Last Updated: February 25, 2016
· sbrisko

IE, Hostnames with Underscores and Cookies

We deride Internet Explorer for all the things it does not do well, but in this case I hit an issue where IE was doing the right thing yet still was not very helpful.

IE may be the only browser that checks the validity of a hostname before allowing cookies to be saved in the browser. The IETF spec has a listing of characters that are not allowed in hostnames (http://www.ietf.org/rfc/rfc2396.txt), with the underscore '_' being one of them. If your hostname happens to have an underscore in the name (e.g. fort_apache), IE will not write cookies locally to your machine, and it will not give you any indication that the hostname is not valid.

I learned this from getting a ticket stating that all non-GET operations for a web app were erring. Looking at the logs from Rails, I could see that the request was failing the CSRF authentication check (http://guides.rubyonrails.org/security.html). The authentication check contains two keys that are compared to each other. One key is embedded in a JavaScript tag within the page and the second key is written to a session cookie. When a new non-GET request is made to the server, both values are compared, and if they match the request is authorized. In this case, since the session cookie was never being written, the request would never authorize.
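Since the browser gives no indication, the server can log one. The following is an added example, not code from the original post: a check of the request's Host header against the hostname grammar in RFC 2396 section 3.2.2, wrapped in a Rack-style middleware. The names `hostname_problems`, `HostnameCookieWarning` and `reporter` are hypothetical.

```ruby
# Hostname grammar from RFC 2396, section 3.2.2:
#   domainlabel = alphanum | alphanum *( alphanum | "-" ) alphanum
#   toplabel    = alpha    | alpha    *( alphanum | "-" ) alphanum
#   hostname    = *( domainlabel "." ) toplabel [ "." ]
DOMAIN_LABEL = /\A[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\z/i
TOP_LABEL    = /\A[a-z](?:[a-z0-9-]*[a-z0-9])?\z/i
IPV4         = /\A\d{1,3}(?:\.\d{1,3}){3}\z/

# Returns a list of problems; an empty list means the host matches the grammar.
def hostname_problems(host)
  host = host.to_s.sub(/:\d+\z/, "")            # drop an optional :port
  return [] if host =~ IPV4
  labels = host.chomp(".").split(".", -1)
  return ["empty hostname"] if labels.empty?
  problems = []
  labels.each_with_index do |label, i|
    pattern = i == labels.size - 1 ? TOP_LABEL : DOMAIN_LABEL
    next if label =~ pattern
    bad = label.scan(/[^a-z0-9-]/i).uniq         # characters outside alphanum and "-"
    detail = bad.any? ? "contains #{bad.join(' ')}" : "is empty or starts/ends with an invalid character"
    problems << "label #{label.inspect} #{detail}"
  end
  problems
end

# Rack-style middleware (hypothetical name): logs the diagnostic the browser never shows.
class HostnameCookieWarning
  def initialize(app, reporter: ->(msg) { $stderr.puts(msg) })
    @app = app
    @reporter = reporter
  end

  def call(env)
    problems = hostname_problems(env["HTTP_HOST"])
    unless problems.empty?
      @reporter.call("Host #{env['HTTP_HOST'].inspect} is not a valid hostname " \
                     "(#{problems.join('; ')}); the browser may refuse to store the session cookie")
    end
    @app.call(env)
  end
end
```

With this in the middleware stack, a run of CSRF failures on non-GET requests can be matched against the hostname warning in the same log.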