rack-devel archive mirror (unofficial) https://groups.google.com/group/rack-devel
* Cookie on a subdomain can get lost/hidden on IE
@ 2010-12-01 23:59 Jan M.
From: Jan M. @ 2010-12-01 23:59 UTC
  To: Rack Development

This isn't really a bug in Rack but it is some really unexpected
behaviour that caused a bug in my application that literally cost me
days to figure out so I feel compelled to explain it here in case
someone else goes googling for lost session cookies in Rails on
Internet Explorer (which are handled by rack).

Here is the scenario:
- a user first visits "yoursite.com" and gets a session cookie
- the user then gets redirected to "www.yoursite.com" and gets a
different session cookie since www is a different subdomain
- here is where it gets ugly: as long as they are on the "www"
subdomain rack will now read the session store from "yoursite.com" but
write to the session store for "www.yoursite.com"

I looked into this but according to the RFC the order in which cookies
from subdomains are returned is not defined so rack really can't be
blamed, it just picks the first cookie it gets. The other browsers
only return the cookie for the subdomain instead of both cookies like
IE does.

The mitigation is to either make sure you do the redirect to the "www"
domain before hitting your app so it hasn't had a chance to set a
session cookie, or you can explicitly set the domain in the cookie to
".yoursite.com" (note the leading dot) so one cookie will cover both.

The message I got from users is "I can't log in" from less than 1% of
my users. You can imagine it took a while before I established what
happened, because it only happens to individuals who somehow typed in
the URL without www and only if they use IE.
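
The first mitigation described in the message above, plus a check for the duplicate-cookie condition, as an added example that is not part of the original post and is not Rack's own code. It uses only plain Ruby and the Rack-style `call(env)` interface; `CANONICAL_HOST`, `SESSION_KEY`, `cookie_values`, `duplicate_session_cookie?` and `CanonicalHost` are hypothetical names, and the sample headers in the comments are constructed.

```ruby
# Assumed values for illustration; substitute the real host and session key.
CANONICAL_HOST = "www.yoursite.com"
SESSION_KEY    = "_session_id" # hypothetical session cookie name

# Parse a Cookie request header, keeping every value per name in the order
# the browser sent them (a plain Hash would silently drop duplicates).
def cookie_values(header)
  header.to_s.split(/;\s*/).each_with_object(Hash.new { |h, k| h[k] = [] }) do |pair, acc|
    name, value = pair.split("=", 2)
    acc[name.strip] << value.to_s unless name.nil? || name.strip.empty?
  end
end

# True when the request carries more than one cookie with the session name,
# e.g. "_session_id=aaa; _session_id=bbb" (constructed sample). Worth logging:
# it is the state in which reads and writes can hit different sessions.
def duplicate_session_cookie?(header, key = SESSION_KEY)
  cookie_values(header)[key].size > 1
end

# Rack-style middleware: redirect any non-canonical host to the canonical one
# before the wrapped app (and its session layer) can set a cookie.
class CanonicalHost
  def initialize(app, host = CANONICAL_HOST)
    @app  = app
    @host = host
  end

  def call(env)
    host = env["HTTP_HOST"].to_s.sub(/:\d+\z/, "").downcase
    return @app.call(env) if host == @host

    scheme   = env["rack.url_scheme"] || "http"
    query    = env["QUERY_STRING"].to_s
    location = "#{scheme}://#{@host}#{env["PATH_INFO"]}"
    location += "?#{query}" unless query.empty?
    # No Set-Cookie header is emitted here, so the bare domain never gets
    # a session cookie of its own.
    [301, { "location" => location, "content-type" => "text/plain" }, ["Moved\n"]]
  end
end
```

The middleware only helps if it sits above the session middleware in the stack, so the redirect response is produced before any session is created.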
