IEInternals

A look at Internet Explorer from the inside out. @EricLaw left Microsoft in 2012, but was named an IE MVP in '13 & an IE userAgent (http://useragents.ie) in '14

Internet Explorer Cookie Internals (FAQ)

Internet Explorer Cookie Internals (FAQ)

Rate This
  • Comments 67

Over the five years I’ve worked on Internet Explorer, I’ve probably seen more questions from the community about HTTP cookies than on any other topic. Cookies are an integral component of most websites in use today, and hence problems or unexpected behaviors with cookies tend to get a lot of attention.

In this post, I’ll try to summarize the most common questions and answers I’ve seen related to Internet Explorer’s implementation of cookies. I may add to this FAQ over time.

 

Q1: IE’s cookie code doesn’t seem to support <something> as defined in RFC2109 or RFC2965.

A: Correct. Internet Explorer (including IE8) does not attempt to support any RFC for cookies.

WinINET (the network stack below IE) has cookie implementation based on the pre-RFC Netscape draft spec for cookies. This means that directives like max-age, versioned cookies, etc, are not supported in any version of Internet Explorer.

 

Q2: If I don’t specify a leading dot when setting the DOMAIN attribute, IE doesn’t care?

A: Correct. All current version browsers (Chrome, FF, Opera, etc) seem to treat a leading dot as implicit. Here’s a test case.

 

Q3: If I don’t specify a DOMAIN attribute when a cookie, IE sends it to all nested subdomains anyway?

A: Yes, a cookie set on example.com will be sent to sub2.sub1.example.com.

Internet Explorer differs from other browsers in this regard. Here’s a test case.

 

Q4: How many cookies will Internet Explorer maintain for each site?

A: As of August 2007, the per-host limit was increased from 20 to 50. The August update applied to IE5, 6, and 7. IE8 natively can support 50 cookies per host, and Firefox uses the same limit.

It’s worth mentioning that increased cookie limit actually broke the website of a major financial institution. The site depended on cookies beyond the 20 cookie limit getting dropped, and stopped working properly when the limit was increased. This is just one example of how tightly-coupled today’s web is to IE’s cookie implementation. That, in turn, is one reason why the IE team must exercise great care when making any change to IE’s cookie implementation.

The document.cookie property is limited to 10KB. 

WinINET will not respect a Set-Cookie response header value longer than 5118 bytes. WinINET allows 50 cookies, each of which is ~5kb long.  Hence a request could carry 250kb of cookies.  (eek!)

 

Q5: IE won’t set a cookie when the hostname/domain contains an underscore?

A: Correct. Technically, an underscore (like this _ ) is not a DNS character, and while Windows will let you use an underscore when naming your machine, it warns you that doing so may cause problems. One such problem is that WinINET blocks attempts to set cookies on such domains. See http://support.microsoft.com/kb/316112/en-us

 

Q6: IE won’t set a cookie for certain domains, like those of the format http://xx.yy?

A: Correct. The idea is that you may not set a cookie on a "top-level" domain shared by unrelated organizations. Historically, ccTLDs of the format xx.yy were effective TLDs, so cookies may not be set on them. While this heuristic was never perfect, it's been unchanged for over 15 years and hence is not likely to change any time soon. The intricacy of this issue merits a long blog post all its own-- see this post.

 

Q7: My site is not receiving cookies when it is running in an IFRAME and the parent page is from a different domain. Why?

A: Internet Explorer has restrictions on “3rd party” cookies. 3rd party cookies are cookies which are set or sent for resources from a different domain than the top-level browsing context. You can easily confirm P3P/Cookie restrictions as the root cause of such issues by temporarily changing IE’s Tools / Options / Privacy setting to “Accept All Cookies”.

In order to allow such cookies to be sent reliably, you should send a P3P header when setting the cookie.

You can use Fiddler’s “Privacy Inspector” to view and analyze any P3P Policy. To learn more about P3P and IE, see my quick P3P guide.

 

Q7b: My page doesn't receive or set cookies when it is running in an IFRAME with the SECURITY=RESTRICTED attribute. Why?

A: The SECURITY=RESTRICTED attribute on IFRAMEs indicates that the browser should treat the content as if it came from the Restricted Sites zone. Content in this zone cannot set or read cookies. Cookies will not be sent to the server, and cookies will not be set if received from the server. To resolve this problem, you will need to communicate any necessary state information to the server via another mechanism (e.g. a token in the URL).

 

Q8: Are there any limits to the HTML DOM document.cookie property?

A: In IE5, 6, and 7, if the cookie string is longer than 4096 bytes, the document.cookie property will return an empty string. For IE8, this limit was increased to 10Kb.

Also, due to an obscure bug in the underlying WinINET InternetGetCookie implementation, IE’s document.cookie will not return a cookie if it was set with a path attribute containing a filename. 

For instance, if a page sets a cookie on itself like so: 

Set-Cookie: HTTPSet-PathCookie=PASS;path=/check.htm 

…the cookie will be sent with HTTP requests but will not appear in the document.cookie collection.

 

Q9: Cross-Site Scripting attacks (XSS) can steal cookies. What can I do?

A: Determine if you need to expose your cookies to scripts running on your site.  If your cookies are only used by your server, and your scripts don’t require access to your cookies, use the HttpOnly attribute to help protect your site against cookie theft via cross-site scripting attacks. 

Simply add the HttpOnly attribute to each Set-Cookie header, and Internet Explorer will ensure that your cookie is not available to any script running in your pages. Cookies with the HttpOnly attribute are still sent in each HTTP request, but will not appear in the script-accessible document.cookies property. This means that if a hacker finds a cross-site scripting hole in your site, he cannot easily use the hole to steal logged-on visitors’ cookies.

The HttpOnly attribute is supported in all modern browsers (IE6+, FF3+, Safari 4, Chrome, Opera 9.5+).

 

Q10: How can applications or native code add-ons set cookies?

A: Applications should set cookies using the InternetSetCookieEx function, passing the appropriate flags to indicate if a cookie is being set from a 3rd party context, and any P3P directives available. The non-EX version of this function will unconditionally set a cookie (even if “Block all cookies” is set in IE’s settings) although such cookies will not be subsequently sent to servers while the “Block all cookies” setting is active.

Note: On Windows Vista and above, Internet Explorer runs Internet content in Protected Mode, a sandbox with an isolated cookie store. In order to set a cookie in the Protected Mode sandbox from an external application running at Medium integrity (aka outside of Internet Explorer), you must use the IESetProtectedModeCookie function. This API was added in IE8, and unfortunately, there is no straightforward alternative for IE7. This API has a number of limits, in particular, it cannot be called by processes running at High Integrity (Admin), and it does not have an option to provide the P3P policy string when setting the cookie.

IE10+ on Windows 8+ introduced Enhanced Protected Mode which uses AppContainers (rather than Integrity Levels) for isolation. EPM does not offer an API for interacting with cookies; IESetProtectedModeCookie will not set the cookie inside an AppContainer.

Q11: How can applications or native code add-ons retrieve cookies?

A: Use the InternetGetCookieEx function.

Note, by default, the cookies returned from this function will not include any HTTPOnly cookies. To retrieve HTTPOnly cookies, you must pass the INTERNET_COOKIE_HTTPONLY flag, available in IE8+. If you decide to pass this flag, you must ensure that your code will not expose the returned value to any script-controllable context. (Note: It appears that support for the INTERNET_COOKIE_HTTPONLY flag was added to IE7 in a cumulative update (KB960818)).

Note: On Windows Vista and above, Internet Explorer runs Internet content in Protected Mode, a sandbox with an isolated cookie store. In order to get a cookie from the Protected Mode sandbox from an external application running at Medium integrity (aka outside of Internet Explorer), you must use the IEGetProtectedModeCookie function. This API was added in IE8, and unfortunately, there is no straightforward alternative for IE7. This API has a number of limits, in particular, it cannot be called by processes running at High Integrity (Admin).

IE10+ on Windows 8+ introduced Enhanced Protected Mode which uses AppContainers (rather than Integrity Levels) for isolation. EPM does not offer an API for interacting with cookies; IEGetProtectedModeCookie will not get the cookie inside an AppContainer.

 

Q12: How can I log into my web application multiple times? How are cookies shared between IE windows?

A: Good question, and the answer has changed a bit in IE8. I wrote up a full post on the subject over on the IEBlog

 

Q13: How can I control (block, downgrade or allow) cookies?

A: See Internet Explorer Cookie Controls.

 

That’s it for now; thanks for reading!

  • If you guys know about the obscure bug that prevents cookies set on a full path that includes the filename from showing up in document.cookie, why don't you fix it???

    It seems to work in every other browser.

    Frustratingly yours,

    web developers.

  • i'm using IE8 and i can move where temporary files are stored but not cookies. Why is that? Is there a registry setting to change where they are stored? I'm trying to preserve my solid state drive by using a ramdrive....but still it is persistant on saving cookies on my SSD when I set cache to ramdisk!!!

  • An reason why IE9 can't implement max-age?

  • @Ken: I'm not sure it would make sense to implement only one part of an RFC. Can you elaborate on the scenario?

  • I'm having an issue with the domain part of my cookie in IE9.  Every time I create a cookie, IE9 creates two cookies with the same name.  One for the www version of my domain name and one for the non-www version of my domain name.

    The really crappy part is that they don't have the same value, so when I retrieve the cookie I don't always get the correct value.

    I thought if I specify the domain name when I create my cookie this would solve my problem.  Unfortunately, although it is setting the cookie for the domain I specify, I don't know how to ensure I only grab that specific cookie, so I am still getting the wrong value most of the time.

    Any ideas?

  • @Vincent: No, IE only creates two cookies when you tell it to. The most common problem is when your server is available both with and without the "www". So the user goes to http://example.com which sets a cookie named e.g. ASPSESSIONID and redirects the user to http://www.example.com which also sets a cookie of the same name. At that point, two ASPSESSIONID cookies are sent to the server. You could fix this by not setting the cookie in the redirector page, or by specifying the DOMAIN attribute of both cookies as domain=example.com

    If you really think something else is going on, please send me a repro URL or network capture from Fiddler. But since IE's code has worked the same way for nearly >12 years, we're pretty confident in how it works.

  • Thanks for the response Eric.  o.k. So I understand why this is happening, but I'm not sure of your proposed solution.

    I don't have a "redirector" page, unless I'm misunderstanding what you're meaning.  The server automatically prepends the www if I don't type it in.   I wouldn't really call that a re-direct as there is only one site, just two different ways to get there.  

    So when you say set the domain attribute of "both" cookies, that doesn't make sense to me.   My code only sets the cookie once, so how can I control "both" cookies.    Isn't the same code running twice, to create two cookies?  I did try setting the domain both with and without the www in my cookie but either way I still have the same probem.

    Obviously I'm a little bit confused still.

  • @Vincent: How do you think the server "automatically prepends the www"?  Watch with Fiddler, and I expect you'll see the server returning a HTTP/301 or HTTP/302 redirect to the version with the "www" in it.

    If you send me a URL or a network capture, I'm happy to have a look.

  • I am trying to retrieve IE cookie using InternetGetCookie function. Problem is that this function retrieves only first cookie. I want to retrive 2nd cookie set by that website. I tried using InternetGetCookie function twice but still only the first cookie is retrieved. What can be done to retrieve 2nd cookie?

    Thanks in advance

  • @Avinash: Your confusion about this API is understandable. A more accurate name for the function would be InternetGetCookieRequestHeaderValue(). When you pass null for the cookie name, the function returns ALL cookies destined for the target URL, in one string. If you don't see a value you expect to see, then be sure that you're passing in the correct URL, that you're using IEGetProtectedModeCookie if you're trying to get Low Integrity cookies, and that you're passing the INTERNET_COOKIE_HTTPONLY flag if your code is not scriptable and the target cookie had the httponly attribute set.

  • I got the cookie using InternetGetCookieEx function. But sometimes it returns the cookie value which have its expiry value set in past. I am using this function because InternetGetCookie() function does not return "HTTP_ONLY" marked cookies.

    So, I want to check the expiry date of the IE cookie which i get from InternetGetCookieEx().   Is there any way to do that?

    Thanks in advance.

  • @Avinash: Please email me. I don't see how that's possible.

  • sorry for posting it again. If possible delete last post, it is same thing again.

    Actually when a cookie's expiry date passes and IE is not running, then IE will delete it when it will run again. But during this time if my application tries to get the cookie using InternetGetCookieEx () function it gives me the cookie which is expired after IE was closed last time.

  • Hi,

    when request is send from IE8 browser I am able to see 2 cookies with the same name being send but with different values. I want to reverse the order of these.. I want the second cookie to be first the list.

    e.g  dupcookie="test"; dupcookie="test2" --> this is how it is send.

    I want to send it as   dupcookie="test2"; dupcookie="test"

    How can I achieve this?

  • @Ravi: You can't control the cookie order. The most common reason you end up two cookies with the same name is that they were set with different DOMAIN attributes (e.g. one on example.com and the other on www.example.com).

Page 4 of 5 (67 items) 12345
Leave a Comment
  • Please add 3 and 3 and type the answer here:
  • Post