I was able to confirm / reproduce what you're experiencing.  I was also able
to confirm that toggling IE 6's acceptance of 3rd party cookies changes the
behavior.

Create an HTML on your local machine with the following line:

<img src="http://www.atfantasy.com/test/image_status.php">

It'll load an image that says the cookie is not set.  Next, open a new
browser and go to 

http://www.atfantasy.com/test/index.php

It'll set the cookie.  Now go back and reload the first browser.  It says
the cookie is still not set.  Go into IE's Privacy options and set IE to
accept 3rd party cookies.  Do another refresh in the first browser and the
image will display saying the cookie is set.

The test index also has other options for setting the cookie, unsetting the
cookie, and displaying the image directly (not through your local page).

I think all of this confirms what Curt was saying.  If IE has access to
third party cookies disabled, the local page may refer to a script
elsewhere, but it won't pass cookies back and forth.

Squarefree.com's article
(http://www.squarefree.com/securitytips/web-developers.html) recommends a
few solutions.  

-Ed



> -----Original Message-----
> > I am unable to re-produce a CSRF attack when the victim is
> > using a I.E. 6.01 SP1 (all patches applied). However the
> > attack works in Mozilla and other older browsers.
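The experiment described above, rebuilt as one self-contained PHP script (an added example; not the atfantasy.com test scripts, whose source is not in the thread). The cookie name `csrf_demo`, the `action` and `samesite` query parameters and the file name `test.php` are assumptions; the `samesite` option needs PHP 7.3 or later. Put it on one host, open it directly to set or unset the cookie, then embed its `?action=image` URL in a page served from a different origin to see whether that browser attaches the cookie to a third-party image request.

```php
<?php
// test.php (added example, not from the original post): one file that
// sets, unsets and reports a cookie, so the third-party cookie behaviour
// discussed on the list can be observed from any browser.
// Assumed: cookie name "csrf_demo", query parameters "action" and "samesite".

const COOKIE_NAME = 'csrf_demo';

$action = $_GET['action'] ?? 'index';

switch ($action) {
    case 'set':
        // Without a SameSite attribute (the original test) the browser's own
        // third-party cookie policy decides whether the cookie rides along on
        // a cross-site <img>. With ?samesite=Lax or Strict the server opts the
        // cookie out of cross-site subresource requests itself, which is the
        // defence that does not depend on the user's privacy settings.
        $opts = ['path' => '/', 'httponly' => true];
        $sameSite = $_GET['samesite'] ?? '';
        if (in_array($sameSite, ['Lax', 'Strict', 'None'], true)) {
            $opts['samesite'] = $sameSite;
            if ($sameSite === 'None') {
                $opts['secure'] = true;   // browsers require Secure with SameSite=None
            }
        }
        setcookie(COOKIE_NAME, '1', $opts);
        header('Location: ?action=index');
        exit;

    case 'unset':
        // Expire the cookie by sending it again with a date in the past.
        setcookie(COOKIE_NAME, '', ['expires' => time() - 3600, 'path' => '/']);
        header('Location: ?action=index');
        exit;

    case 'image':
        // Report whether the request carried the cookie, as an inline SVG so
        // no GD extension is needed. Cache-Control: no-store makes every
        // reload a fresh request, otherwise a stale "not set" image can linger.
        $state = isset($_COOKIE[COOKIE_NAME]) ? 'cookie IS set' : 'cookie NOT set';
        header('Content-Type: image/svg+xml');
        header('Cache-Control: no-store');
        echo '<svg xmlns="http://www.w3.org/2000/svg" width="220" height="40">'
           . '<rect width="220" height="40" fill="#eee"/>'
           . '<text x="10" y="25" font-family="monospace">'
           . htmlspecialchars($state, ENT_QUOTES) . '</text>'
           . '</svg>';
        exit;

    default:
        // First-party view: links to set/unset plus the image loaded directly.
        $self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES);
        header('Content-Type: text/html; charset=utf-8');
        echo "<!DOCTYPE html><title>third-party cookie test</title>"
           . "<p><a href=\"$self?action=set\">set cookie</a> | "
           . "<a href=\"$self?action=set&amp;samesite=Lax\">set cookie (SameSite=Lax)</a> | "
           . "<a href=\"$self?action=unset\">unset cookie</a></p>"
           . "<p>Direct (first-party) view:</p>"
           . "<img src=\"$self?action=image\" alt=\"cookie status\">"
           . "<p>Third-party view: put <code>&lt;img src=\"http://THIS-HOST$self"
           . "?action=image\"&gt;</code> in a page served from another origin "
           . "and compare.</p>";
}
```

The `image` endpoint only reads the cookie, so it is a harmless probe; the risk the thread is about appears when a state-changing endpoint trusts that same cookie as its sole authorisation. What the test makes visible is that "the cookie was not sent" is a property of the requesting browser's policy, not of the server, which is why a server-side measure (the SameSite attribute here, alongside a per-request token that is not shown) is the dependable fix rather than relying on every client to block third-party cookies.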

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php