This post originated from an RSS feed registered with .NET Buzz by Scott Hanselman. Original Post: IE's Content Advisor, PICS Ratings and the ASP.NET Flakey of the Day Feed Title: Scott Hanselman's ComputerZen.com Feed URL: http://radio-weblogs.com/0106747/rss.xml Feed Description: Scott Hanselman's ComputerZen.com is a .NET/WebServices/XML Weblog. I offer details of obscurities (internals of ASP.NET, WebServices, XML, etc) and best practices from real world scenarios. Latest .NET Buzz Posts Latest .NET Buzz Posts by Scott Hanselman Latest Posts From Scott Hanselman's ComputerZen.com

GOTCHA #1: Here's a crazy thing.  Let me try to paint a word picture for you of the thing I debugged today with the info I was given in the order it was given:

Symptom: "So, Scott, it appears that users using the Content Advisor feature of IE (the one that's there to prevent kids from seeing naughty things) occasionaly and apparently randomly get logged out of our website"

Me: "That sucks."

Additional Information #1: "Turns out the get logged out when we open a new Window with target='_blank' or javascript:window.open."

Me: "That IS weird.  Good luck with that."

Additional Information #2: "With IEHttpHeaders we see that the Forms Authentication Cookie 'disappears' when this new window opens."

Me: "Well that's just kooky talk.  Cookies don't disappear, they are either tossed with the HTTP Header set-cookie directive, or they are not passed in the Http Request."

Additional Information #3: "Well, turns out that when Content Advisor is OFF, the interaction looks like this:

HTTP GET /somefile.aspx
RESPONSE 200
HTTP GET /somethingelse.aspx (we did a javascript.open)
RESPONSE 302 getthisfile.aspx
HTTP GET getthisfile.aspx
RESPONSE 200

But when Content Advisor is ON, we see this:

HTTP GET /somefile.aspx
RESPONSE 200
HTTP GET /somethingelse.aspx (we did a javascript.open)
HTTP GET /
RESPONSE 200
RESPONSE 302 getthisfile.aspx
HTTP GET getthisfile.aspx
RESPONSE 200

Me: "Well, crap. Who or what is asking for '/' in the middle there?  What's the Headers look like?"

Additional Information #4: "Let's see...when the Response to the GET of / comes back...oh...doh, look at that: 

Set-Cookie:AUTHCOOKIE=;
expires=Wednesday, 09-Nov-99 10:34:56 GMT;path=/

Me: "Hm...so clearly SOMEONE is tossing that cookie.  Well, the only place we erase that cookie is the login.aspx page.  Say, what's the DEFAULT page for this site?  It's login.aspx you say?  Oy.

CONCLUSION: When the Content Advisor is ON, Internet Explorer will request '/' from a site anytime a new window is opened.  It does this to request and cache the PICS data from either the page or the headers.  Turned out that on our site, when we opened a new window, IE would go and request the default page '/' which is set in IIS as login.aspx...and we had if(!IsPostBack) FormsAuthentication.SignOut() automatically logging folks out to be tidy.  The Content Advisor's overzealous retrieval of our default page logged the user out.  Damned interesting.

GOTCHA #2: One other thing to remember, if you DON'T have a PICS (Platform for Internet Content Selection) header in your Http Headers or as a META tag in your HTML then folks using Content Advisor in IE may not be able to view your site at all.

So, I just added a standard "I'm harmless" PICS header to the project-wide base page (in the OnLoad).

Response.AddHeader("pics-label","(pics-1.1 \"http://www.icra.org/ratingsv02.html\" comment \"ICRAonline EN v2.0\" l r (nz 1 vz 1 lz 1 oz 1 cz 1) \"http://www.rsac.org/ratingsv01.html\" l r (n 0 s 0 v 0 l 0))"

Also, there's a great PICS Rating Generator online as well.