FIX: ServerXMLHTTP Does Not Return Cookies Using NTLM Authentication


You can use the ServerXMLHTTP object to retrieve and resubmit session cookies. You can retrieve the cookie from the Response header and resubmit the cookie through the Request Header. Everything works as you expect when you use the Anonymous authentication method. However, when you use the NTLM authentication method, and you resubmit the cookie, the cookie is lost.


To resolve this problem, use one of the following methods:
  • Method 1: Install MDAC 2.7 Service Pack 1 (SP1). This contains MSXML 3.0 SP3, which contains the fix. MDAC 2.7 SP1 is available for download at the following Microsoft Web site:
  • Method 2: Install MSXML 4.0 Parser. The MSXML 4.0 parser is available for download at the following Microsoft Web site: To use MSXML 4.0 change your code from the following Prog ID:


    to the following Prog ID:



Microsoft has confirmed that this is a bug in the ServerXMLHTTP component.
It has been fixed in the latest release of MSXML 3.0 SP3, which is included with MDAC 2.7 SP1.

More Information

Steps to Reproduce the Behavior

  1. In Windows Explorer, create a folder that is named Test in the root folder of your Web server THe root folder is typically found in the following location: C:\Inetpub\Wwwroot\.
  2. In the left pane of Internet Information Services, right-click the Default Web Site, create a Virtual directory that is named Test, and then point this Virtual directory to the Test folder that you created earlier in the root folder of your Web server.
  3. Double-click the Default Web Site, right-click Test, and then click Properties.
  4. On the Directory Security tab, click Edit, and then click to clear the Anonymous access check box. Make sure that the Integrated Windows authentication check box is checked for NTLM authentication.
  5. Use notepad to create a file that is named Sender.asp, and to create a file that is named Receiver.asp, and then save these files to the Test folder that you created earlier.
  6. Paste the following segments of code in each file as follows: Sender.asp:
    dim sender
    dim cookie
    'Step 1: Get the Session Cookie
    set sender = server.CreateObject("Msxml2.ServerXMLHTTP.3.0") "GET", "http://localhost/test/receiver.asp?resubmit=false",false
    cookie = sender.getResponseHeader("Set-Cookie")

    sID = mid(cookie,instr(1,cookie,"=")+1,instr(1,cookie,";")-(instr(1,cookie,"=")+1))
    'Display the Session cookie information
    Response.Write "Response Header Information From First Request: <br/><br/>"
    Response.Write "Response Header Cookie = " & cookie & "<br/>"
    Response.write "SessionID = " & sID & "<br/><br/>"
    Response.Write "Setting Request Header Cookie as: " & left(cookie,instr(1,cookie,";")-1) & "<br/>"
    Response.Write "<br/>"

    set sender = nothing
    'Step 2: re-submit the same Session cookie back
    set sender = server.CreateObject("Msxml2.ServerXMLHTTP.3.0") "POST", "http://localhost/test/receiver.asp?resubmit=true",false
    sender.setRequestHeader "COOKIE", left(cookie,instr(1,cookie,";")-1)
    sender.setRequestHeader "COOKIE", left(cookie,instr(1,cookie,";")-1)
    sender.send "<XML>Sent XML</XML>"

    'The response from the ASP page.
    Response.Write "Request Header Cookie received by receiver:</br> " & sender.responseText & "</br>"


    Response.Write "Cookie:" & Request.ServerVariables("HTTP_COOKIE")
  7. Run Sender.asp from the following location: http://localhost/Test/Sender.asp
Notice that the Receiver cookies are missing.

ID articol: 326847 - Ultima examinare: 28 nov. 2012 - Revizie: 1