Troubleshooting Cookies - A Case Study

A few days ago, one of my colleagues asked a very simple question... "Do we have any document which talks about Cookies from the troubleshooting perspective in general?". I was pretty amused for some reason and I thought okay, let me give you a detailed answer... Then I thought, okay... maybe I should blog it in detail and here I am, doing just that.

Before we go any further into troubleshooting the cookies we need to know exactly what they are and how they work. Once you know how things work *exactly*, you will be able to find out any anomaly pretty easily!

Let me start from the beginning... Once upon a time not very long ago, there was an RFC :o) RFC2109 which talked about HTTP State Management Mechanism. Eventually it got obsoleted by RFC2965. Another RFC which talks about best current practices is at RFC2964. They spoke about the Cookies and using them for State Management, so I am not gonna read those stories for you. Not that I don't like it... but they are a bit too long and yes... they could be quite boring (depending on your taste)!

Let me see if I am able to jazz it up with some tools and other tidbits. In my view, doing a few practical exercises helps a lot in remembering the concepts. So, begin with installing Fiddler on your box from https://www.fiddlertool.com/fiddler/. I am gonna use it pretty extensively going forward! Feel free to comment if you think this blog entry was too long and just wasted your time.

Exercise 1:
1. Create a page called CookieTest.asp in C:\Inetpub\wwwroot\
2. Open CookieTest.asp in Notepad and add the following line... 

<% =Now() %>

3. Open an IE browser. Select Tool -> Fiddler to start Fiddler.
4. On the Top-Right hand side, you will see a tab called "Request Builder".
5. Type https://localhost/CookieTest.asp in the address bar and click on the Execute button.
6. In the left pane you will see an entry appear with the Host column as localhost and the URL as /CookieTest.asp. Double click on that entry.
7. Now in the middle right hand side pane, you will see Headers.
8. Check out what is written in Cookies/Login. If you haven't changed any default settings, you should see something like...

Set-Cookie: ASPSESSIONIDSCBCTCAS=COCDMHCAJCFOACMDNLPILFKB; path=/

9. Repeat Steps 5 - 9 a few times and you will see that the header information changes each time...

Set-Cookie: ASPSESSIONIDSCBCTCAS=EOCDMHCACFBMJOPONIHNBNKK; path=/

Question 1: Think about this... why did this cookie come into the picture in the first place??? As you saw, we haven't done ANYTHING in our code except printing the time!
Answer: ASP Requires Session State to Maintain Static Cookies

<Extract>  
ASP sends a different ASPSessionID cookie (scoped to the application, which is the virtual directory for the requested .asp file) for each and every .asp file that is requested until Session state is triggered. Session state is triggered once something is stored in a Session variable (a scalar variable or an object instance), or the Session_OnStart event is fired in the application's Global.asa file, the SessionID is fixed for that user until the Session times out or is abandoned.
</Extract>  

Question 2: It is not recommended to turn off ASP session state, but if your application doesn't use Sessions AT ALL... why have it and hamper performance! So, how can you turn Off ASP Session State in Active Server Pages and IIS?
Answer: Turn Off ASP Session State in Active Server Pages and IIS
Exercise 2:
1. Click Start, point to Programs, click Administrative Tools, and then click Internet Information Services.
2. Right-click your Web site, and then click Properties
3. Click the Home Directory tab.
4. Click Configuration, and then click the Options tab.
5. Click to clear the Enable Session State check box. 
6. Repeat 3-8 from Exercise 1 and verify if you can see the ASPSessionID anymore! Ideally, you shouldn't.

Question 3: I am using https://localhost/CookieTest.asp from IE and Fiddler doesn't seem to catch my requests, what's wrong?
Exercise 3:
1. Open IE and start Fiddler.
2. Type in https://localhost/CookieTest.asp and hit enter. Switch to Fiddler and you will find that the requests do not seem to be reaching the server. But since you are getting the output, that cannot be true. So, what went wrong?? Well, honestly speaking I don't know the root cause, since I don't have access to Fiddler's code. I don't know why it doesn't catch https://localhost/ even though it is a proxy-based tool. The good news is that there is a workaround.
3. Open Windows Explorer and navigate to C:\<WINDOWS>\system32\drivers\etc
4. Open hosts file in Notepad and add another line like...

127.0.0.1       www.localhost.com

5. Save the host file and go back to the IE window
6. Try https://www.localhost.com/CookieTest.asp. Not only will you see the output in the browser, you will also find that Fiddler is able to catch it.
7. The good thing to this approach is that now, you can use IE as usual to debug your website and see the output at the same time in Fiddler. Also, you don't have to BUILD your requests each time. Just browse as usual and switch to Fiddler to analyze.

Question 4: How to create cookies and view them? 
Exercise 4:
1. Open the CookieTest.asp file once again and modify the code to look like the following and save it.

<%
Response.Write(Now() & "<BR>")
Response.Cookies("Cool")="My First Cookie!"
%>

2. For clarity you can select Edit->Remove->All Sessions in Fiddler to clear the history.
3. Open IE and browse to https://www.localhost.com/CookieTest.asp with Fiddler running.
4. Switch to Fiddler and select the entry with https://www.localhost.com/ by double-clicking it.
5. Now in the middle right hand side pane, you will see Headers.
6. You will find the following...

Set-Cookie: Cool=My+First+Cookie%21; path=/
Set-Cookie: ASPSESSIONIDCSSDABRB=FBCJOAKBFODEBMLACHEAEKCC; path=/

Question 5: Can I create multiple cookies and view them all in Fiddler?
Answer: Yes
Exercise 5:
1. Open the CookieTest.asp file and modify the code to look like the following and save it.

<%
Response.Write(Now() & "<BR>")
Response.Cookies("Cool")="My First Cookie!"
Response.Cookies("Test1")="Test 1"
Response.Cookies("Test2")="Test 2"
%>

2. Repeat step 2-6 from Exercise 4 and you should be able to see the following...

Set-Cookie: Test2=Test+2; path=/
Set-Cookie: Test1=Test+1; path=/
Set-Cookie: Cool=My+First+Cookie%21; path=/ 
Set-Cookie: ASPSESSIONIDCSSDABRB=FBCJOAKBFODEBMLACHEAEKCC; path=/

NOTE:

You can create Cookie Keys as well.

Response.Cookies("Cool")("Key1")="My First Cookie Key!"
Response.Cookies("Cool")("Key2")="Checking"

ALSO, if you have Keys defined with any cookies, you can't store general data in the cookie at the same time... I mean...

Response.Cookies("Cool")("Key1")="My First Cookie Key!"
Response.Cookies("Cool")("Key2")="Checking"
Response.Cookies("Cool")="Will this work?"

Fiddler will show you something like this (which means that the text "Will this work?" is gone forever)...

Set-Cookie: Cool=Key1=My+First+Cookie+Key%21&Key2=Checking; path=/

I just noticed that if you use Win2k3 for this test, you may see "Will this work?". So, ensure that you don't use Cookie keys and cookies at the same time to store data. One of them will be lost!

Question 6: Can we lose ASP Session because of any cookie limits?
Exercise 6: YES, 306070

<Extract>
If a Web application uses more than 19 custom cookies, ASP session state may be lost. Internet Explorer 4.0 and later versions allow a total of 20 cookies for each domain. Because ASPSessionID is a cookie, if you use 20 or more custom cookies, the browser is forced to discard the ASPSessionID cookie and lose the session.
</Extract>

Question 7: Do we have any limits on the number or size of cookies that can be created in Internet Explorer?
Answer: YES, read the following KB: "Number and size limits of a cookie in Internet Explorer"

Question 8: How do I analyze IIS Logs for cookie?
Answer: Pretty simple... you need to ensure that you have enabled Extended Logging.
1. Click Start, point to Programs, click Administrative Tools, and then click Internet Information Services.
2. Right-click your Web site, and then click Properties.
3. Go to the Web Site tab and ensure that "Enable Logging" is checked. Click Properties in that panel.
4. Click on Extended Properties tab.
5. Check Extended Properties and ensure Cookie is checked
6. Here is my IISLog on Windows XP Box... "C:\WINDOWS\system32\Logfiles\W3SVC1".
7. Here is how one of my entries looked...

10:20:19 127.0.0.1 - W3SVC1 RAHULSONI 127.0.0.1 80 GET /CookieTest.asp - 200 0 356 421 31 HTTP/1.1 https://www.localhost.com/ Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) Test2=Test+2;+Test1=Test+1;+Cool=Key1=My+First+Cookie+Key%21&Key2=Checking;+ASPSESSIONIDASSDBBRB=OOELMDKBDECAFOGFBNEEHOOH -

8. Notice how you are able to see the Cookies separated by semicolons. Say, for example, you are seeing a lot of cookies and you fear that you are losing sessions because of them (refer to Question 6); you can easily determine the number of cookies by counting the ";" in your IISLogs.
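
Here is a small script for that count, added as an example (it is not part of the original post). It reads the cs(Cookie) column only, because the User-Agent column contains semicolons too, decodes the Cookie keys from the NOTE above, and flags entries with more than 19 custom cookies (Question 6). The "#Fields:" line is a constructed assumption that names the 20 columns of the entry from step 7; the function names are made up for this example.

```python
from urllib.parse import unquote_plus

# Constructed header (assumption): the page shows only the entry, so this
# "#Fields:" line just names the 20 columns that entry contains.
FIELDS = ("#Fields: time c-ip cs-username s-sitename s-computername s-ip s-port "
          "cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes "
          "cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) "
          "cs(Referer)")
ENTRY = ("10:20:19 127.0.0.1 - W3SVC1 RAHULSONI 127.0.0.1 80 GET /CookieTest.asp "
         "- 200 0 356 421 31 HTTP/1.1 https://www.localhost.com/ Mozilla/4.0+"
         "(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322;+.NET+CLR+"
         "2.0.50727) Test2=Test+2;+Test1=Test+1;+Cool=Key1=My+First+Cookie+Key%21"
         "&Key2=Checking;+ASPSESSIONIDASSDBBRB=OOELMDKBDECAFOGFBNEEHOOH -")
CUSTOM_COOKIE_LIMIT = 19  # "more than 19 custom cookies" (extract, Question 6)


def parse_cookie_field(raw):
    """Turn a cs(Cookie) value into {name: text, or dict for a keyed cookie}."""
    cookies = {}
    if raw == "-":  # IIS logs "-" when the request carried no cookie
        return cookies
    # IIS writes the space after each ";" as "+", so strip it from every pair.
    for pair in filter(None, (p.lstrip("+") for p in raw.split(";"))):
        name, _, value = pair.partition("=")
        if "=" in value:  # heuristic: ASP cookie keys look like Key1=..&Key2=..
            parts = (kv.partition("=") for kv in value.split("&"))
            value = {unquote_plus(k): unquote_plus(v) for k, _, v in parts}
        else:
            value = unquote_plus(value)
        cookies[unquote_plus(name)] = value
    return cookies


def audit(lines, limit=CUSTOM_COOKIE_LIMIT):
    """Return (time, uri, total cookies, custom cookies, at_risk) per entry."""
    columns, report = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            columns = line.split()[1:]
        elif line.strip() and not line.startswith("#"):
            row = dict(zip(columns, line.split()))
            cookies = parse_cookie_field(row.get("cs(Cookie)", "-"))
            custom = [n for n in cookies if not n.upper().startswith("ASPSESSIONID")]
            report.append((row["time"], row["cs-uri-stem"], len(cookies),
                           len(custom), len(custom) > limit))
    return report


if __name__ == "__main__":
    print(*audit([FIELDS, ENTRY]), sep="\n")
```

For the entry above, the whole line contains 7 semicolons, while the request carried 4 cookies (3 custom ones plus the ASPSESSIONID cookie).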

Question 9: You seem to lose each and every session on each and every Website/Virtual Folder no matter what you do. Is there anything that can be done? 
Answer: Mostly, it happens due to Disallowed Characters. We have seen "_" creating a lot of problems related to session. Refer 909264

Question 10: My regular cookies work fine, but Cookieless just doesn't. Is it a known issue?
Answer: Yes... it "may be". Check this anyways!

Question 11: Which are some of the documents by Microsoft that talk about Cookies?
Answer: Well, there are quite a few... but here is one of the links which is a kind of master link and points to several different and relevant articles... and a must read! "Description of Cookies"

If you managed to read till here anyhow, and still want to continue try these... 

1. Basics of Cookies in ASP.NET - https://msdn.microsoft.com/library/default.asp?url=/library/en-us/dv_vstechart/html/vbtchaspnetcookies101.asp 
2. Understanding the Forms Authentication Ticket and Cookie - https://support.microsoft.com/kb/910443 
3. Do Cookies Compromise Security? - https://www.webopedia.com/DidYouKnow/Internet/2002/Cookies.asp 
4. Fiddler PowerToy - https://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwebgen/html/IE_IntroFiddler.asp 
5. Session State - https://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconSessionState.asp 

Cheers!
Rahul
