IE Dropping Cookies

Report · Apr 08, 2015

So, we've just moved CF11 to our production servers. Among the many weird issues we've encountered is IE refusing to keep cookies set using CFCOOKIE.

Keep in mind this is only a problem in IE. Seems to be all versions: 6-11.

For instance, a user loads Page A where this code resides:

At the end of the page I dump out:

Result: YES

I then click a link and load a Page B (same domain) and dump out:

Result: NO

Why is IE dropping this cookie? All other browsers keep it.

Exception: if I add my site to IE's Trusted Site list then it will keep the cookie. WTF?

Also, the particular CFCookie code we're using has been in place and working for YEARS. Since CF7 at least.

It has also been working on our testing server running CF11 for months. It only stopped working when moved to our production servers.

The testing server and production servers are nearly identical: Win2008, IIS7, CF11. The ONE glaring difference is the testing server was installed with an early version of CF11 and is still running Java7. The production CF11 installed with Java 8. We have several issues on the production machine we suspect to be a result of using Java 8 as we've never seen them on the Java 7 test server.

Anyone have any idea if the new version of Java would change how CFCookie operates? Other ideas?

Report · Apr 12, 2018

I'm getting this same error myself in IE11. Same scenario with a CFOOKIE that writes successfully. Do a CFDUMP at the bottom of the same page, I see the cookie.

Then, on the same domain, on a different cfm page do a CFUMP of all cookies and my cookie isn't present.

I'm really frustrated with this. Tried a server-side work-around with CFCOOKIE since IE11 isn't writing .js cookies. And now I can't even read a cookie with IE,

Help anyone?

Report · Apr 12, 2018

I would strongly recommend using the dev tools available in IE or Chrome to see exactly what response headers are being written, including that of the cookie. Nothing in CFCOOKIE has changed, but how browsers handle cookies has changed quite a bit.

Dave Watts, Fig Leaf Software

Report · Apr 12, 2018

I pasted this from the Dev tools response header and pasted the CFTOKEN above my cookie. The only noticeable difference is that mine is not HTTP only. Other than that, nothing looks out of the ordinary, but let me know if I should look at something else...

Key Value:

Set-Cookie CFTOKEN=d4061cb9ac8bb409-543EA86E-DEF6-F1D1-1648F6EAC3D6E33D; Expires=Sat, 04-Apr-2048 20:51:03 GMT; Path=/; HttpOnly

Key Value:

Set-Cookie ZAXTERMS=yes; Expires=Sat, 04-Apr-2048 20:51:03 GMT; Path=/

Report · Apr 12, 2018

If you're having a problem getting IE to accept ZAXTERMS when it is successfully accepting CFTOKEN, maybe IE is only accepting HttpOnly cookies from untrusted sites?

Dave Watts, Fig Leaf Software

Report · Apr 12, 2018

Hmmm, so does this mean I can't set my own cookies with IE? I'm not an IE person, so are the users going to have to set up my site as a Trusted site in order to process the site's cookie? I do have a javascript process to read the cookie for existence. I'm not sure what to do here. Any help appreciated!

Report · Apr 12, 2018

It means you'll have to use the http attribute with CFCOOKIE, like this:

ColdFusion Help | cfcookie

Dave Watts, Fig Leaf Software

Report · Apr 12, 2018

Oh, and you'll probably have to get rid of the JS that reads the cookie, probably.

Dave Watts, Fig Leaf Software

Report · Apr 13, 2018

Thank you, Dave. It looks like I'm going to abandon a Terms of Use popup check that uses javascript and the cookie to determine access to certain pages. Will have to do it server-side. All because of IE. Ugh.

Report · Apr 13, 2018

And... the httponly cookie isn't being recognized either in IE. It's being written as httponly:

Key Value

Set-Cookie ZAXTERMS=yes; Expires=Sun, 05-Apr-2048 15:05:43 GMT; Path=/; HttpOnly

Then I load the 2nd page that dumps the cookie. Only CFID and CFTOKEN are set.

Report · Apr 13, 2018

Do you have a sample URL available to the public?

Dave Watts, Fig Leaf Software

Report · Apr 13, 2018

Unfortunately I only have a locked-down staging site. Is there something else I can check and post here?

EDIT: I'm also finding out that IE is not saving SESSION variables which affect saving a user's login session id. So if someone logs in with IE it bounces them back to login because of an unrecognized session variable.

I'm also trying this on two different machines. A Windows laptop and a VM with IE on a Mac and both are giving me the same issue. I set the IE security settings as low as I can get them.

Report · Apr 14, 2018

The issue was that Microsoft does not allow cookies to be written when the URL has an underscore in it. Yep.

I confirmed this by changing our staging URL to use a '-' instead of '_' and cookies are now be written and read successfully in IE.

An article about this issue: https://ma.ttias.be/internet-explorer-wont-allow-cookies-subdomains-underscores/

Thanks for your help on this, Dave Watts!

Report · Apr 12, 2018

We simply stopped supporting IE. Right or wrong, it's what we did.

Adobe Community

IE Dropping Cookies