62

I have a site, e.g. example.com, where users can set their own subdomains (one user - one subdomain) and upload their own scripts, e.g. http://somedomain.example.com/xyzzy.php would map to /www/somedomain/xyzzy.php

Now, on some of those domains, Internet Explorer 7 won't/can't accept cookies. Checked with Fiddler: the server sends Set-Cookie response correctly, yet the cookie never shows up in IE - for JS or Developer Tools. On request, IE7 doesn't send the Cookie header either.

The cookies are set for the user's domain (e.g. somedomain.example.com), path is /, tried different expiration options (past, future, current, "0"), are not HttpOnly, are not secure.

FF, Opera, Safari and Chrome all work without problems.

Why does IE ignore the cookies?

Piskvor left the building
  • IE ignores that because it's The Great IE! This question helped me. Thanks! – Sanket Sahu Oct 22 '13 at 09:32
  • 5
    @Sanket: Glad it helped. While IE is not my favorite browser, in this case, it is arguably not in the wrong here - the other browsers are quietly accepting a break from the well defined standard, whereas IE quietly rejects it. I'd say that both these approaches could be done better, but IE is not the Big Bad Guy here. – Piskvor left the building Nov 03 '13 at 12:08

3 Answers

111

Does one of the subdomains use an underscore? IE has problems accepting cookies from subdomains that don't follow the URI RFC.

Thomas Orlita
u07ch
52

According to RFC1035 (Domain names - implementation and specification):

[domain names] must start with a letter, end with a letter or digit, and have as interior characters only letters, digits, and hyphen.

Turns out some of the domains had an underscore ( "_" ) in them: some_domain.example.com. Although this is a violation of the RFC, all other browsers work normally.

MSIE 7, on a domain with an underscore, silently drops all cookies for that host and refuses to accept new ones.

The only solution is to use RFC-compliant domains (I've replaced all the "_"s with "-"s and set up a RewriteRule so that traffic is redirected to the compliant domains).

Piskvor left the building
  • Could you post the rewrite rule? It looks as though I will be doing something similar this week... – richo Apr 20 '11 at 01:54
  • @Richo: Can't post the exact thing (I no longer have access to that code), but will try to re-create it. – Piskvor left the building Apr 20 '11 at 08:08
  • 1
    Hi Piskvor, I actually found a much neater solution using RewriteMaps. I made a shell script that basically just contains `sed -u 's/_/-/g'` and then created a map with `RewriteMap sedmap prg:/path/to/script` and used that in my rewrite. – richo Apr 21 '11 at 06:44
  • Hmm... I have another application where IE refuses to accept any cookies that use a domain. As soon as a domain is applied IE (9 and 7 checked) both refuse to accept the cookie and silently fail. – Rick Strahl Apr 25 '12 at 06:43
14

The problem doesn't only apply to underscores in domain names, but also to domain names starting with a numeric digit. So 1aaaaaaa.tld is actually a non-standard domain name, which will cause IE to reject the cookie.

I solved it by using only www2.1aaaaaaa.tld, and then adding rewrite rules for the 1aaaaaaa.tld and www.1aaaaaaa.tld hosts in .htaccess. Don't know if that really qualifies as a standards-compliant solution.... but anyway, it seems to have solved the cookie problem.

Hope that helps someone!

ErikE
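
The RFC 1035 rule quoted in the answers above (underscores, leading digits), written as a check that could run when a user picks a subdomain and when planning the rename of existing ones. This is an added example, not code from any of the posts: the function names and the sample subdomains are constructed, and the 63-character label limit comes from RFC 1035 rather than from the page. It goes one step beyond the answers by refusing an underscore-to-hyphen rename that would collide with a subdomain another user already holds.

```python
import re


def label_problems(label):
    """Return the reasons one DNS label breaks the RFC 1035 rule quoted above."""
    if not label:
        return ["empty label"]
    problems = []
    if len(label) > 63:  # per-label limit from RFC 1035 (not stated on the page)
        problems.append("longer than 63 characters")
    if not (label[0].isascii() and label[0].isalpha()):
        problems.append("does not start with a letter")
    if not (label[-1].isascii() and label[-1].isalnum()):
        problems.append("does not end with a letter or digit")
    bad = sorted(set(re.findall(r"[^A-Za-z0-9-]", label)))
    if bad:
        problems.append("illegal characters: " + " ".join(bad))
    return problems


def hostname_problems(host):
    """Map each offending label of a hostname to its list of problems."""
    return {l: p for l in host.rstrip(".").split(".") if (p := label_problems(l))}


def suggest_label(label):
    """Underscore -> hyphen, as in the answer; None if that does not fix it."""
    candidate = label.lower().replace("_", "-")
    return None if label_problems(candidate) else candidate


def rename_plan(subdomains):
    """Plan renames; names that collide or cannot be auto-fixed go to `manual`."""
    taken = {s.lower() for s in subdomains if not label_problems(s)}
    plan, manual = {}, []
    for name in subdomains:
        if not label_problems(name):
            continue
        new = suggest_label(name)
        if new is None or new in taken:
            manual.append(name)  # collision or not auto-fixable: pick a name by hand
        else:
            plan[name] = new
            taken.add(new)
    return plan, manual


if __name__ == "__main__":  # constructed sample of existing user subdomains
    print(rename_plan(["some_domain", "some-domain", "my_shop", "1aaaaaaa", "ok"]))
```

Under the rule as quoted, the label `1aaaaaaa` is still flagged inside `www2.1aaaaaaa.tld`, which matches the last answer's own doubt about whether that workaround is standards-compliant.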