asp.net-mvc session-state session-variables session-cookies

Chrome and IE not sending ASP.NET_SessionID - i.e. session variable gets lost?


I have an ASP NET MVC 3 app with a page with some parameter being set (let's say region='North').

When this gets posted back to the server, I set this parameter as a session variable and return three images having their src attribute set to three different controller/getImageXy urls.

Now, these controller methods execute a query (based on a session variable) and return images. It's kinda neat, user gets a quick reply and then those images get populated (asynchronously).

Everything works fine in FF. The initial reply has an ASP.NET_SessionID set (cookie).

FF, then, GETs three images, with the same cookie, and everything is fine.

Chrome and IE, however, don't.

They're just sending __RequestVerificationToken_Lw__. Naturally, my session variable ("region") gets lost.

Thanks,

Igor


Solution

  • To answer my own question and probably save someone a few hours:

    The problem was that I was setting the domain attribute on session id cookie.

    Why did I do that? I copied it from the book "Professional ASP NET MVC 3", page 163, having the intention to set the HttpOnly flag. Quote:

    You can stop script access to all cookies in your site by adding a simple flag: HttpOnly. You can set this in the web.config like so:

    <httpCookies domain="String" httpOnlyCookies="true" requireSSL="false"/>

    I was punished for copy pasting without thinking. So, when I changed this to domain="", the issue was fixed.

    Interestingly, FF was ignoring (or misusing) this attribute, but that is another topic.
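
Added example, not part of the original answer: a sketch of the RFC 6265 storage rule under which a browser discards a Set-Cookie whose Domain attribute does not match the responding host, which is the situation a literal domain="String" creates. The host name, cookie value and header strings are constructed, and the function names are hypothetical.

```javascript
// RFC 6265 section 5.1.3: does `host` domain-match `cookieDomain`?
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  if (host === cookieDomain) return true;
  // Suffix matching is only allowed for host names, never for IP addresses.
  const isIp = /^[\d.]+$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + cookieDomain);
}

// Parse the name/value pair plus the attributes relevant to this problem.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   domain: null, httpOnly: false };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? "" : attr.slice(i + 1).trim();
    // An empty Domain value is ignored; a leading dot is stripped (section 5.2.3).
    if (key === "domain" && val !== "") cookie.domain = val.replace(/^\./, "");
    if (key === "httponly") cookie.httpOnly = true;
  }
  return cookie;
}

// Section 5.3: return the cookie as stored, or null when it must be ignored.
function storeCookie(requestHost, header) {
  const cookie = parseSetCookie(header);
  if (cookie.domain !== null && !domainMatches(requestHost, cookie.domain)) {
    return null; // Domain attribute does not cover the host that sent it
  }
  cookie.hostOnly = cookie.domain === null;
  if (cookie.hostOnly) cookie.domain = requestHost.toLowerCase();
  return cookie;
}

// Constructed sample input: the header with the copied domain value, and without it.
const host = "app.example.test";
const copied = "ASP.NET_SessionId=abc123; domain=String; path=/; HttpOnly";
const fixed = "ASP.NET_SessionId=abc123; path=/; HttpOnly";
console.log(storeCookie(host, copied)); // null: never stored, so never sent back
console.log(storeCookie(host, fixed));  // host-only cookie, HttpOnly still set
```

With the domain attribute left out, the cookie is stored as host-only and HttpOnly is still applied, so the hardening the book intended survives the fix.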