Summary
ASP.Net does not send back a Set-Cookie
header when using IE 10. Meaning that for example you cannot login to an ASP.Net site using IE10 when using Forms Authentication for example.
Detail
We're currently testing one of our legacy web apps against IE 10 [Preview 2].
When attempting to login using Forms Authentication, we don't get a Set-Cookie
header in the response if the user-agent is that of IE 10. We've tried this with a blank .Net 2 and .Net 4 site.
Because we couldn't/wouldn't believe it, we even ran the follow HTTP request manually through telnet
- after using all usual tools - and got the same response.
GET http://test.ourdomain.co.uk/ HTTP/1.1
Accept: */*
Host: test.ourdomain.co.uk
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
Content-Length: 0
The above HTTP request returns no Set-Cookie
in the response. Yet if we simply change the User-Agent to Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/6.0)
it works!
Can anyone else replicate this? I can't find any known issue with IE10 cookies other than an issue that effects non-standard URL patterns.
Hotfix
After devio posted the original answer, with a workaround, nullptr has confirm that there is now a hotfix for this.
http://support.microsoft.com/kb/2600088
I've promoted the hotfix to the main question as it's just handier for future reference, but please do up-vote the users mentioned.
The problem rests with some IIS instances thinking that IE10 is a cookieless browser (i.e. cant support cookies). In our problem case the server was setting the authentication cookie and sending it back to the browser, but was then ignoring the cookie on subsequent requests.
The solution is to either patch the browser capabilities so that it knows IE10 can do cookies (outlined in another answer on this page), or change the default behaviour to force it to use cookies even if it thinks the browser can’t do cookies.
We just added the following to our forms section in web.config:
cookieless="UseCookies"
<authentication mode="Forms">
<forms name=".AUTH" cookieless="UseCookies" loginUrl="/" timeout="10000" path="/" />
</authentication>