I've been trying to track down irreproducible cookie problems with Internet Explorer. It seems that sometimes visitors get my "you must enable cookies" page when they are convinced they have cookies enabled.
After some detective work, I've found that IE sends something like:
s=5e264e693f0183c18714eb685191e07a;s=7f354325d7e85ae4c2d349387f884e4b
The first "s" is a invalid session id and the second is the one I want. Digging through CGI::Simple::Cookie I found (the same code is in CGI::Cookie):
# A bug in Netscape can cause several cookies with same name to
# appear. The FIRST one in HTTP_COOKIE is the most recent version.
$results{$key} ||= $self->new(-name=>$key,-value=>\@values);
I think the only option is to hack it to save an array of cookies and change my session handling code to try each session id. This is a total PITA.
Update:
From Netscape's Cookie Spec:
When sending cookies to a server, all cookies with a more specific path mapping should be sent before cookies with less specific path mappings.
Eureka! An older version of the system was not sending a domain (and thus defaulting to "www.example.com") and now we're using a domain of ".example.com". I guess it's my fault not IE's, I better get back to hacking CGI::Simple...