Microsoft small business knowledge base

Article ID: 176113 - Last Review: July 3, 2008 - Revision: 5.0

This article was previously published under Q176113
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 7.0 running on Microsoft Windows Server 2008. IIS 7.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site: (
For more information about IIS 7.0, visit the following Microsoft Web site: (

On This Page


When a CGI application sends a Set-Cookie header with "302 Object Moved" response and Location header, Internet Information Server (IIS) ignores the cookie header.


This behavior is in violation of the CGI specification, which states, "Any headers that are not server directives are sent directly back to the client. Currently, this specification defines three server directives..."

As a workaround, make sure the file name of the EXE begins with "nph-" and manually create all HTTP headers in your program. "nph-" indicates to the server that the CGI program is to be run in non-parsed headers mode. CGI has two modes. In normal mode (parsed headers), you must send one of the CGI directives to standard output (Content-type, Location, or Status). CGI formats a valid HTTP response line based on the directive you sent. It formats other standard HTTP headers for you, and it should include any other headers that you have specified.

The other mode is non-parsed header mode. In this mode CGI does not set any headers itself. The CGI program must format a full HTTP response including the response line and all headers. The server will not add or modify any headers for you in this mode.

The convention is that a CGI program whose name begins with "nph-" is run in non-parsed header mode; otherwise, CGI programs are run in parsed header mode.


Microsoft has confirmed this to be a bug in the Microsoft products listed at the beginning of this article.


Steps to Reproduce Behavior

Compile this CGI program as a Win32 Console Application and place it in a folder on your IIS server where it can be executed:
#include <stdio.h>
int main()
  printf("Location: %s\r\n", "");
  printf("Set-Cookie: Name1=Value1; path=/;
    expires=Fri, 22 May 1998 21:00:00 GMT\r\n\r\n");
  return 0;

Call the CGI program from your browser and observe its output (via Network Monitor, for example). It will be similar to this:
HTTP/1.0 302 Object moved
Server: Microsoft-IIS/2.0
Content-Type: text/html
Content-Length: 145

<head><title>Document moved</title></head>
<body><h1>Object Moved</h1>This document may be found
<a HREF="">here</a></body>

Note that the Set-Cookie header has not been sent by IIS. If you have cookie warnings turned on in your browser, no warning appears.

To allow a cookie to be set in a 302 response, use code similar to the following, and prefix "nph-" to the name of the executable file:
#include <stdio.h>
int main()
  printf("HTTP/1.0 302 Redirect\r\n");
  printf("Location: %s\r\n", "");
  printf("Set-Cookie: Name=Value; path=/; expires=Fri, 22 May 1998 21:00:00
  return 0;

The output is similar to the following. Note that the cookie is now sent, and no headers are added by the server.
HTTP/1.0 302 Redirect
Set-Cookie: Name=Value; path=/; expires=Fri, 22 May 1998 21:00:00 GMT


(c) Microsoft Corporation 1997, All Rights Reserved. Contributions by Leon Braginski, Microsoft Corporation

  • Microsoft Internet Information Server 3.0
  • Microsoft Internet Information Server 4.0
  • Microsoft Internet Information Services 5.0
kbbug kbnofix KB176113
Additional support options
Ask The Microsoft Small Business Support Community
Contact Microsoft Small Business Support
Find Microsoft Small Business Support Certified Partner
Find a Microsoft Store For In-Person Small Business Support