Random loss of sessions in ASP.NET
We recently had a problem with our website where people would call us up and say that their shopping cart kept on randomly emptying itself as they were just about to buy something. We couldn’t replicate this problem on our computers, so we assumed it might be their firewall or anti-virus software cycling through and periodically deleting our cookies.
The other day I realised that our site was setting a separate cookie for each product page a user viewed. This seemed odd, so I investigated further and found out that there is a hard-coded limit in Internet Explorer that sets a maximum number of cookies from any one domain at 20. Thus by trying to add 20 distinct products into my shopping basket I finally managed to replicate the problem.
All internet browsers appear to have a hard-coded limit - according to Wikipedia:
Relevant count of maximum stored cookies for the major browsers are
Firefox 1.5: 50
Firefox 2.0: 50
Opera 9: 30
Internet Explorer 6: 20
Internet Explorer 7: 20
These restrictions are based on RFC 2109, which recommends “at least 20 cookies per unique host or domain name”, and also recommends “cookie support should have no fixed limits”. From this perspective even Firefox’s limit seems restrictive, let alone Internet Explorer’s.
Anyway, setting a cookie for each individual product page is clearly not the best way to handle things. However, I think this is a symptom of a lack of joined-up thinking from the Microsoft Corporation. To quote from a Microsoft KnowledgeBase article:
“If a Web application uses more than 19 custom cookies, ASP session state may be lost. Internet Explorer 4.0 and later versions allow a total of 20 cookies for each domain. Because ASPSessionID is a cookie, if you use 20 or more custom cookies, the browser is forced to discard the ASPSessionID cookie and lose the session.” source
I may well be wrong in assuming this, but surely only one or two ASPSessionID cookies will be set by any one domain at any one time. If this is indeed the case, surely the Microsoft ASP developers would be able to communicate with the IE developers in the same company and ensure that the session state cookie had priority over other cookies when it comes to automatic deletion of cookies beyond the user’s control or knowledge.
The RFC mentioned above states that applications “should cope gracefully with the loss of a cookie” - Internet Explorer’s automatic deletion does not seem to comply with this as far as I can see.
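To make the failure concrete, here is a small simulation (added here, not code from the original post or from Microsoft) of a browser jar with a per-domain cap of 20: the "one cookie per product page" pattern pushes the session cookie out once the 20th product is viewed, while keeping the same data in a single cookie never threatens it. Oldest-first eviction and the cookie names and values are assumptions for the example; the post only says the browser "is forced to discard" the session cookie.

```python
from collections import OrderedDict

IE_MAX_COOKIES_PER_DOMAIN = 20       # limit quoted in the post for IE 6/7
SESSION_COOKIE = "ASP.NET_SessionId"  # ASP.NET's default session cookie name
SESSION_VALUE = "constructed-session-id"  # constructed sample value


class CookieJar:
    """Per-domain jar that evicts the oldest cookie once the cap is reached
    (eviction order is an assumption of this simulation)."""

    def __init__(self, max_cookies=IE_MAX_COOKIES_PER_DOMAIN):
        self.max_cookies = max_cookies
        self.cookies = OrderedDict()
        self.evicted = []

    def set(self, name, value):
        if name in self.cookies:
            self.cookies[name] = value   # overwrite keeps its slot and age
            return
        if len(self.cookies) >= self.max_cookies:
            old_name, _ = self.cookies.popitem(last=False)
            self.evicted.append(old_name)
        self.cookies[name] = value

    def has_session(self):
        return SESSION_COOKIE in self.cookies


def per_product_cookies(jar, product_ids):
    """The pattern described in the post: one cookie per product page viewed.
    Returns True if the session cookie survived."""
    jar.set(SESSION_COOKIE, SESSION_VALUE)
    for pid in product_ids:
        jar.set(f"viewed_{pid}", "1")
    return jar.has_session()


def consolidated_cookie(jar, product_ids):
    """Same data kept in a single 'viewed' cookie that is rewritten on each
    page view; the jar never grows past two cookies."""
    jar.set(SESSION_COOKIE, SESSION_VALUE)
    viewed = []
    for pid in product_ids:
        viewed.append(str(pid))
        jar.set("viewed", ",".join(viewed))
    return jar.has_session()


def cookie_count(cookie_header):
    """Count cookies in a raw Cookie request header; a server can log a
    warning when a client is close to the cap instead of silently losing it."""
    return sum(1 for part in cookie_header.split(";") if part.strip())
```

Nineteen product cookies plus the session cookie fit exactly; the twentieth product evicts the session, which matches the "20 or more custom cookies" wording in the KnowledgeBase article.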
Another example I spotted today of this lack of simple communication/thought processes was a post on the Internet Explorer blog.
It talks about how to configure permissions in IE7 and Vista to not prompt you every time you view a page’s source code. It also states that allowing full access from IE7 to Notepad is a security risk.
Simple answer? Build a cut down version of Notepad into IE! Firefox has its own HTML viewer - why can’t IE?
—
Update: Microsoft have updated cookie handling for IE7 so now it will accept 50 cookies per domain.