Forum Discussion
rjordan
Apr 15, 2011 | Nimbostratus
cookie persistence problem - IE8 cookie domains
I'm having some issues with session persistence. I'm using the default cookie insert method (only customized the name) and it seems that IE requests are sending cookies for domains that don't really m...
Joel_Moses
Apr 15, 2011 | Nimbostratus
According to RFC-2109, the leading period before the domain name field in an HTTP cookie is required:
Domain=domain
Optional. The Domain attribute specifies the domain for which the
cookie is valid. An explicitly specified domain must always start
with a dot.
Lots of browsers will accept cookie domains without leading dots, but it's non-standard.
Now then, on to your other issue. The domain .domain.com on a cookie will match host "domain.com" and "sub.domain.com" as well. Firefox will take a cookie without a leading period set and declare it an "exact match" (this is actually called "Netscape cookie compatibility"), which is why this isn't broken on Firefox but is under IE. The trouble here is that Microsoft is reading the standard one way and the Mozilla folks another -- and that's not likely to change.
You're going to have to use a different persistence cookie name on each site. That's the most "compatible" way to handle this.
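The domain-matching difference described in the answer above, as an added example that is not part of the original thread or any browser's or F5's code: a simplified model of the two readings of a Domain attribute without a leading dot, showing when a request carries two persistence cookies with the same name. The host names, cookie names, cookie values and function names are all constructed for illustration.

```javascript
// Simplified model of the two cookie-domain readings discussed in this thread.
// All host names, cookie names and values below are constructed.

// mode "exact-match":  Domain without a leading dot matches only that host.
// mode "domain-match": Domain without a leading dot is treated like ".domain".
function cookieApplies(cookie, requestHost, mode) {
  const host = requestHost.toLowerCase();
  const raw = cookie.domain.toLowerCase();
  const hasDot = raw.startsWith(".");
  const bare = hasDot ? raw.slice(1) : raw;
  if (host === bare) return true;                 // same host always matches
  const isSubdomain = host.endsWith("." + bare);  // label boundary required
  return isSubdomain && (hasDot || mode === "domain-match");
}

// Cookies (name -> list of values) that would arrive in the Cookie header.
function cookiesSent(jar, requestHost, mode) {
  const sent = {};
  for (const c of jar) {
    if (cookieApplies(c, requestHost, mode)) {
      (sent[c.name] = sent[c.name] || []).push(c.value);
    }
  }
  return sent;
}

// Names that arrive with more than one value: persistence is ambiguous for these.
function ambiguousNames(jar, requestHost, mode) {
  const sent = cookiesSent(jar, requestHost, mode);
  return Object.keys(sent).filter((n) => sent[n].length > 1);
}

// Constructed jar: two sites share one persistence cookie name.
const sharedName = [
  { name: "persist", value: "pool-A-member-1", domain: "domain.com" },
  { name: "persist", value: "pool-B-member-2", domain: "sub.domain.com" },
];
// Same sites with one persistence cookie name per site, as the answer suggests.
const perSiteNames = [
  { name: "persist_main", value: "pool-A-member-1", domain: "domain.com" },
  { name: "persist_sub", value: "pool-B-member-2", domain: "sub.domain.com" },
];

for (const mode of ["exact-match", "domain-match"]) {
  console.log(mode, "shared:", ambiguousNames(sharedName, "sub.domain.com", mode));
  console.log(mode, "per-site:", ambiguousNames(perSiteNames, "sub.domain.com", mode));
}
```

With per-site names the parent site's cookie can still reach the sub site under the domain-match reading, but it arrives under a name that site's persistence profile does not look for.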