rack-devel archive mirror (unofficial) https://groups.google.com/group/rack-devel
From: "Jan M." <jmfaber@gmail.com>
To: Rack Development <rack-devel@googlegroups.com>
Subject: Cookie on a subdomain can get lost/hidden on IE
Date: Wed, 1 Dec 2010 15:59:30 -0800 (PST)
Message-ID: <90acafa6-979f-47a1-8a30-53066ba54267@s4g2000yql.googlegroups.com>


This isn't really a bug in Rack but it is some really unexpected
behaviour that caused a bug in my application that literally cost me
days to figure out so I feel compelled to explain it here in case
someone else goes googling for lost session cookies in Rails on
Internet Explorer (which are handled by rack).

Here is the scenario:
- a user first visits "yoursite.com" and gets a session cookie
- the user then gets redirected to "www.yoursite.com" and gets a
different session cookie since www is a different subdomain
- here is where it gets ugly: as long as they are on the "www"
subdomain rack will now read the session store from "yoursite.com" but
write to the session store for "www.yoursite.com"

I looked into this but according to the RFC the order in which cookies
from subdomains are returned is not defined so rack really can't be
blamed, it just picks the first cookie it gets. The other browsers
only return the cookie for the subdomain instead of both cookies like
IE does.

The mitigation is to either make sure you do the redirect to the "www"
domain before hitting your app so it hasn't had a chance to set a
session cookie, or you can explicitly set the domain in the cookie to
".yoursite.com" (note the leading dot) so one cookie will cover both
domains.

The message I got from users is "I can't log in" from less than 1% of
my users. You can imagine it takes a while before I established what
happened, because it only happens to individuals who somehow typed in
the URL without www and only if they use IE.
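The following is an added example, not code from the post or from Rack itself: a small, self-contained reimplementation of the "first cookie wins" parsing the post describes, next to a Set-Cookie builder that applies the ".yoursite.com" domain mitigation. The Cookie header below is constructed to model what the post says IE sends when both a bare-domain and a www-subdomain session cookie exist.

```ruby
require 'cgi'

# Parse a Cookie request header into a hash. When the browser sends the same
# name twice (IE sending both the "yoursite.com" and "www.yoursite.com"
# cookies), the first occurrence is kept and later ones are ignored, which is
# the behaviour the post attributes to rack. This is a simplified parser, not
# Rack's own.
def parse_cookie_header(header)
  cookies = {}
  header.to_s.split(/[;,] */).each do |pair|
    name, value = pair.split('=', 2).map { |s| CGI.unescape(s.to_s.strip) }
    next if name.nil? || name.empty?
    cookies[name] = value unless cookies.key?(name)
  end
  cookies
end

# Build a Set-Cookie header value. Passing domain: '.yoursite.com' (note the
# leading dot) makes one cookie cover both the bare domain and the www
# subdomain, so the browser no longer holds two competing session cookies.
def set_cookie_header(name, value, domain: nil, path: '/', http_only: true, secure: false)
  parts = ["#{CGI.escape(name)}=#{CGI.escape(value)}"]
  parts << "domain=#{domain}" if domain
  parts << "path=#{path}" if path
  parts << 'secure' if secure
  parts << 'HttpOnly' if http_only
  parts.join('; ')
end

# Constructed sample (not a real capture): a request to www.yoursite.com
# carrying both session cookies, bare-domain cookie first.
IE_COOKIE_HEADER = '_session_id=bare_domain_session; _session_id=www_subdomain_session'

if __FILE__ == $0
  # The app reads the bare-domain session while writing to the www one.
  puts parse_cookie_header(IE_COOKIE_HEADER)['_session_id'] # bare_domain_session
  # Mitigation: issue a single cookie scoped to the parent domain.
  puts set_cookie_header('_session_id', 'abc', domain: '.yoursite.com')
end
```

Running the file prints the session id the app would read under the described IE behaviour, followed by the mitigated Set-Cookie value.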
