Internet Explorer Cookies Bug
As a white-label URL shortener, ShortSwitch.com needs to support logins not only from our own domain but from a user's account domain as well. One of our customers opened a ticket to inform us that some of his customers - namely those using Internet Explorer - were having problems logging in.
At the time we were setting the browser cookie domain to .domain (e.g., .ab.cd, .abc.com) per a very nice write-up on handling sessions in a multi-domain environment using Dynamic cookies and Rack. After adding debugging lines all over the Ruby on Rails core code we found the problem - IE was not setting cookies for domains of less than five characters.
Internet research showed us that Microsoft had fixed a bug where IE would not set a cookie for two-letter domains. Specifically, they fixed it for root domains of two letters (e.g., ab.com). But we had discovered that there's still a bug in IE where cookies will not be set for domains that are less than five characters (e.g., ab.cd). Our findings were confirmed on StackOverflow.
In Ruby on Rails, not setting the cookie creates a problem - the server thinks each request is a new request, causing it to regenerate a new auth token. Any server request that checks the auth token will then fail with the ever-frustrating ActionController::InvalidAuthenticityToken error.
The solution we ended up using was to not set the domain as a value in the cookie for any domain other than ShortSwitch's. Without a domain value, the browser scopes the cookie to the exact host that set it. Works just fine.
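One way to implement that rule as Rack-style middleware, shown as an added example rather than ShortSwitch's actual code. The class name, the `PRIMARY_DOMAIN` constant and the sample hosts are assumptions; it also assumes the middleware is mounted after the session store so that `env["rack.session.options"]` is read when the session cookie is written.

```ruby
# Added example (not from the original post): choose the session cookie's
# Domain per request. Plain Ruby, no gems needed to run it.
class HostAwareCookieDomain
  PRIMARY_DOMAIN = "shortswitch.com" # assumption: the service's own domain

  def initialize(app, primary_domain = PRIMARY_DOMAIN)
    @app = app
    @primary = primary_domain.downcase
  end

  # ".shortswitch.com" for our own hosts, nil (no Domain attribute) otherwise.
  def cookie_domain_for(host)
    # Normalise: case-insensitive, drop any port and trailing root dot.
    host = host.to_s.downcase.sub(/:\d+\z/, "").chomp(".")
    # Match on a label boundary so "evilshortswitch.com" is not treated as ours.
    return ".#{@primary}" if host == @primary || host.end_with?(".#{@primary}")
    nil
  end

  def call(env)
    host = env["HTTP_HOST"] || env["SERVER_NAME"]
    options = (env["rack.session.options"] ||= {})
    domain = cookie_domain_for(host)
    if domain
      options[:domain] = domain   # shared across our own subdomains
    else
      options.delete(:domain)     # host-only cookie on customer domains
    end
    @app.call(env)
  end
end

if __FILE__ == $0
  # Constructed sample requests; the inner app just reports the chosen option.
  app = ->(env) { [200, {}, [env["rack.session.options"].inspect]] }
  stack = HostAwareCookieDomain.new(app)
  ["shortswitch.com", "app.shortswitch.com:443", "ab.cd"].each do |h|
    env = { "HTTP_HOST" => h, "rack.session.options" => { domain: ".#{h}" } }
    puts "#{h} -> #{stack.call(env)[2].first}"
  end
end
```

The Host header is client-supplied, so any value that is not the primary domain or one of its subdomains falls through to the host-only case instead of being echoed into the cookie.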
Thanks for keeping us on our toes, Microsoft.