Web pages do not appear as expected when you publish a Web site by using a publishing rule in Internet Security and Acceleration (ISA) Server 2006

You publish a Web site by using a publishing rule in Microsoft Internet Security and Acceleration (ISA) Server 2006. When a user visits the Web site, the Web pages do not appear as expected. For example, the page layout may be incorrect, or parts of a Web page may not appear.

You experience this problem if the following conditions are true:

• You use Forms-based authentication (CookieAuth) in ISA Server 2006 to authenticate the users who visit the Web site.
• The Web site is running a Web application that uses one or more commas as part of the cookie content.

This problem occurs because of how ISA Server 2006 parses cookie content when ISA Server performs Forms-based authentication.

When you use Forms-based authentication, ISA Server must parse the cookie content to extract the Forms-based authentication cookie. ISA Server requires the Forms-based authentication cookie to authenticate the user. To parse the cookie content, the parsing code in ISA Server looks for a semicolon or a comma to separate individual cookies.

Note According to Request For Comment (RFC) 2965 Section 3.3.4, cookies may be separated by using either a semicolon or a comma. A cookie may have the following format:After ISA Server extracts the Forms-based authentication cookie, it rebuilds the cookie content. During this process, ISA Server separates the individual cookies by using a semicolon character together with a space.

Note ISA Server uses a semicolon to separate individual cookies regardless of how the cookies were separated originally.

Because of how the cookie parsing code works in ISA Server, any comma in the cookie content is replaced by a semicolon. Therefore, if a Web application requires commas in the cookie content, the Web application may not work.

Important A semicolon or a comma may be used as a delimiter in cookie content. Therefore, we recommend that a Web application does not use a semicolon or a comma as part of cookie content.

A hotfix is available for computers that are running ISA Server 2006. To resolve this problem, install the hotfix that is described in the following Microsoft Knowledge Base article:

Hotfix installation information

By default, the behavior that this hotfix provides is not enabled. To enable this hotfix, follow these steps:

1. Start any text editor program, such as Notepad.
2. Paste the following script into the text editor window.

   ' -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
   ' -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
   
   '    This code is Copyright (c) 2007 Microsoft Corporation.  
   '
   '    All rights reserved.
   '
   '    THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
   '    ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO
   '    THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
   '    PARTICULAR PURPOSE.
   '
   '    IN NO EVENT SHALL MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS BE
   '    LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY
   '    DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
   '    WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
   '    ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
   '    OF THIS CODE OR INFORMATION.
   '
   ' -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
   
   Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
   Const SE_VPS_NAME = "KeepCookieSeparator"
   Const SE_VPS_VALUE = true
   
   Sub SetValue()
   
       ' Create the root obect.
       Dim root  ' The FPCLib.FPC root object
       Set root = CreateObject("FPC.Root")
   
       ' Declare the other objects that are needed.
       Dim array       ' An FPCArray object
       Dim VendorSets  ' An FPCVendorParametersSets collection
       Dim VendorSet   ' An FPCVendorParametersSet object
   
       ' Obtain references to the array object
       ' and to the network rules collection.
       Set array = root.GetContainingArray
       Set VendorSets = array.VendorParametersSets
   
       On Error Resume Next
       Set VendorSet = VendorSets.Item( SE_VPS_GUID )
   
       If Err.Number <> 0 Then
           Err.Clear
   
           ' Add the item
           Set VendorSet = VendorSets.Add( SE_VPS_GUID )
           CheckError
           WScript.Echo "New VendorSet added... " & VendorSet.Name
   
       Else
           WScript.Echo "Existing VendorSet found... value- " &  VendorSet.Value(SE_VPS_NAME)
       End If
   
       if VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then
   
           Err.Clear
           VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE
   
           If Err.Number <> 0 Then
               CheckError
           Else
               VendorSets.Save false, true
               CheckError
   
               If Err.Number = 0 Then
                   WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
               End If
           End If
       Else
           WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
       End If
   
   End Sub
   
   Sub CheckError()
   
       If Err.Number <> 0 Then
           WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
           Err.Clear
       End If
   
   End Sub
   
   SetValue

3. Save the file as a Microsoft Visual Basic script file by using the .vbs file name extension. For example, save the file as "Keepcookieseparator.vbs."
4. Click Start, click Run, type cmd, and then click OK.
5. Use the cd command to change to the directory to which you saved the .vbs file in step 3.
6. Type the following command, and then press ENTER:
   cscript Keepcookieseparator.vbs
   Note If you gave the file a name other than "Keepcookieseparator.vbs," modify this command as appropriate.

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

To remove the change, use the following script.