Internet Explorer Eats Cookies with Underscores in the Hostname
Develop | Posted July 01, 2009

While working tech support the other day, I tracked down, with the help of a couple of other developers, a curious issue reported by a customer. They had Code Reviewer, the lightweight version of our peer code review tool, installed and working, but could only login to the web UI from the server machine itself -- and even then only by using http://localhost:8080. Attempts to use http://host_name:8080 or failed. They could reach the server and get the login form, but upon submitting the form, users were not being logged in.

As it turns out this is a well known "feature" of Internet Explorer, and possibly Safari. It does not store cookies when there is an underscore in the hostname or domain name. Since this particular customer had an underscore in the server's host name, Code Reviewer's session cookies were not being stored or sent with requests. Thus the user was perpetually logged out.

I suggested that the customer take one of three steps to resolve the issue:

  1. Use Firefox because it handles hostnames with underscores.
  2. Rename the server machine (or at least get a DNS alias for it). This way users could access the server with the alias, which would not have underscores, and cookies would work fine. 
  3. Use .hosts files to simulate a DNS alias. Since this was a small group (they had taken advantage of our 5 for 5 deal so I knew they were small), so updating all the relevant .hosts files was not too much of a burden. 

Ultimately, this particular customer chose the .hosts file route and they are now up and running. If you run into this issue, with Code Reviewer, Code Collaborator, or any other web application, you can choose any of those workarounds and it will probably resolve your issue.

Now for the rant. What was the Internet Explorer team thinking? It seems they made it as difficult as possible for users to understand what's happening. Instead of secretly eating the cookies, why not let the user know what's happening? Give them a choice in the matter or at least tell them they don't have a choice. Or, better yet, do like Firefox and try to do the right thing for your users, even if it means accepting cookies that are in violation of various RFCs.

For example, IE could simply not navigate to sites with underscores in the hostname. If violating RFC 1123 is grounds for having your cookies ignored, maybe it should be grounds for being entirely inaccessible. At least this behavior would be consistent and, provided there was sensible error messaging, it would give unwitting users with control of their hostnames a chance to fix the problem.

Alternatively, make it a warning and give the user the opportunity to decide whether or not to navigate to the site. If the user does navigate to the site, it should work like the user would expect any other site to work. Respect the user's security preferences with regard to cookies. No special behavior.

If you then assume that most people will not read the warning message and will instinctively click the "Yes, please do what I asked you to do" button, then you remove that button and you are right back to where Firefox is. If you can resolve the name and access the server, it gets no special treatment. And that is exactly how it should be.