28.03.2011

The underscore affair - No cookies for IE!

 Per Bernhardt

Let me tell you yet another story about IE as the perfect weekend companion: I was deploying a web application to a customer's test environment for some finishing touches. I soon noticed that I could not login with IE, while everything worked fine with the "normal guys" (FF, Opera, Chrome, Safari...). Some frustrating hours of curl/telnet/tcpdump, crawling forums and reading blogs followed, but the only thing I could say is that IE was constantly ignoring the session cookie.

Let me tell you yet another story about IE as the perfect weekend companion: I was deploying a web application to a customer's test environment for some finishing touches. I soon noticed that I could not login with IE, while everything worked fine with the "normal guys" (FF, Opera, Chrome, Safari...). Some frustrating hours of curl/telnet/tcpdump, crawling forums and reading blogs followed, but the only thing I could say is that IE was constantly ignoring the session cookie.

It was a blog comment that finally helped me. After tons of IE security issues and apache configuration settings that had nothing to do with the problem, one guy casually mentioned that IE does not accept cookies from domain names containing an underscore. The customer had named his host "foo_bar.company.local".

To be fair, the domain name RFC does not permit underscores, so IE was not really doing it wrong. But one of the major principles of web architecture is tolerance: "Be conservative in what you do and liberal in what you expect". IE is doing neither.