the web traffic on the client side using Fiddler.  (What a great program!  But I just noticed, via a message that appears in the upgraded Fiddler, that they have “joined the Telerik family”.  Interesting.  They say they’re going to keep it free… fingers crossed that remains true!)
Anyway I tried hitting the test site with IE10, and then I tried it with Chrome on Windows 8; then I also tried IE 8, running on my Win 7 dev machine.  Here’s what I saw when I looked at the “Raw” view for the 302 redirect event.  The problematic string is shown in red.  It seemed to be stuffing some long encrypted string in front of the redirect URL.
IE10:
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Location: /(F(kxQ3Uf_87HS8e2KvJfipg5YpF8JFVG_vsAxGsIUUfvbIUfO2RkMTP7CmV_trwq5MY82TAW0sAcH5QsrNQJq7p_jpw-6_hGf1O99FzJlleWc1))/PassiveTokenServiceHandler.ashx?wtrealm=http://ourclientweb.ourclientst1.local:8882/default.aspx&realmkey=OurClientRealm
Server: Microsoft-IIS/7.0
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 14 Nov 2012 09:42:10 GMT
Content-Length: 356
IE8 on Windows 7:
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Location: /PassiveTokenServiceHandler.ashx?wtrealm=http://ourclientweb.ourclientst1.local:8882/default.aspx&realmkey=OurClientRealm
Server: Microsoft-IIS/7.0
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
Set-Cookie: Form_Login=145038F0A77F3C43361B30B984054913A627A7EA3AB8AA24D54F091AB7FC71ECD069AE685B32A0E1A8943F518B97974EE1D4FE2BAEBD8071A6564B6E34B179EEEE29A85F954CA3A47586782FE4A79A4D; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 14 Nov 2012 10:46:00 GMT
Content-Length: 240
Chrome on Windows 8 (desktop):



HTTP/1.1 302 Found
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Location: /PassiveTokenServiceHandler.ashx?wtrealm=http://ourclientweb.ourclientst1.local:8882/default.aspx&realmkey=OurClientRealm
Server: Microsoft-IIS/7.0
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
Set-Cookie: Form_Login=CE02CF980D5FBE5601C57C420BE71FD03205758EE5FF2736D1DAE201A736C18B02AE52AA6EE02AB5F28670406DF981AEA230A5AABE5BA9B7006F211F5FF43B4B412EF69100F0ECE1FD9AFF05A6A6837A; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 14 Nov 2012 09:55:10 GMT
Content-Length: 240


Notice any difference, besides the fact that the Location value has the garbage string stuffed into it?  Turns out the “Set-Cookie” isn’t there.  We found this post on Stack Overflow, which looked a lot like our problem; also this post on Stack Overflow and ultimately this MS blog post.

The bottom line is, if your site is using user agent sniffing, then it will think that your IE10 client is IE1!  Notice from this Wikipedia history of Internet Explorer that cookie support didn’t come in until IE2.  That explains why in the Fiddler data above, there’s no “Set-Cookie”.

We installed the hotfix on our test servers, re-booted, and the problem went away.  You can find the hotfix here.

Reminds me somehow of the Y2K bugOpen-mouthed smile

Comments

Post a Comment

Popular posts from this blog

Parsing MSTEST results (.trx files) programmatically (in C#)

  Hello, it’s been quite awhile since I’ve posted anything; I’ve been quite busy.  I just felt like sharing this.  This is an extension of other people’s ideas, but I’ve taken it slightly further and thought it might be useful to somebody. I came across a situation where I needed to programmatically examine a .trx file for specific strings.  The .trx file was large (31MB) because it contained the output of around 5000 unit tests.  Around 800 of those tests were failed tests, and they were failing for a specific reason (which is not important now).  The point is, I wanted to programmatically examine the error messages that were being output, and do something (which is also not important now), based on certain strings that might be found in the error message of each failed test. Searching led me to this post in Rasheed’s blog , which was a great starting point for what I wanted to do.  As described in that post, first I had to: Use XSD.EXE (see MSDN here ) to generate classes bas
Read more

The description for Event ID ( 3 ) in Source ( TFSShellExt ) cannot be found.

So I’ve been on a few projects for my employer Hitachi Consulting UK .  For one of them, the client was maintaining the TFS server.  At some point I finished my work on that project and moved on to other projects.  But for some reason I couldn’t get rid of the reference to the TFS server.  Visual Studio kept trying to connect to it when I would launch Visual Studio 2010, and it was failing to connect because I was no longer authorized to hit that URL, because I’m no longer on the project.  This would lead to errors in the Windows Application log that looked like the one described in this post . I tried to clear the cache (by deleting the cache folder) as described in the aforementioned post, and also here .  But every time I tried to delete it the cache folder kept coming back.  It seems to have something to do with TFS Power Tools. In the end what solved it for me was deleting the Cache folder, running Task Manager, killing the two processes “TfsComProviderSvr.exe”, then re-bootin
Read more

Request.Browser.IsMobileDevice

It's known that the .Net framework's "Request.Browser.IsMobileDevice" is not entirely reliable in all cases as evidenced by the fact that our MVC2 site wasn't correctly detecting Android as a mobile, and as evidenced by some hits you can see in this search: http://www.bing.com/search?q=request.browser.ismobiledevice&src=IE-SearchBox&FORM=IE8SRC If we really want reliable mobile detection we need to incorporate the WURFL database (a giant XML file of every mobile device - see http://wurfl.sourceforge.net/ ) and from what I’ve seen, the preferred implementation of this for .Net appears to be “51degrees.mobi” … http://51degrees.codeplex.com/ On the MVC2 project I’ve been working on recently, I was using 51degrees.mobi in development; it seemed very effective, and you can do incredibly granular detection with it, but was a bit heavyweight for my particular project, the requirements of which were (in the case of mobile detection) simply to detect wheth
Read more