FIX: ServerXMLHTTP Does Not Return Cookies Using NTLM Authentication (326847)


The information in this article applies to:

  • Microsoft Data Access Components 2.7 SP1
  • Microsoft XML 3.0 SP3
This article was previously published under Q326847

SYMPTOMS

You can use the ServerXMLHTTP object to retrieve and resubmit session cookies. You can retrieve the cookie from the Response header and resubmit the cookie through the Request Header. Everything works as you expect when you use the Anonymous authentication method. However, when you use the NTLM authentication method, and you resubmit the cookie, the cookie is lost.

RESOLUTION

To resolve this problem, use one of the following methods:
  • Method 1: Install MDAC 2.7 Service Pack 1 (SP1). This contains MSXML 3.0 SP3, which contains the fix. MDAC 2.7 SP1 is available for download at the following Microsoft Web site:

    MDAC 2.7 SP1

  • Method 2: Install MSXML 4.0 Parser. The MSXML 4.0 parser is available for download at the following Microsoft Web site:

    http://msdn.microsoft.com/xml

    To use MSXML 4.0 change your code from the following Prog ID:

    Msxml2.ServerXMLHTTP.3.0

    to the following Prog ID:

    Msxml2.ServerXMLHTTP.4.0

STATUS

Microsoft has confirmed that this is a bug in the ServerXMLHTTP component. It has been fixed in the latest release of MSXML 3.0 SP3, which is included with MDAC 2.7 SP1.

MORE INFORMATION

Steps to Reproduce the Behavior

  1. In Windows Explorer, create a folder that is named Test in the root folder of your Web server THe root folder is typically found in the following location: C:\Inetpub\Wwwroot\.
  2. In the left pane of Internet Information Services, right-click the Default Web Site, create a Virtual directory that is named Test, and then point this Virtual directory to the Test folder that you created earlier in the root folder of your Web server.
  3. Double-click the Default Web Site, right-click Test, and then click Properties.
  4. On the Directory Security tab, click Edit, and then click to clear the Anonymous access check box. Make sure that the Integrated Windows authentication check box is checked for NTLM authentication.
  5. Use notepad to create a file that is named Sender.asp, and to create a file that is named Receiver.asp, and then save these files to the Test folder that you created earlier.
  6. Paste the following segments of code in each file as follows: Sender.asp:
    <%
		dim sender
		dim cookie
		'Step 1: Get the Session Cookie
		set sender = server.CreateObject("Msxml2.ServerXMLHTTP.3.0")
		sender.open "GET", "http://localhost/test/receiver.asp?resubmit=false",false
		sender.send
		cookie = sender.getResponseHeader("Set-Cookie")
		
		sID = mid(cookie,instr(1,cookie,"=")+1,instr(1,cookie,";")-(instr(1,cookie,"=")+1))
		'Display the Session cookie information 
		Response.Write "Response Header Information From First Request: <br/><br/>"
		Response.Write "Response Header Cookie = " & cookie & "<br/>"
		Response.write "SessionID = " & sID & "<br/><br/>"
		Response.Write "Setting Request Header Cookie as: " & left(cookie,instr(1,cookie,";")-1) & "<br/>"
		Response.Write "<br/>"

		set sender = nothing
		'Step 2: re-submit the same Session cookie back
		set sender = server.CreateObject("Msxml2.ServerXMLHTTP.3.0")
		sender.open "POST", "http://localhost/test/receiver.asp?resubmit=true",false
		sender.setRequestHeader "COOKIE", left(cookie,instr(1,cookie,";")-1)
		sender.setRequestHeader "COOKIE", left(cookie,instr(1,cookie,";")-1)
		sender.send "<XML>Sent XML</XML>"

		'The response from the ASP page. 		
		Response.Write "Request Header Cookie received by receiver:</br> " & sender.responseText & "</br>"

%>

    Receiver.asp: 
    <%
	Response.Write "Cookie:" & Request.ServerVariables("HTTP_COOKIE")
%>
  7. Run Sender.asp from the following location: http://localhost/Test/Sender.asp
Notice that the Receiver cookies are missing.
Modification Type:MajorLast Reviewed:6/6/2003
Keywords:kbbug kbfix KB326847
©2002 Microsoft Corporation. All rights reserved.