Forum Discussion

rjordan's avatar
Icon for Nimbostratus rankNimbostratus
Apr 15, 2011

cookie persistence problem - IE8 cookie domains

I'm having some issues with session persistence. I'm using the default cookie insert method (only customized the name) and it seems that IE requests are sending cookies for domains that don't really match. If the browser requests, shouldn't the cookie domain be set to "", not ""? It seems that IE does not follow this practice, but Firefox works properly.


The web application has some chatter between and (separate VIPs) and IE is sending the persist cookie for in the request for The load balancer dumps both cookies, makes a new load balancer decision and sends a new cookie in the response. This what it looks like:



Request to


response: LB-Persist=ABC New persist cookie for



302 to


request: LB-Persist=ABC Why is it sending the cookie for


response: LB-Persist=DEF New persist cookie for



302 to


request: LB-Persist=ABC Properly sending cookie in the request



302 to


request: LB-Persist=ABC Again incorrectly sending the cookie for


request: LB-Persist=DEF Also sends appropriate cookie for


response: LB-Persist=GHI The response includes a new persist cookie and the session is lost



Has anyone dealt with this before? I'm hoping the persistence settings can be modified without dealing with iRules. We have several hundred VIPs and it could be a management nightmare if we have to customize each one.





2 Replies

  • According to RFC-2109, the leading period before the domain name field in an HTTP cookie is required:

          Optional.  The Domain attribute specifies the domain for which the
          cookie is valid.  An explicitly specified domain must always start
          with a dot.

    Lots of browsers will accept cookie domains without leading dots, but it's non-standard.

    Now then, on to your other issue. The domain on a cookie will match host "" and "" as well. Firefox will take a cookie without a leading period set and declare it an "exact match" (this is actually called "Netscape cookie compatibility"), which is why this isn't broken on Firefox but is under IE. The trouble here is that Microsoft is reading the standard one way and the Mozilla folks another -- and that's not likely to change.

    You're going to have to use a different persistence cookie name on each site. That's the most "compatible" way to handle this.
  • I am facing kind of similar issue. I have two domains (primary and secondary) mapped to in the hosts file. I have web application deployed on weblogic (only one application deployed).







    Now I open up IE8 and go to primary domain i.e. and login successfuly. The session cookie I see in the response is






    Now I open another tab in the same browser window of IE8 and try to navigate to subdomain (


    ). Now the subdomain also has the cookie from primary domain. Though I try to clear it by setMaxAge(0), setPath("/"), setdomain, however this cookie does not clean out which causes the weblogic to not accept the session, returns me to the Login page on the second ie tab (subdomain).



    This does not happen if instead of a tab I open up a new browser window.



    This issue does not occur on firefox, chrome. Please provide a solution to this issue