Thursday, March 03, 2005

Be careful about server names (avoid underscores)

Helping out an old friend and former co-worker, we ran into an issue where he was unable to save anything in session state between requests in ASP.NET.

Well, we eventually figured out the issue - his server had an underscore in the name....;EN-US;316112

PRB: Session Variables Do Not Persist Between Requests After You Install Internet Explorer Security Patch MS01-055


After you install security patch MS01-055 for Microsoft Internet Explorer 5.5 or 6.0, you may encounter the following problems:
Session variables are lost.
Session state is not maintained between requests.
Cookies are not set on the client system.
Note These problems can also occur after you install a more recent patch that includes the fix that is provided in security patch MS01-055.


Security patch MS01-055 prevents servers with improper name syntax from setting cookies names. Domains that use cookies must use only alphanumeric characters ("-" or ".") in the domain name and the server name. Internet Explorer blocks cookies from a server if the server name contains other characters, such as an underscore character ("_").

Because ASP session state and session variables rely on cookies to function, ASP cannot maintain session state between requests if cookies cannot be set on the client.

This issue can also be caused by an incorrect name syntax in a host header.
I guess you do learn something new everyday.
This took a long time to figure out. It wasn't until he noticed that using numeric IP's worked that he found this article.
He installed the 1.0 .NET framework on the Windows 2003 Server, so I assumed it was related to that. But the issue occurred under both the 1.0 and 1.1 runtime.

For now, he is going to use cookieless=true session state to get around this issue until the servername can be changed.

No comments: