After many hours of debugging some strange error occurring on our classic asp website, I found what could be the cause of the error when reading the Request.Cookies collection.
An example of HTTP_COOKIE header received from the client browser is:
HTTP_COOKIE:=true; ASPSESSIONIDSQRRDDRS=PAMMOMMAKGDHMAOGLEJPMLIM; X-XAct-ID=e8eb8d86-670c-46ef-ba64-14cc931fd13f; 643af15a72242b4dd892fe8c0c088a39=d60badbf9bebc14f573b4aa7f0474deb; sid=fr33cf49981a883ca433dd333692832ffdd8ee8a; _locale=pt_BR; 21411886ec077054c92080ba94ba91a2=fac31597bd8bf7e4cb5991c7547ad58c; brstyleid=9; brsessionhash=9d5dce337d314e85ec44a9b69a258fbd; brlastvisit=1438799253; brlastactivity=0; lnlang=no; _talentoday_session=3e9172578651a5bd36a9687bfadf7ada; sticky=no-match; BBC-UID=f5f51c92557579d5f8b9575621a86a8a48e81e9c3020707c72e9631f89622caf0Mozilla%2f5%2e0%20%28Macintosh%3b%20Intel%20Mac%20OS%20X%2010%2e8%3b%20rv%3a21%2e0%29%20Gecko%2f20100101%20Firefox%2f21%2e0; ypsession=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22f90505e4298571bc306b4845413b42b2%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A11%3A%225.9.145.132%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A65%3A%22Mozilla%2F5.0+%28Windows+NT+6.2%3B+rv%3A21.0%29+Gecko%2F20130326+Firefox%2F21.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1438799253%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7D0214f53a8afe0b556dd83f2b1a3ee88d; yumpu_slc=no; ASPSESSIONIDSQDSCQTS=BLAAJGIAHPOPIFJKJBFGGCOD; ljident=2969834924.20480.0000; ftrlan=en; ismobile=0; geneweb_base=bengos; gntsess5=06cfbqo0i1qgcfecn5f56msfo4; autolang=fr; device_view=full; experiments_groups=51bdba5bd9f6233a5042745665e03d3265a87fac%7Ea%3A1%3A%7Bs%3A6%3A%2278%3A115%22%3Bs%3A8%3A%22archives%22%3B%7D; session=4e62cb6c840cd84689029e488605282970fc2925%7E55c2559636cbe2-35808714; ASP.NET_SessionId=ivmbtcjboba0sft03rrksblk; PD_Captcha=rcount=1&SearchResults=http%3a%2f%2fdoctor.webmd.com%2fdoctor%2fgonzalo-de-quesada-md-537ca80f-752d-4aaa-82c3-1c2c7b447022-appointments; NSC_epdups-xfc.dpo.tfb1*80=ffffffffaf1a188345525d5f4f58455e445a4a423660; SESSION_ZIG=Yzg1NmRjYThkMjE4MWE5OGQ2M2Q3YTU2NzNmOTE0NGE6OjdjZDFkYzZjYTcyMzYxNDRhMTI1YWVkNjM2ZWIxNDUy; GSCK_AVCA=YToxOntpOjcwNzM4O2k6MTQzODc5OTI1NDt9OjpmZWY4MWViYTU5NTJiYzU5MTVlZmVlMTQ4YWY0M2JhNg%3D%3D; _uv_id=1466248598; SERVERID=r88|VcJVm|VcJVm; SESS57cde0ccb3a63ef1692b1270e90b46cc=bctkcqro3j98uvgn84e7h7e5i0; VISITOR_INFO1_LIVE=k__fn-xf0m4; YSC=NKv9iWTX4AQ; s1=6q5M2Ujn7Qdc663oy88WrFn4_wmABvFNB; __cfduid=d7d5f0bf9eb9853a44349aa3aafac5ec51438799254; CAKEPHP=hi2u1sapas3r6n7iuje3nvbg15; visited=20150805; PHPSESSID=vbdub74d1ee6uvs42rlgaejjt3; BX=7sb6jvdas4lcn&b=3&s=fi; NID=70=hRIXSnhVo35s-0cSEvmn7mHoqIgfYGjFsgRMvATllAVMIXg_Q6eZpVITVZDVRmYD5TnbJCm1kBAIk1Hamk1ilSLtekGVSKRr51GZy1_-ul2AK8qXbdUBADsbuFLAC-xX; startD=R3876064936; session_id=7bb23c0df78d28170d038fa36d43f989; cat=198897; cpop=1
First, notice the first cookie is missing its key, is it valid and if not may it explain why I get an error when trying to access Request.Cookies collection ?
Also, except maybe "ASPSESSIONIDXXXXXXXX" cookies, all other cookies are even not belonging to my website domain, what the heck ? "correct" browsers should not send cookies from other domains right ?
This guy user agent string is: Mozilla/5.0 (Macintosh; Intel Mac OS X 107) AppleWebKit/534.48.3 (KHTML like Gecko) Version/5.1 Safari/534.48.3
, i would think Safari would follow this domain rule... anyway it does not seems related to a specific browser because i get many similar request with other browsers...
Any idea what is happening ?
I found with the ip addresses that requests were not legitimate and probably made by a bot which is spoofing user agent string.
And also found that any attempt to read Request.Cookies raise an error when the cookie request header contains a cookie with no key like "=true", it is sad they didn't think of ignoring invalid cookie strings when implementing the collection.