
Why would IE/Fiddler see different cookie setting/deletion from Chrome and FF/Live HTTP Headers?

I have a partly inherited web application in PHP and after poking around with Fiddler I have a little more data than before. The problem I'm trying to solve is unwanted logouts on IE6/8 but not FF/Chrome. If a user clicks between different pages, the login data cookies vanish.

The behavior is different in FF vs. IE, and the reported information is different in almost exactly the same way between Fiddler(/IE) and Live HTTP Headers(/FF).

In Firefox the cookies appear to be treated like the PHP specifies: they are created when the user logs in and checks "Remember me", and they are only deleted if the user visits the logout page, and they have a two week expiration date. Live HTTP Headers report nothing different: the cookies are never reported as being changed or deleted when the user clicks between pages.

But with IE, they disappear when the user clicks between different pages, and Fiddler reports:

Cookies / Login
    Set-Cookie: *******=deleted; expires=Sun, 29-Jun-2008 21:07:46 GMT; path=; domain=.********.com
    Set-Cookie: *******=deleted; expires=Sun, 29-Jun-2008 21:07:46 GMT; path=; domain=.********.com

('deleted' is literally quoted from Fiddler's output. I do not have any place in my code where either value is set to a magic string of 'deleted'.)

Not only do IE and Firefox have different interpretations of what the site is saying, but Fiddler and HTTP Live Headers report correspondingly different versions of what the site does.

Is there something special about IE and 'deleted'? This may sound strange, but does IE want cookies to be re-enabled with each page view or something like that?

And how can I appease IE to bless the cookies in question as not deleted by the server unless the user requests it by visiting the logout URL?

What I eventually found was as follows: Firefox and IE were behaving differently because they were treating caching differently when a missing document was within the 14 day Expires: headers that had been set.

Firefox was apparently checking once for missing data, and then not requesting it again.

IE, on the other hand, kept on checking for an item a stylesheet gave the wrong path for, got 404 pages, and the custom 404 page did a boilerplate invitation to log in that triggered the user being logged out (perhaps not the best boilerplate). I guess the stylesheet was cached, but IE kept on asking for items that were missing.

So it was caching differences plus indirect inclusion plus 404 page behavior.

I still don't know where "deleted" came from. (Does PHP supply the word "deleted" if you set a cookie string to an empty value?)

IE won't set a cookie if the host has an underscore in it, but that's not the problem here.

Fiddler doesn't "invent" anything-- if it says that it got an HTTP header setting the cookie to the value "deleted", that means that the server literally sent that.

You might want to take a look at whether or not you have any errant requests going out on the wire that are causing the server to delete the cookies. For instance, in another thread, someone noted that an IMG tag with a source of "" (empty string) would cause IE to send a request for the root of the site, and their homepage deleted the login cookies if visited.

IE6/7/8 currently have a limit of 50 cookies per host, but that's not what you're hitting here either.

Does the URL of the page in question have an underscore in it? I recall IE having problems with cookies from domain names which don't follow the domain name specification (RFC 1035, check section 2.3.1).

Also there are (where?) some limitations in IE regarding cookie size and number of cookies per domain. In IE6 I believe the limitation was a maximum size of all cookies per domain of 4095 bytes and 20 cookies per domain.

The problem might also arise if you use header-based redirection, where IE could lose track of the cookie.

Btw, the dates you provided in the two Set-Cookie directives: are they from an old log, or does the server really set a cookie with an expiry date in the past (which is the usual way to say "hey browser, delete this cookie as it already expired days ago")?
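
One way to run the check the answers above suggest (find which request on the wire carries the cookie-deleting `Set-Cookie`, recognisable by an expiry date in the past), as an added example that is not part of the original posts. The capture rows, paths, cookie names and domain are constructed placeholders; it also treats `Max-Age <= 0` as a deletion, which goes beyond the `expires` case shown on the page.

```python
import re
from datetime import datetime

# Constructed capture: (response time UTC, request URL, status, Set-Cookie values).
# Paths, cookie names and the domain are placeholders, not taken from the page.
CAPTURE = [
    ("2009-06-29 21:07:46", "/css/img/bg.png", 404, [
        "login_user=deleted; expires=Sun, 29-Jun-2008 21:07:46 GMT; path=/; domain=.example.com",
        "login_token=deleted; expires=Sun, 29-Jun-2008 21:07:46 GMT; path=/; domain=.example.com",
    ]),
    ("2009-06-29 21:08:02", "/login.php", 200, [
        "login_user=alice; expires=Mon, 13-Jul-2009 21:08:02 GMT; path=/; domain=.example.com",
    ]),
]
EXPIRES_FORMATS = ("%a, %d-%b-%Y %H:%M:%S GMT", "%a, %d %b %Y %H:%M:%S GMT")

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, lower-cased attribute dict)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {k.strip().lower(): v.strip()
             for k, _, v in (part.partition("=") for part in rest)}
    return name, value, attrs

def is_deletion(header, seen_at):
    """True when Max-Age <= 0 or Expires is not later than the response time."""
    attrs = parse_set_cookie(header)[2]
    if re.fullmatch(r"-?[0-9]+", attrs.get("max-age", "")):
        return int(attrs["max-age"]) <= 0  # Max-Age takes precedence over Expires
    for fmt in EXPIRES_FORMATS:
        try:
            return datetime.strptime(attrs.get("expires", ""), fmt) <= seen_at
        except ValueError:
            continue  # not this date format, or no Expires attribute at all
    return False

def find_cookie_deleters(capture):
    """Return (url, status, cookie names) for each response that deletes cookies."""
    hits = []
    for ts, url, status, headers in capture:
        seen_at = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        names = [parse_set_cookie(h)[0] for h in headers if is_deletion(h, seen_at)]
        if names:
            hits.append((url, status, names))
    return hits

if __name__ == "__main__":
    for url, status, names in find_cookie_deleters(CAPTURE):
        print(f"{status} {url} deletes: {', '.join(names)}")
```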
