IE Cookie Domain Bug

Apr 14, 2007

I run across bizarre IE bugs from time to time, but this one was obscure enough that it bears repeating.

We created a beta site for Chow at beta.chow.com to test out new features and wanted our login cookies to work across both domains, so we changed the existing code to:


cookies[:pk] = { :value => 'foo', :domain => '.chow.com' }

Pretty simple, but we ran into a couple of problems.

The first is that cookies.delete(:pk) won’t work, because you can’t pass options to it, which is a problem when you’ve set the domain manually.

You can get around this by setting the same cookie with :expires => Time.at(0). Chris wrote a patch to fix this a year ago, but I digress.

A much worse problem is when you’ve set different cookies with a ‘www.chow.com’ domain and a ‘.chow.com’ domain.

Firefox and Safari handle each cookie correctly, but IE will use the domain from the cookie it read in last.

This meant any user trying to access the beta site couldn’t get in because IE was using the www.chow.com cookie. This hasn’t been fixed in IE 7 either.

If you’re curious how something like this would happen in the first place, we set a timezone cookie via JavaScript (using my Zoned Rails plugin) and set the rest of the cookies within our application code.

I had updated the app code to use the ‘.chow.com’ domain, but neglected the JavaScript, thus causing the issue.
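
An added example, not code from the original post: a small Ruby check that takes the cookie strings a site sets, reports which domain scopes are in use, and builds the expiring headers needed to clear cookies left under the wrong scope. The cookie name "tz", the sample values and the helper names are assumptions made for illustration.

```ruby
require 'time'

# Constructed sample: [host that set the cookie, cookie string as set].
# The "tz" name and its value are assumptions modelled on the post.
OBSERVED = [
  ['www.chow.com',  'tz=-480; path=/'],                   # set from JavaScript, no domain
  ['www.chow.com',  'pk=foo; domain=.chow.com; path=/'],  # set by the application
  ['beta.chow.com', 'pk=foo; domain=.chow.com; path=/']
].freeze

# Split one cookie string into its name and the domain it ends up scoped to.
# Without a domain attribute the cookie is scoped to the host that set it.
def cookie_scope(cookie, host)
  pair, *attrs = cookie.split(';').map(&:strip)
  explicit = attrs.map { |a| a.split('=', 2) }
                  .find { |k, _| k.to_s.casecmp('domain').zero? }&.at(1)
  { name: pair.split('=', 2).first,
    domain: (explicit || host).downcase,
    explicit: !explicit.nil? }
end

# Map each domain scope in use to the cookie names set under it.
def domains_in_use(observed)
  observed.each_with_object(Hash.new { |h, k| h[k] = [] }) do |(host, cookie), acc|
    c = cookie_scope(cookie, host)
    acc[c[:domain]] |= [c[:name]]
  end
end

# Cookies scoped to anything other than the wanted domain (the mix the post describes).
def stray_cookies(observed, wanted)
  observed.map { |host, cookie| cookie_scope(cookie, host) }
          .reject { |c| c[:domain] == wanted }.uniq
end

# The post's workaround: re-set each stray cookie under its own scope, expiring at the epoch.
# A cookie that had no domain attribute must be cleared by the host that set it.
def expiry_headers(strays)
  epoch = Time.at(0).utc.httpdate
  strays.map do |c|
    domain = c[:explicit] ? "; domain=#{c[:domain]}" : ''
    "#{c[:name]}=#{domain}; path=/; expires=#{epoch}"
  end
end

if __FILE__ == $PROGRAM_NAME
  puts domains_in_use(OBSERVED).inspect
  puts expiry_headers(stray_cookies(OBSERVED, '.chow.com'))
end
```

More than one key in the result of domains_in_use means the site is mixing scopes, which is the condition that locked IE users out of the beta site.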

2 comments


Mike said 2 months later:

Yay! This bug still exists. I just ran into it this morning with ASP.NET authentication cookies and custom cookies using different domains. Will it ever be fixed?

Tony said about 1 year later:

I’m having a hell of a time with this bug. I inherited a site that uses cookies to hold the cart contents. While I’ve put some checks to force it to www.domain.com I still don’t have a foolproof way of deleting the past cookies to help end users work past this bug.

Thanks for the posting.
