Monday, December 7, 2009

(IE8) Cookies have been reassembled!

Well, I said I would post back when I determined in what way IE8 was breaking my cookies, and I think I have.  The issue seemed to be a combination of a difference in behavior in which IE8 handles session cookies (cookies that are deleted when the browser closes) for linked resources (such as my opensearch xml specification) and an authentication policy I previously had on Svidgen.  That is, until recently, any un-authenticated HTTP request acted as an explicit sign-out.  I think this would still be a nice security precaution to implement, but IE8's cookie handling won't allow it.

My initial quick-fix for this issue was to give my opensearch specification some caching rules that would encourage browser to avoid requesting the spec on each page load (they really shouldn't be anyway).  However, because these caching directives are not necessarily adhered to, I have now also changed my session behavior to some extent.  Unauthenticated HTTP no longer act as an explicit sign-out on Svidgen.  If this behavior doesn't seem to match your experience with the site, please let me know as soon as possible!

I also found some forum posts floating around which suggested that IE8 requires the domain attribute to be set in cookie headers.  I updated all of my cookie-setting code to reflect this alleged requirement, because it's good to be explicit.  However, I am very skeptical that IE8 ignores cookies without an explicitly set domain.  In fact I think the requirement was probably "deduced" by a shoddy developer at whits end ... Point me in the direction of some documentation if I'm wrong.


  1. I ran acroos your site while searching for an solution. My experience with the IE8 cookie issue is that it is related to paths.

    If an authenticated page say [domain]/EN/myPage.html

    Returns a session cookie. The cookie is added to requests to say ./EN/someother.html page, but is not added to the GET for a page higher in the tree like: ./broken.html surprisingly a reference to ./FR/works.html gets the cookie. It's as if it counts the slashes, and assumes that a reference higher up the tree structure is a different domain.

    Not sure why it does this certainly firefox doesn't, but it's driving me nuts. I've been forced to flatten all my directories to get around it. Still looking for some magic directive to get around it.

  2. I don't think that issue would have been playing a role on Svidgen. All of Svidgen's cookies *should* be getting set with a path of "/". Though, I don't doubt that IE8 is treating the path attribute differently than most other browsers ...