This article was previously published under Q176113
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 7.0 running on Microsoft Windows Server 2008. IIS 7.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
When a CGI application sends a Set-Cookie header with a "302 Object Moved" response and a Location header, Internet Information Server (IIS) ignores the cookie header.
This behavior is in violation of the CGI specification, which states, "Any headers that are not server directives are sent directly back to the client. Currently, this specification defines three server directives..."
As a workaround, make sure the file name of the EXE begins with "nph-" and manually create all HTTP headers in your program. "nph-" indicates to the server that the CGI program is to be run in non-parsed headers mode. CGI has two modes. In normal mode (parsed headers), you must send one of the CGI directives to standard output (Content-type, Location, or Status). CGI formats a valid HTTP response line based on the directive you sent. It formats other standard HTTP headers for you, and it should include any other headers that you have specified.
The other mode is non-parsed header mode. In this mode CGI does not set any headers itself. The CGI program must format a full HTTP response including the response line and all headers. The server will not add or modify any headers for you in this mode.
The convention is that a CGI program whose name begins with "nph-" is run in non-parsed header mode; otherwise, CGI programs are run in parsed header mode.
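The workaround described above, sketched as an added example that is not code from the original article: a program meant to be built as an "nph-" executable that formats the whole 302 response itself. The function name `build_nph_redirect`, the HTTP/1.0 version string, and the sample URL and cookie are assumptions; because the server no longer parses or filters headers in this mode, the program rejects CR/LF in header values itself.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <fcntl.h>
#include <io.h>
#endif

/* A header value must be non-empty and must not contain CR or LF;
 * otherwise a caller-supplied value could inject extra headers. */
static int header_value_ok(const char *v)
{
    return v != NULL && *v != '\0' && strpbrk(v, "\r\n") == NULL;
}

/* Format a complete redirect response (status line, headers, blank line).
 * Returns the number of bytes written, or -1 on bad input or truncation. */
int build_nph_redirect(char *buf, size_t cap,
                       const char *location, const char *cookie)
{
    int n;
    if (!header_value_ok(location) || !header_value_ok(cookie))
        return -1;
    n = snprintf(buf, cap,
                 "HTTP/1.0 302 Object Moved\r\n"  /* version is an assumption */
                 "Location: %s\r\n"
                 "Set-Cookie: %s\r\n"
                 "Content-Length: 0\r\n"
                 "\r\n",
                 location, cookie);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

int main(void)
{
    char resp[1024];
    /* Constructed sample values, not taken from the article. */
    int n = build_nph_redirect(resp, sizeof resp,
                               "http://example.com/next.htm",
                               "session=constructed-value; path=/");
    if (n < 0)
        return 1;
#ifdef _WIN32
    /* Binary mode keeps "\r\n" from being expanded to "\r\r\n". */
    _setmode(_fileno(stdout), _O_BINARY);
#endif
    fwrite(resp, 1, (size_t)n, stdout);
    return 0;
}
```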
Microsoft has confirmed this to be a bug in the Microsoft products listed at the beginning of this article.
Steps to Reproduce Behavior
Compile this CGI program as a Win32 Console Application and place it in a folder on your IIS server where it can be executed: