Well, I said I would post back when I determined in what way IE8 was breaking my cookies, and I think I have. The issue seemed to be a combination of a difference in the way IE8 handles session cookies (cookies that are deleted when the browser closes) for linked resources (such as my opensearch xml specification) and an authentication policy I previously had on Svidgen. That is, until recently, any unauthenticated HTTP request acted as an explicit sign-out. I think this would still be a nice security precaution to implement, but IE8's cookie handling won't allow it.
My initial quick-fix for this issue was to give my opensearch specification some caching rules that would encourage browsers to avoid requesting the spec on each page load (they really shouldn't be anyway). However, because these caching directives are not necessarily adhered to, I have now also changed my session behavior to some extent. Unauthenticated HTTP requests no longer act as an explicit sign-out on Svidgen. If this behavior doesn't seem to match your experience with the site, please let me know as soon as possible!
I also found some forum posts floating around which suggested that IE8 requires the domain attribute to be set in cookie headers. I updated all of my cookie-setting code to reflect this alleged requirement, because it's good to be explicit. However, I am very skeptical that IE8 ignores cookies without an explicitly set domain. In fact, I think the requirement was probably "deduced" by a shoddy developer at wits' end ... Point me in the direction of some documentation if I'm wrong.
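The interaction described above, as an added example that is not Svidgen's code: a small model of a server under the old and new policies and a browser jar walking through a page load, a fetch of the linked spec, and a second page load. It assumes the linked-resource request arrives without the session cookie and that sign-out is an expiring `Set-Cookie`; the cookie name, domain, session id and `max-age` value are constructed.

```python
from http.cookies import SimpleCookie

SESSIONS = {"s3cr3t-id": "alice"}       # constructed server-side session table
COOKIE, DOMAIN = "sid", "example.test"  # hypothetical cookie name and domain

def respond(path, cookie_header, signout_on_unauth):
    """Return (user, headers) for one request under the chosen policy."""
    jar = SimpleCookie(cookie_header or "")
    sid = jar[COOKIE].value if COOKIE in jar else None
    user = SESSIONS.get(sid)
    headers = []
    if path == "/opensearch.xml":
        # Quick fix from the post: let the browser cache the spec.
        headers.append(("Cache-Control", "public, max-age=86400"))
    if user is None and signout_on_unauth:
        # Old policy: any unauthenticated request expires the session cookie.
        out = SimpleCookie()
        out[COOKIE] = ""
        out[COOKIE]["domain"] = DOMAIN  # explicit Domain, as the post now sets
        out[COOKIE]["path"] = "/"
        out[COOKIE]["max-age"] = 0
        headers.append(("Set-Cookie", out[COOKIE].OutputString()))
    return user, headers

def browse(signout_on_unauth):
    """Page load, cookieless fetch of the linked spec, then another page load."""
    browser = {COOKIE: "s3cr3t-id"}     # browser-side jar after sign-in
    seen = []
    steps = [("/", True), ("/opensearch.xml", False), ("/", True)]
    for path, sends_cookie in steps:
        header = "; ".join(f"{k}={v}" for k, v in browser.items()) if sends_cookie else ""
        user, headers = respond(path, header, signout_on_unauth)
        for name, value in headers:
            if name != "Set-Cookie":
                continue
            for key, morsel in SimpleCookie(value).items():
                if morsel["max-age"] == "0":
                    browser.pop(key, None)   # the expiring cookie signs the user out
                else:
                    browser[key] = morsel.value
        seen.append((path, user))
    return seen

if __name__ == "__main__":
    print("old policy:", browse(True))
    print("new policy:", browse(False))
```

Under the old policy the single cookieless fetch clears the jar, so the second page load is anonymous; under the new policy the session survives it.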
Monday, December 7, 2009
(IE8) Cookies have been reassembled!
Posted at 7:24 AM
Topics: site updates