IE Forgets Cookies on Sub-Domains with an Underscore

Internet Explorer Fail LogoOk, so one more reason to hate IE: Internet Explorer fails to hold cookies when viewing URLs that have a sub-domain with an underscore. I found this when the project I'm developing just refused to hold on to a session when viewing the site from Internet Explorer. Almost all of the server-side technology I was using was new to me, so I lost a full day trying to figure out if it was ColdFusion 9, IIS7, or the ColdFusion on Wheels framework that was breaking the sessions before I found out that the IE browsers choke on underscores. FireFox and Chrome didn't care about the underscore, but IE6 through IE8 lost their session because they couldn't hold onto the cookies for the site.

So, if you're loosing your sessions in Internet Explorer, check your URL. I'm not sure if there are other characters besides an underscore that would cause the cookie loss, but it wouldn't surprise me.



Rick O's Gravatar Maybe there's a misplaced modifier going on, so I'm not understanding your true point, but ... yeah. Underscores aren't legitimate characters in hostnames -- only letters, numbers, and the hyphen are legit. Anything else is supposed to go through IDNA encoding. Is it really a surprise that IE chokes on invalid input?
Jon Hartmann's Gravatar @Rick O: Its not surprising that it fails to understand an invalid input, but it is a problem if the other common browsers don't have an issue with it. Its also a problem when the only identification of the address being invalid is when a small part of the application seems to act strangely. While I understand that the sub-domain "dev_test" is not a legal value, IE lets me browse to that domain, displays the contents, but it just doesn't save cookies from there. If the sub-domain was truly "invalid", shouldn't there be a more obvious sign that something was wrong? Also, whats the harm in letting the invalid sub-domain work? Chrome and FireFox don't seem to have an issue with it at all.

This post is also partly just to provide an answer for any one trying to figure out why there sessions might be disappearing in IE: I did a lot of Googling for various terms trying to figure out what was going on, and it wasn't until *after* I figured out what was going on that I was able to find a post or article stating that an underscore in the sub-domain was the cause of the problem.
Eric's Gravatar Thanks! I just had this issue.
Luiz Vital's Gravatar Hey man!
Thanks for the post! It seemed unbelievable that this was happening with a site I developed... have never seem that mentioned before.
Surely if Microsoft implements any standard, it will do just half part of it, and poorly. Ridiculous!
Eugene's Gravatar Thanks.
It's very helpful. I had same problem, and after rename my machine, all work.
Paul's Gravatar I would almost argue that IE is only browser that is succeeding here. Some of the modern browsers are getting too lenient. For example I might have a broken html structure (bad code, typo, or whatever), and I don't realize until I open it in IE, because chrome and firefox will see the issue and try to correct it automatically -- I would rather have the browser fail so that I realize there is a problem.

That being said, it is odd that the site will work fine with the exception of cookies not working correctly. It would have been a lot easier to figure out if the site didn't work at all. And like you said, it wasn't until after I figured it out until I was able to use the right search terms to find anything about it.
Paul's Gravatar P.S. Thanks for the post!
Varghese's Gravatar Why they are not allowing this? Is there any round about to solve this issue, other than changing the URL? Not only in IE-8, the issue exists in IE-9 also.
Jon Hartmann's Gravatar @Varghese I've not heard of a work around, no, and I doubt that IE will change this behavior; they are technically on the right side of the standards. Sorry for that, but you'll probably have to change the URL.
Joe Wilkinson's Gravatar Thanks for the post--this was very would work fine on one host but not another.

Anyway, to the people defending MS...we're all developers here, right? When you get invalid input, do you ignore it and continue to work with crippled functionality that results in weird downstream behavior that's very tough to debug, or do you pop up a message box informing the user of their mistake? Please tell me it's the latter.

If it's the former, might I suggest the following:
Andy's Gravatar Thank you for blogging about this. What a nightmare to debug!
Jon Hartmann, July 2011

I'm Jon Hartmann and I'm a Javascript fanatic, UX/UI evangelist and former ColdFusion master. I blog about mysterious error messages, user interface design questions, and all things baffling and irksome about programming for the web.

Learn more about me.

Post a job. Find one.

Interested in becoming a sponsor? Contact me.