Nasty IIS/ASP Querystring Cookie Case Bug

I just stumbled on a nasty, nasty ASP bug that took about 7 years for me to see.

The problem happens when using cookies and querystrings with the same name. A page on the site reads in a variable from the querystring and sets a cookie with the same name to its value, e.g.:

strSrc = Request.QueryString(“A”)
Response.Cookies(“A”) = strSource
Response.Cookies(“A”).Expires = Now + (2 * 30)

However, if the variable name in the query string is different from the capitalization of the cookie name (e.g page.asp?a=xxx) then a new cookie gets set with the name matching the captialization of the
QueryString variable.

So if you run the page multiple ways, a=123 and A=123, two different cookies are set EVEN THOUGH YOUR CODE SAYS Response.Cookies(“A”) = strSource!

Attempting to read the cookie value back then returns both values. Reading the cookie value via Request.ServerVariables(“HTTP_COOKIE”) shows both values.

If your code is looking for the “A” cookie later on and there are two cookes there, you will only see the “A” one, which may not be the one you want.

Since I ran into this, I did see other complain about this as far back as 2003: here, here, here.