Internet Explorer ignores cookies on some domains (cannot read or set cookies)
Internet ExplorerCookiesInternet Explorer Problem Overview
I have a site, e.g. example.com
, where users can set their own subdomains (one user - one subdomain) and upload their own scripts, e.g. http://somedomain.example.com/xyzzy.php
would map to /www/somedomain/xyzzy.php
Now, on some of those domains, Internet Explorer 7 won't/can't accept cookies. Checked with Fiddler: the server sends Set-Cookie response correctly, yet the cookie never shows up in IE - for JS or Developer Tools. On request, IE7 doesn't send the Cookie header either.
The cookies are set for the user's domain (e.g. somedomain.example.com
), path is /
, tried different expiration options (past, future, current, "0"), are not HttpOnly, are not secure.
FF, Opera, Safari and Chrome all work without problems.
Why does IE ignore the cookies?
Internet Explorer Solutions
Solution 1 - Internet Explorer
Does one of the subdomains use an underscore? IE has problems accepting cookies from subdomains that don't follow the URI RFC.
Solution 2 - Internet Explorer
According to RFC1035 (Domain names - implementation and specification):
> [domain names] must start with a letter, end with a letter or digit, and have as interior characters only letters, digits, and hyphen.
Turns out some of the domains had an underscore ( "_" ) in them: some_domain.example.com
. Although this is a violation of the RFC, all other browsers work normally.
MSIE 7, on a domain with an underscore, silently drops all cookies for that host and refuses to accept new ones.
The only solution is to use RFC-compliant domains (I've replaced all the "_"s with "-"s and set up a RewriteRule so that traffic is redirected to the compliant domains).
Solution 3 - Internet Explorer
The problem doesn't only apply for underscores in domain names, but also for domain names starting with a numeric digit. So 1aaaaaaa.tld
is actually a non-standard domain name, which will cause IE to reject the cookie.
I solved it by using only www2.1aaaaaaa.tld
, and then adding rewrite rules for the 1aaaaaaa.tld
and www.1aaaaaaa.tld
hosts in .htaccess
. Don't know if that really qualifies as a standards-compliant solution.... but anyway, it seems to have solved the cookie problem.
Hope that helps someone!