19

IE10 appears to handle cookies and subdomains differently than other major browsers (IE8, IE9, Firefox, Chrome, Safari).

We use subdomains extensively for test environments, e.g.:

  • user1.devel.example.com
  • user2.devel.example.com
  • qa.example.com

And our production environment lives at the top, e.g. example.com (and technically at www.example.com as well).

We use the php setcookie($name, $value, $expires) function naively (no explicit path or domain is specified) to set a cookie, and then clear cookies (when user logs out) by assigning an empty string to the value. This has always worked fine, and each unique subdomain used their own cookies.

IE10 now "shares" the cookie that was set in the TLD with all subdomains. The initial symptom we observed was that no one could log out of the subdomain. We've observed a few things:

  • Even though it shares the value, no subdomain is able to clear the cookie.
  • When the TLD clears the cookie, it is immediately removed from all subdomains as well.

Has anyone else observed similar behavior to how IE10 stores/applies cookies relative to subdomains? Is there any workaround, other than being explicit about which domain the cookie applies to when sending the initial Set-Cookie header?

Undo
  • 25,519
  • 37
  • 106
  • 129
Mike Griffith
  • 1,201
  • 11
  • 17
  • I've experienced troubles with IE10 and cookies. I don't know if your problem is the same. See here for more informations on my problem : http://stackoverflow.com/questions/15856886/ajax-on-ie10-dont-send-cookies – jmcollin92 Apr 06 '13 at 22:49
  • This behavior is present in IE8 and IE9, too. – Rob H Sep 18 '13 at 14:05

4 Answers4

16

I have just run into this issue.

Here is a link to someone exploring this bug/issue: Cookies with and without the Domain Specified (browser inconsistency)

This also might be related: Cookie set for subdomain, but IE Developer Tools show cookie at root domain. What am I missing?

My conclusion is that when setting a cookie from a non-www root domain ( http://sites.com ), in IE this is seen as a wildcard cookie for all subdomains. Chrome and Firefox do not show this behavior - they associate a cookie set from a non-www root domain as being associated only with that root.

I coded up example sites using .net webforms, IIS and my hosts file. I had 3 sites: a.site.com, b.site.com and site.com. They all served cookies with the exact same name. Let's call it "ShoppingCart".

You can set multiple properties on cookies, including the domain the cookie should be associated with. I left this property to be defined/left undefined by .net. When Chrome received the cookie from each site, it displayed the domain of the cookie as being explicitly from the domain listed in the browser address bar. In IE this was not the case. IE treats the cookie from http://sites.com as being defined as ".sites.com" and according to the RFC for cookies this means it is accessible from all subdomains.

Also in IE, if multiple cookies are set with the same name, IE returns them to the server in the order they were set. So if I visit http://sites.com first and then visit http://a.sites.com and then refresh, IE views the cookie from http://sites.com as a valid cookie to send to the server in it's request for http://a.sites.com which is sent along with the cookie for http://a.sites.com, except the cookie for http://sites.com is the first in the list.

In .net, from what I've seen, cookies are generally accessed by keyname and not by index. So when the server side code attempts to access the value for the key named "ShoppingCart", it will grab the value for the first site that set the cookie value - here that would be http://sites.com.

In summary - don't use non-www domains when you have subdomains that all share the same cookie key names because, while Chrome/Firefox handle the domain association as you would expect, IE causes buggy behavior.

Edit--

Just to clarify for anyone reading this, I was using IE10 to explore this issue.

Community
  • 1
  • 1
seangwright
  • 17,245
  • 6
  • 42
  • 54
3

Super easy way to fix this if you have multiple PHP sites on a domain.

For example - if you have Wordpress on the root (example.com) and you have a custom PHP app on the subdomain (a.example.com) then either within your app or Wordpress you need to set a different SessionName.

Add the session_name() prior to your session_start() which should give two seperate names to the session and therefore not clash.

session_name('AppSession');
session_start();

Easy.

user3658991
  • 95
  • 1
  • 5
  • Yes thank you this totally worked for me. I have example.com and webapp.example.com and the cookies from example.com were colliding in IE so I couldn't log into webapp.example.com. This fixed it for me, I just throw the domain name into the session name. `$sesName = (isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : $_SERVER['SERVER_NAME']); $sesName = str_replace('.', '', $sesName); $sesName = str_replace('-', '', $sesName); $sesName = str_replace(':', '', $sesName); session_name($sesName);` – Nico Westerdale Oct 26 '16 at 18:31
1

Yes, this is a known issues it seems, read here: http://blogs.msdn.com/b/ieinternals/archive/2009/08/20/wininet-ie-cookie-internals-faq.aspx

They refer to this test: http://debugtheweb.com/test/cookieinherit.aspx and http://www.debugtheweb.com/test/cookieinherit.aspx

David d C e Freitas
  • 7,481
  • 4
  • 58
  • 67
0

I am having same issue in IE 11.0.9600 for php session cookie: Internet Explorer is sending root domain cookies to all its subdomains. To solve this, I store the domain name in a session variable:

$_SESSION['URL'] = str_replace('www.', '', $_SERVER['HTTP_HOST']);

Then for every request, I check the session variable:

if ( str_replace('www.', '', $_SERVER['HTTP_HOST']) !=  $_SESSION['URL']) {
  session_regenerate_id(true);
  $_SESSION = array();
  $_SESSION['URL'] = str_replace('www.', '', $_SERVER['HTTP_HOST']);
}

Then, when we move from the root domain to the subdomain, we will not be 'in' the same session.

Andy Mikula
  • 16,796
  • 4
  • 32
  • 39
Vas
  • 1
  • 2