Forum Discussion
Joel_Moses
Apr 15, 2011Nimbostratus
According to RFC-2109, the leading period before the domain name field in an HTTP cookie is required:
Domain=domain
Optional. The Domain attribute specifies the domain for which the
cookie is valid. An explicitly specified domain must always start
with a dot.
Lots of browsers will accept cookie domains without leading dots, but it's non-standard.
Now then, on to your other issue. The domain .domain.com on a cookie will match host "domain.com" and "sub.domain.com" as well. Firefox will take a cookie without a leading period set and declare it an "exact match" (this is actually called "Netscape cookie compatibility"), which is why this isn't broken on Firefox but is under IE. The trouble here is that Microsoft is reading the standard one way and the Mozilla folks another -- and that's not likely to change.
You're going to have to use a different persistence cookie name on each site. That's the most "compatible" way to handle this.