Use dashes not underscores in your domain name
September 24, 2010
I recently ran into an issue where users hitting my development server with Internet Explorer kept getting redirected back to my login page no matter how many times they signed in. Everything worked fine for all other browsers I tested and it even worked fine on Internet Explorer when pointing at http://localhost.
After much investigating it turns out the problem lies in the name of my development server. I picked a name like http://myapp_dev.alexrothenberg.com and it was the underscore in myapp_dev that caused the problem. It turns out that IE will not set a session cookie for a domain with a hostname that contains an underscore.
According to microsoft this is not a bug but a feature
OK, so it looks like IE will let me go to the page but doesn't set the session cookie so my site sees each request as part of a new session by an unauthenticated user and redirects to the login page over and over.
I did a little more research and according to Wikipedia Microsoft is right and underscores are not allowed in hostnames
I'm not sure why IE allows the browsing but not the cookie as that turned this into a subtle bug that was especially hard to track down since Firefox, Safari and Chrome all set the cookie so my site works. From now on I'll have to remember not to use underscores but to use dashes instead like http://myapp-dev.alexrothenberg.com which should work across all browsers.
After much investigating it turns out the problem lies in the name of my development server. I picked a name like http://myapp_dev.alexrothenberg.com and it was the underscore in myapp_dev that caused the problem. It turns out that IE will not set a session cookie for a domain with a hostname that contains an underscore.
According to microsoft this is not a bug but a feature
Q5: IE won’t set a cookie when the hostname/domain contains an underscore?
A: Correct. Technically, underscore is not a DNS character, and while Windows will let you use an underscore when naming your machine, it warns you that doing so may cause problems. One such problem is that WinINET blocks attempts to set cookies on such domains.
OK, so it looks like IE will let me go to the page but doesn't set the session cookie so my site sees each request as part of a new session by an unauthenticated user and redirects to the login page over and over.
I did a little more research and according to Wikipedia Microsoft is right and underscores are not allowed in hostnames
The Internet standards (Request for Comments) for protocols mandate that component hostname labels may contain only the ASCII letters 'a' through 'z' (in a case-insensitive manner), the digits '0' through '9', and the hyphen ('-') ...
While a hostname may not contain other characters, such as the underscore character (_), other DNS names may contain the underscore.
I'm not sure why IE allows the browsing but not the cookie as that turned this into a subtle bug that was especially hard to track down since Firefox, Safari and Chrome all set the cookie so my site works. From now on I'll have to remember not to use underscores but to use dashes instead like http://myapp-dev.alexrothenberg.com which should work across all browsers.