Cookie handling for hosts/domains with the underscore (_) character

By design Issue #110674

Details

Created
Apr 27, 2014
Privacy
This issue is public.
Found in build #
0.0011
Reports
Reported by 0 people


Steps to reproduce

URL = https://rlw-wsv-ts_test/RDweb

URL:

Repro Steps:

The problem was first noted on an internal enterprise server running Server 2012 Terminal Services with RDWeb. The problem can be reproduced on any website which requires cookies for operation where the URL provided to IE has an underscore in the host portion of the name. OWA is another notable example.

The URL which originally provided the problem was https://rlw-wsv-ts_test/RDweb.
Logging in would cause the client to be taken back to the login screen. Capturing data with Fiddler indicated the server (IIS8) requested to set a cookie, and that subsequently, the client (IE10) did not reply with the cookie.

Expected Results:

One of three things would be reasonable to expect:

  1. At the very least, one would think IE could provide a warning that it won’t be accepting cookies for this domain due to an underscore in the host portion of the URL.
  2. Provide the user a warning and an option to choose to allow cookie transactions with the current site for the domain in question.
  3. Realize 80%+ of users would click yes anyway and go the Chrome/Firefox way and make it function as the user already intuitively expects (cookies are accepted for the appropriate domain).

Perhaps less reasonable would be to accept cookies in an “InPrivate” mode, where new cookies can be set for the session, but not saved. This would be less functional long term but would suffice in many cases.

Actual Results:

Attachments

0 attachments
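
An added example, not part of the original report: a Python check that flags URLs whose host name breaks the letters-digits-hyphen rule of RFC 952 / RFC 1123, which covers the underscore case described above and generalizes it to other non-conforming labels. Only the first sample URL comes from the report; the other URLs and the function names are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# One host name label under RFC 952 / RFC 1123: letters, digits and hyphens
# only, 1-63 characters, no leading or trailing hyphen.
LDH_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def bad_labels(host):
    """Return the labels of `host` that break the letters-digits-hyphen rule."""
    host = host[:-1] if host.endswith(".") else host  # one trailing dot is legal
    try:
        ipaddress.ip_address(host)  # IP literals are not host names
        return []
    except ValueError:
        pass
    return [lab for lab in host.split(".") if not LDH_LABEL.fullmatch(lab)]


def audit_urls(urls):
    """Map each URL whose host has non-LDH labels to the offending labels."""
    findings = {}
    for url in urls:
        host = urlsplit(url).hostname or ""  # lower-cased, port removed
        labels = bad_labels(host)
        if labels:
            findings[url] = labels
    return findings


# The first URL is the one from the report; the rest are constructed samples.
SAMPLE_URLS = [
    "https://rlw-wsv-ts_test/RDweb",
    "https://rlw-wsv-ts-test/RDweb",
    "https://owa_internal.corp.example:8443/owa",
    "https://mail.corp.example./owa",
    "https://192.0.2.10/RDweb",
    "https://[2001:db8::1]/RDweb",
]


if __name__ == "__main__":
    for url, labels in audit_urls(SAMPLE_URLS).items():
        print(f"{url}: non-LDH label(s) {labels}")
```

Running it over an inventory of internal site URLs lists the hosts that need a conforming alias before cookie-based logins can be expected to work in every browser.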
