
We experience an issue where in IIS advanced logs we see that the requests arrive with SOME of the cookie values missing. Of course the values are missing in the application layer as well. This is from various IPs and from various devices.

The machines are EC2s behind an AWS load balancer. Can the load balancer somehow tamper with the HTTP headers? We are really clueless as to where the cookie values disappear.

```
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36" "Capping111_3=; UU=; Capping181_3=359%2c0%2c0%2c1%2c1440%2c%2c0%2c7%2f19%2f2015+11%3a59%3a59+PM; ID=; Capping108_3=; lastURL=; ASP.NET_SessionId=3xj4v3nnrua0ncuvdaalvdum;
```

realPro
  • To be clear, you are saying the cookies themselves (specific keys) are present, but their *values* are missing (empty). For example, `lastURL=;`. Is that right? – Michael - sqlbot Jul 24 '15 at 12:42
  • My guess would be an application error, or someone trying to hack the system by trying different non-standard values in headers / cookies. – Tero Kilkanen Jul 24 '15 at 12:45
  • @Michael-sqlbot Yes – realPro Jul 24 '15 at 14:40
  • @TeroKilkanen As I said, we see the HTTP headers in IIS advanced logs, which are intercepted at the networking level before hitting the application layer. The values have nothing non-standard. – realPro Jul 24 '15 at 14:42
  • @Michael-sqlbot Also I should mention that this is happening for only about 0.1% of the requests. – realPro Jul 24 '15 at 14:48
  • I am inclined to agree with @TeroKilkanen that you have an application bug or non-legitimate user. You'd almost need to capture the headers from the browser side to be certain that they're leaving the browser intact and being munged in transit. Absent invalid encoding of the values (which seems unlikely for more reasons than one) or a defect in ELB, I'm at a loss for explanation for ELB emptying the values but leaving the cookies themselves present. – Michael - sqlbot Jul 24 '15 at 16:14
  • @Michael-sqlbot The thing is that it is impossible to set a cookie with an empty value, so I don't see how this can occur at the application side. – realPro Jul 24 '15 at 19:03
  • Impossible? Perhaps someone else can weigh in on that. Your framework might not allow it, but I don't think it's impossible, though browsers might not behave consistently. Next question, though, is whether you are using sticky sessions (affinity) in ELB, and if so, is it ELB-controlled or application-controlled stickiness? – Michael - sqlbot Jul 24 '15 at 22:01
  • @Michael-sqlbot Impossible according to the specifications, I think. We use round robin. – realPro Jul 25 '15 at 15:48
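
Added example, not part of the original thread: a Python triage over logged requests that measures how many carry empty cookie values, which cookie names are emptied, and which user agents send them, so the 0.1% can be narrowed down before blaming the load balancer. The record layout (client IP, user agent, Cookie header), the IPs and the second and third records are constructed assumptions; the first cookie string is the one quoted in the question.

```python
from collections import Counter
from urllib.parse import unquote_plus

def parse_cookie_header(header):
    """Split a Cookie request header into (name, value) pairs, keeping empty values."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue  # trailing ';' as in the logged sample
        name, _, value = part.partition("=")
        pairs.append((name.strip(), unquote_plus(value.strip())))
    return pairs

def empty_cookies(header):
    """Names of cookies that are present in the header but carry no value."""
    return [name for name, value in parse_cookie_header(header) if value == ""]

def triage(records):
    """records: iterable of (client_ip, user_agent, cookie_header) tuples (assumed layout)."""
    total = affected = 0
    empty_names, by_agent, by_ip = Counter(), Counter(), Counter()
    for ip, agent, header in records:
        total += 1
        empty = empty_cookies(header)
        if empty:
            affected += 1
            empty_names.update(empty)
            by_agent[agent] += 1
            by_ip[ip] += 1
    return {"total": total, "affected": affected,
            "empty_names": empty_names, "by_agent": by_agent, "by_ip": by_ip}

# Cookie string quoted in the question.
QUESTION_COOKIES = ("Capping111_3=; UU=; Capping181_3=359%2c0%2c0%2c1%2c1440%2c%2c0%2c"
                    "7%2f19%2f2015+11%3a59%3a59+PM; ID=; Capping108_3=; lastURL=; "
                    "ASP.NET_SessionId=3xj4v3nnrua0ncuvdaalvdum;")
# Constructed sample records (documentation IP ranges, made-up cookie values).
SAMPLE = [
    ("192.0.2.10", "Chrome/43.0.2357.134", QUESTION_COOKIES),
    ("198.51.100.7", "Chrome/43.0.2357.134", "UU=abc123; ID=42; lastURL=%2fhome"),
    ("203.0.113.5", "Firefox/39.0", "UU=def456; ID=43; ASP.NET_SessionId=constructedvalue"),
]

if __name__ == "__main__":
    report = triage(SAMPLE)
    print(f"{report['affected']}/{report['total']} requests carry empty cookie values")
    print("emptied cookies:", dict(report["empty_names"]))
    print("by user agent:", dict(report["by_agent"]))
```
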

0 Answers