ASP.NET Forms authentication cookie not set in IE9 regardless of browser cookie settings

Question

We have an ASP.NET application running on .NET 3.5 and are running into a problem with the forms authentication cookie not being set on IE9. We can see in the HTTP headers that the Set-Cookie header exists in the response, but the following request does not include that cookie.

I've tried changing every setting in IE that I could find that might relate to cookies and nothing helped. Specifically:

Tools > Options > Security > Trusted Sites > Added..

Tools > Options > Security > Uncheck 'Enable Protected Mode'

Tools > Options > Privacy > Accept All Cookies (lowest)

Tools > Options > Privacy > Sites > Added..

Tools > Options > Privacy > Advanced > Override automatic..

Tools > Options > Privacy > Advanced > Always allow session cookies

Here's the headers for the response with the cookie followed by the next request which doesn't include it:

HTTP/1.1 302 Found
Date: Sun, 29 Jan 2012 01:45:17 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /Default.aspx
Set-Cookie: MyApp=34C244EF0AAD...; expires=Sun, 29-Jan-2012 03:45:17 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8520

    
GET /Default.aspx HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://app.myserver.edu/sec/login.aspx
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; MALC)
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: app.myserver.edu
Pragma: no-cache
Cookie: ASP.NET_SessionId=nybswv45aezj5wioscv832jg

Is there any way to find out why IE9 is not setting the cookie? Anything I can adjust in my Web.config that would affect this? My authentication section is this:

    <authentication mode="Forms">
        <forms name="MyApp" loginUrl="/sec/login.aspx"/>
    </authentication>

"expires=Sun, 29-Jan-2012 03:45:17 GMT"? Old example headers? — sisve, Feb 03 '12 at 05:36
@Simon Svensson, yes, the example headers are old, but not that old. You're right, the time is the problem — Samuel Neff, Feb 06 '12 at 20:56

score 2 · Accepted Answer · answered Feb 06 '12 at 20:57

Simon Svensson was right in his comment. The headers posted above are old, but not as old as the date in the header. The server time is off by a few days so when the server is sending the expires time, even though it's two hours ahead of the server response time, it's past the expiration time according the the client clock.

Fixing the server clock resolved the issue. Thanks Simon!

score 0 · Answer 2 · edited May 23 '17 at 10:29

0

If you are loading the ASP.NET website within an IFRAME, you will need to include P3P headers. See Cookie blocked/not saved in IFRAME in Internet Explorer

I believe your site is working on Chrome, Firefox etc since you specifically mentioned IE9.

edited May 23 '17 at 10:29

Community

1
1

answered Feb 03 '12 at 05:25

Jeow Li Huan

3,758
1
34
52

Thanks for the comment and link. No IFRAMEs. – Samuel Neff Feb 06 '12 at 01:02

ASP.NET Forms authentication cookie not set in IE9 regardless of browser cookie settings

2 Answers2