http://blogs.msdn.com/b/ieinternals/archive/2011/03/10/internet-explorer-beware-cookie-sharing-in-cross-zone-scenarios.aspxNote: I mentioned this problem before ( Troubleshooting Login Cookies #3 ) but it was buried in a long post and this is an issue that lots of folks inside Microsoft hit, so I&rsquo;m pulling it out into its own post. The Problem From time to timeen-USTelligent Evolution Platform Developer Build (Build: 5.6.50428.7875)http://blogs.msdn.com/b/ieinternals/archive/2011/03/10/internet-explorer-beware-cookie-sharing-in-cross-zone-scenarios.aspx#10303391Wed, 09 May 2012 18:52:53 GMT91d46819-8472-40ad-a661-2c78acb4018c:10303391Brian J. Sayatovic<p>I think I encountered an even stranger case of this. &nbsp;I have a Silverlight application that runs in the browser. &nbsp;The HTML page hosting the &lt;object/&gt; tag, and the XAP file it points to, is all delivered via <a rel="nofollow" target="_new" href="http://launch.mydomain.com">http://launch.mydomain.com</a>. &nbsp;Once launched, the Silverlight application uses WCF to <a rel="nofollow" target="_new" href="httpS://service.mydomain.com">httpS://service.mydomain.com</a> except for displaying PDF documents which is does by popping a window open to <a rel="nofollow" target="_new" href="httpS://service.mydomain.com">httpS://service.mydomain.com</a> with a GET request. &nbsp;Now the cookie in question is delivered in the HTTP response header to one of the WCF calls to <a rel="nofollow" target="_new" href="httpS://service.mydomain.com">httpS://service.mydomain.com</a>. &nbsp;Depending on whether the page that delivered hosted the &lt;object/&gt; tag in the first place is in the same security zone affects the delivery of the cookie. &nbsp;On the one hand, I get it. &nbsp;But on the other hand, the cookie was both delivered and attempting to be re-sent to one zone -- the zone of <a rel="nofollow" target="_new" href="httpS://service.mydomain.com">httpS://service.mydomain.com</a>. &nbsp;But, in IE9 at least, the zone of the page hosting the Silverlight control still impacted the function.</p> <div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=10303391" width="1" height="1">http://blogs.msdn.com/b/ieinternals/archive/2011/03/10/internet-explorer-beware-cookie-sharing-in-cross-zone-scenarios.aspx#10277936Mon, 05 Mar 2012 20:42:58 GMT91d46819-8472-40ad-a661-2c78acb4018c:10277936Vinod<p>Will wininet use the cookie in the request when i have a Referrer set in a different domain that is loading in Internet zone?</p> <p>Sample request:</p> <p> - Http: Request, GET http://intranetsite</p> <p> &nbsp; &nbsp;Command: GET</p> <p> &nbsp;+ URI: http://intranetsite</p> <p> &nbsp; &nbsp;Accept: &nbsp;*/*</p> <p> &nbsp; &nbsp;Referer: &nbsp;<a rel="nofollow" target="_new" href="http://internet.site.com">http://internet.site.com</a></p> <p> &nbsp; &nbsp;Cookie: &nbsp;cookieset </p> <p>Does Referrer really matter to set a cookie?</p> <p>From my analysis, i see the cookie is used when either protected mode is turned on/off in both the zones. </p> <p>Thanks in advance</p> <div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=10277936" width="1" height="1">http://blogs.msdn.com/b/ieinternals/archive/2011/03/10/internet-explorer-beware-cookie-sharing-in-cross-zone-scenarios.aspx#10216455Mon, 26 Sep 2011 04:24:14 GMT91d46819-8472-40ad-a661-2c78acb4018c:10216455Aaron Margosis<p>Re this statement: &nbsp;&quot;users may view all of their Zone assignments by clicking Tools &gt; Internet Options &gt; Security &gt; Trusted &gt; Sites….&quot; &nbsp; It becomes more complicated if there are group policies dictating that only machine settings are used, and/or group policy dictates one or more site-to-zone-assignment lists. &nbsp;See</p> <p><a rel="nofollow" target="_new" href="http://blogs.technet.com/b/fdcc/archive/2011/09/22/internet-explorer-s-explicit-security-zone-mappings.aspx">blogs.technet.com/.../internet-explorer-s-explicit-security-zone-mappings.aspx</a></p> <p>and</p> <p><a rel="nofollow" target="_new" href="http://blogs.technet.com/b/fdcc/archive/2011/09/22/iezoneanalyzer-v3-5-with-zone-map-viewer.aspx">blogs.technet.com/.../iezoneanalyzer-v3-5-with-zone-map-viewer.aspx</a></p> <div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=10216455" width="1" height="1">http://blogs.msdn.com/b/ieinternals/archive/2011/03/10/internet-explorer-beware-cookie-sharing-in-cross-zone-scenarios.aspx#10188938Fri, 22 Jul 2011 13:44:34 GMT91d46819-8472-40ad-a661-2c78acb4018c:10188938EricLaw [MSFT]<p>@Anshu: If the pages are in the same zone (as described in this article), then&nbsp;yes, the insecure cookie will be sent to the secure subdomain by IE only. See Q3 at <a href="http://blogs.msdn.com/b/ieinternals/archive/2009/08/20/wininet-ie-cookie-internals-faq.aspx" rel="nofollow" target="_new">blogs.msdn.com/.../wininet-ie-cookie-internals-faq.aspx</a></p><div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=10188938" width="1" height="1">http://blogs.msdn.com/b/ieinternals/archive/2011/03/10/internet-explorer-beware-cookie-sharing-in-cross-zone-scenarios.aspx#10188868Fri, 22 Jul 2011 09:07:38 GMT91d46819-8472-40ad-a661-2c78acb4018c:10188868Anshu<p>I want to know if we redirect from HTTP to HTTPS, should IE send the session cookie with HTTPS request?</p> <p>Host: mpcb.mu (for HTTP)<br />Host: secured.mpcb.mu (for HTTPS)</p> <p>Here are the cookie attributes set from the server:</p> <p>Set-cookie: JSESSIONID=4E8CEB2926EFD; Path=/ ; HttpOnly</p><div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=10188868" width="1" height="1">