Subdomain cookie sent in request Cookie header, but not present in IE JavaScript's document.cookie - Stack Overflow

I'm having a strange problem with cookies which are being sent and received properly but are inaccessible to JavaScript on Internet Explorer. Chrome, Firefox, Opera, and Safari JavaScript is fine.

  1. Post to "http://wp.abc.example./content/sv2.cgi?id=1234", response sets cookies, issues 302 redirect:

    HTTP/1.0 302 Moved Temporarily
    Location: http://members.abc.example./abc/members/0912/07/news01.html
    Set-Cookie: AID=1495763b4fc6d5f4290e2074ab1092f7; expires=Tue Feb 16 09:33:03 2010 GMT; path=/abc/members/0912/07/news01.html; domain=abc.example.; ;
    Set-Cookie: LEADENDDATE=20091218; expires=Tue Feb 16 09:33:03 2010 GMT; path=/abc/members/0912/07/news01.html; domain=abc.example.; ;
    
  2. Browser requests target page, including the cookies just sent.

    GET /abc/members/0912/07/news01.html HTTP/1.1
    Cookie: AID=1495763b4fc6d5f4290e2074ab1092f7; LEADENDDATE=20091218;
    Host: members.abc.example.
    
  3. Run "javascript:alert(document.cookie);" in the browser address bar.

  4. On IE, and IE only, the cookies aren't there. Other browsers are fine. This is true for IE6, 7, and 8.

So in summary,

The "wp.abc.example." sets a cookie on "abc.example.", which is sent to the server in requests on "members.abc.example.", but not visible to JavaScript on that page.

Why?

I thought maybe instead of "abc.example." the cookie should be set on ".abc.example." to allow subdomain matching, but even so it's being sent in the "members.abc.example." request header.

Basically it's acting as though "HttpOnly" is set on the cookie, even though from the Set-Cookie header example shown above, that flag is not included. Does the extra ";" maybe have some effect?

asked Dec 18, 2009 at 10:11 by ryandenki; edited Dec 21, 2009 at 7:08

1 Answer

Eric Law wrote up a good article on IE's various cookie-handling quirks a while back. One of the questions he answers appears as though it may apply to your scenario:

Q8: Are there any limits to the HTML DOM document.cookie property?

A: [...]

Also, due to an obscure bug in the underlying WinINET InternetGetCookie implementation, IE’s document.cookie will not return a cookie if it was set with a path attribute containing a filename.
[...]

Note that your paths do include filenames:

    Set-Cookie: AID=1495763b4fc6d5f4290e2074ab1092f7; expires=Tue Feb 16 09:33:03 2010 GMT; path=/abc/members/0912/07/news01.html; domain=abc.example.; ;
    Set-Cookie: LEADENDDATE=20091218; expires=Tue Feb 16 09:33:03 2010 GMT; path=/abc/members/0912/07/news01.html; domain=abc.example.; ;

I suggest you try setting the cookies with filename-free paths, and see if that doesn't help...
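
The check suggested in the answer above can be run over response headers before they reach a browser. This is an added example, not code from the question, the answer, or the quoted article: it parses `Set-Cookie` lines and reports a `path` whose last segment looks like a filename, stray empty attributes, and `HttpOnly` (the by-design reason a cookie is hidden from `document.cookie`). The function names, the finding labels, and the rule that a last path segment containing a dot is a filename are assumptions.

```javascript
// Added example: lint Set-Cookie headers for the issues raised in this thread.
// Assumption: a path whose last segment contains "." is treated as a filename.
function parseSetCookie(header) {
  const parts = header.replace(/^set-cookie:\s*/i, "").split(";").map((p) => p.trim());
  const eq0 = parts[0].indexOf("=");
  const name = eq0 === -1 ? parts[0] : parts[0].slice(0, eq0);
  const cookie = { name, attrs: {}, emptyAttrs: 0 };
  for (const part of parts.slice(1)) {
    if (part === "") { cookie.emptyAttrs += 1; continue; } // empty segment left by a stray ";"
    const eq = part.indexOf("=");
    const key = (eq === -1 ? part : part.slice(0, eq)).toLowerCase();
    cookie.attrs[key] = eq === -1 ? true : part.slice(eq + 1).trim();
  }
  return cookie;
}

function lintCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  const path = typeof c.attrs.path === "string" ? c.attrs.path : "";
  const cut = path.lastIndexOf("/") + 1;
  let suggestedPath = path;
  if (path.slice(cut).includes(".")) {
    // The condition the quoted article describes: path attribute names a file.
    findings.push("path-has-filename");
    suggestedPath = path.slice(0, cut); // keep only the directory part
  }
  if (c.emptyAttrs > 0) findings.push("empty-attribute");
  if (c.attrs.httponly === true) findings.push("httponly-set"); // hidden from script by design
  return { name: c.name, findings, suggestedPath };
}

// Sample input: the first two lines are the headers quoted in the question,
// the third is constructed for contrast.
const sample = [
  "Set-Cookie: AID=1495763b4fc6d5f4290e2074ab1092f7; expires=Tue Feb 16 09:33:03 2010 GMT; path=/abc/members/0912/07/news01.html; domain=abc.example.; ;",
  "Set-Cookie: LEADENDDATE=20091218; expires=Tue Feb 16 09:33:03 2010 GMT; path=/abc/members/0912/07/news01.html; domain=abc.example.; ;",
  "Set-Cookie: SID=constructed; path=/abc/members/; HttpOnly",
];

for (const h of sample) console.log(lintCookie(h));
```

Replacing the path with its directory also widens the cookie's scope: it is then sent with requests for every page under that directory.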
