Internet Explorer ignores cookies on some domains (cannot read or set cookies)

Question

I have a site, e.g. example.com, where users can set their own subdomains (one user - one subdomain) and upload their own scripts, e.g. http://somedomain.example.com/xyzzy.php would map to /www/somedomain/xyzzy.php

Now, on some of those domains, Internet Explorer 7 won't/can't accept cookies. Checked with Fiddler: the server sends Set-Cookie response correctly, yet the cookie never shows up in IE - for JS or Developer Tools. On request, IE7 doesn't send the Cookie header either.

The cookies are set for the user's domain (e.g. somedomain.example.com), path is /, tried different expiration options (past, future, current, "0"), are not HttpOnly, are not secure.

FF, Opera, Safari and Chrome all work without problems.

Why does IE ignore the cookies?

Answer 1

The problem doesn't only apply for underscores in domain names, but also for domain names starting with a numeric digit. So 1aaaaaaa.tld is actually a non-standard domain name, which will cause IE to reject the cookie.

I solved it by using only www2.1aaaaaaa.tld, and then adding rewrite rules for the 1aaaaaaa.tld and www.1aaaaaaa.tld hosts in .htaccess. Don't know if that really qualifies as a standards-compliant solution.... but anyway, it seems to have solved the cookie problem.

Hope that helps someone!

Answer 2

According to RFC1035 (Domain names - implementation and specification):

[domain names] must start with a letter, end with a letter or digit, and have as interior characters only letters, digits, and hyphen.

Turns out some of the domains had an underscore ( "_" ) in them: some_domain.example.com. Although this is a violation of the RFC, all other browsers work normally.

MSIE 7, on a domain with an underscore, silently drops all cookies for that host and refuses to accept new ones.

The only solution is to use RFC-compliant domains (I've replaced all the "_"s with "-"s and set up a RewriteRule so that traffic is redirected to the compliant domains).

Answer 3

Does one of the subdomains use an underscore?
IE has problems accepting cookies from subdomains that don't follow the URI RFC.