
Microsoft small business knowledge base

Article ID: 316112 - Last Review: July 28, 2005 - Revision: 5.2

This article was previously published under Q316112

SYMPTOMS

After you install security patch MS01-055 for Microsoft Internet Explorer 5.5 or 6.0, you may encounter the following problems:
  • Session variables are lost.
  • Session state is not maintained between requests.
  • Cookies are not set on the client system.
Note These problems can also occur after you install a more recent patch that includes the fix that is provided in security patch MS01-055.

CAUSE

Security patch MS01-055 prevents servers with improper name syntax from setting cookies. Domains that use cookies must use only alphanumeric characters, hyphens ("-") or periods (".") in the domain name and the server name. Internet Explorer blocks cookies from a server if the server name contains other characters, such as an underscore character ("_").

Because ASP session state and session variables rely on cookies to function, ASP cannot maintain session state between requests if cookies cannot be set on the client.

This issue can also be caused by an incorrect name syntax in a host header.
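
The naming rule described above can be checked against a list of site URLs or host header names before users hit the problem. The following Python script is an added example, not Microsoft code and not Internet Explorer's actual check: it applies only the character rule stated in this article, and the function names and sample host names are constructed for illustration.

```python
import ipaddress
import string
from urllib.parse import urlsplit

# Characters this article lists as acceptable in a server or domain name.
ALLOWED = set(string.ascii_letters + string.digits + "-.")

# Constructed sample input: URLs and host header values to audit.
SAMPLE = [
    "http://web_01/app/default.asp",
    "http://intranet.example.com/",
    "sales_app.example.com:8080",
    "http://192.0.2.10/app/default.asp",
    "web-01.example.com",
]


def host_of(target):
    """Return the host part of a URL, or of a bare host / host:port string."""
    if "//" not in target:
        target = "//" + target  # let urlsplit treat a bare name as a netloc
    return urlsplit(target).hostname or ""


def check_host(target):
    """Classify one name as 'ip', 'ok', 'invalid' or 'blocked' (+ bad chars)."""
    host = host_of(target)
    if not host:
        return ("invalid", "")
    try:
        ipaddress.ip_address(host)  # browsing by IP address is the workaround
        return ("ip", "")
    except ValueError:
        pass
    bad = "".join(sorted({c for c in host if c not in ALLOWED}))
    return ("blocked", bad) if bad else ("ok", "")


def audit(targets):
    """Return {target: offending characters} for names that would lose cookies."""
    results = {t: check_host(t) for t in targets}
    return {t: chars for t, (status, chars) in results.items() if status == "blocked"}


if __name__ == "__main__":
    for name, chars in audit(SAMPLE).items():
        print(f"{name}: rename needed, disallowed character(s) {chars!r}")
```
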

RESOLUTION

To work around this problem, use one of the following methods:
  • Rename the domain name and the server name, and use only alphanumeric characters.
  • Browse to the server by using the Internet Protocol (IP) address rather than the domain/server name.
Note You may need to change the Microsoft Internet Information Server (IIS) configuration after you rename a server. For more information, refer to the "References" section.

STATUS

This behavior is by design.

MORE INFORMATION

A potential security vulnerability exists in Internet Explorer versions 5.5 and 6.0 in which a malicious user could create a URL that allows a Web site to gain unauthorized access to cookies that are stored on a client computer and then (potentially) modify the values that are contained in these cookies. Because some Web sites use cookies that are stored on client computers to store sensitive information, this security vulnerability could expose personal information.

Security patch MS01-055 corrects this security vulnerability by preventing servers with improper name syntax from setting cookies. This patch requires that server names follow the naming conventions that are specified in Appendix 1 of Request for Comments (RFC) 883 "DOMAIN NAMES - IMPLEMENTATION and SPECIFICATION." For more information, refer to the "References" section.

REFERENCES

For additional information about security patch MS01-055, click the following article number to view the article in the Microsoft Knowledge Base:
312461  (http://support.microsoft.com/kb/312461/ ) MS01-055: Internet Explorer cookie data can be exposed or altered through script injection
For additional information about IIS configuration changes that may be necessary after you rename the server, click the following article number to view the article in the Microsoft Knowledge Base:
234142  (http://support.microsoft.com/kb/234142/ ) Updating IIS after you change the computer name
For more information about the RFC 883 specifications, refer to the following Internet Engineering Task Force Web site:
http://www.ietf.org/rfc/rfc883.txt?number=883

APPLIES TO
  • Microsoft Active Server Pages 4.0
  • Microsoft Internet Explorer 6.0
  • Microsoft Internet Explorer 5.5
  • Microsoft Internet Information Services 6.0
  • Microsoft Internet Information Services version 5.1
Keywords: 
kbcookie kbaspobj kbprb kbsecbulletin kbsecurity kbwebserver KB316112