IE Cookie Domain Bug
I run across bizarre IE bugs from time to time, but this one was obscure enough that it bears repeating.
We created a beta site for Chow at beta.chow.com to test out new features and wanted our login cookies to work across both domains, so we changed the existing code to:
cookies[:pk] = { :value => 'foo', :domain => '.chow.com' }
Pretty simple, but we ran into a couple of problems.
The first is that cookies.delete(:pk) won’t work, because you can’t pass options to it, which is a problem when you’ve set the domain manually.
You can get around this by setting the same cookie with :expires => Time.at(0). Chris wrote a patch to fix this a year ago, but I digress.
A much worse problem is when you’ve set different cookies with a ‘www.chow.com’ domain and a ‘.chow.com’ domain.
Firefox and Safari handle each cookie correctly, but IE will use the domain from the cookie it read in last.
This meant any user trying to access the beta site couldn’t get in because IE was using the www.chow.com cookie. This hasn’t been fixed in IE 7 either.
If you’re curious how something like this would happen in the first place, we set a timezone cookie via JavaScript (using my Zoned Rails plugin) and set the rest of the cookies within our application code.
I had updated the app code to use the ‘.chow.com’ domain, but neglected the JavaScript, thus causing the issue.
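As an added example (not code from the original post or from Rails), the following Ruby script audits the cookie strings a site sets for mixed Domain attributes, and builds the expiring header needed to delete a domain-scoped cookie, as in the workaround above. The cookie name `timezone`, its value and the sample strings are assumptions constructed for illustration.

```ruby
require 'time'

# Parse one Set-Cookie / document.cookie style string into name, domain, path.
def parse_cookie(line)
  pairs = line.split(';').map(&:strip)
  name, _value = pairs.shift.split('=', 2)
  attrs = pairs.each_with_object({}) do |pair, h|
    key, val = pair.split('=', 2)
    h[key.downcase] = val
  end
  { name: name, domain: attrs['domain'], path: attrs['path'] || '/' }
end

# Group cookie names by the Domain attribute they were set with.
def domains_in_use(lines)
  lines.map { |l| parse_cookie(l) }
       .group_by { |c| c[:domain] || '(host-only)' }
       .transform_values { |cs| cs.map { |c| c[:name] }.sort }
end

# More than one Domain scope in use is the situation that led to the bug here.
def mixed_domains?(lines)
  domains_in_use(lines).size > 1
end

# Build the header that expires a cookie. Domain and path must match the
# values used when the cookie was set, or the browser sees a different cookie.
def expire_header(cookie)
  parts = ["#{cookie[:name]}=", "path=#{cookie[:path]}"]
  parts << "domain=#{cookie[:domain]}" if cookie[:domain]
  parts << "expires=#{Time.at(0).utc.httpdate}"
  parts.join('; ')
end

# Constructed sample: one cookie from application code, one from JavaScript.
SAMPLE = [
  'pk=foo; domain=.chow.com; path=/',
  'timezone=-480; domain=www.chow.com; path=/' # hypothetical name and value
].freeze

domains_in_use(SAMPLE).each { |domain, names| puts "#{domain}: #{names.join(', ')}" }
puts 'WARNING: cookies set with more than one domain' if mixed_domains?(SAMPLE)
puts expire_header(parse_cookie(SAMPLE.first))
```

Running a check like this over both the server-side headers and any cookie strings assembled in client-side scripts catches the case where one code path was updated and the other was not.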