IE10 User-Agent causes ASP.Net to not send back Set-Cookie (IE10 not setting cookies)

asp.net internet-explorer
isNaN1247 picture isNaN1247 · Aug 8, 2011 · Viewed 48k times · Source

Summary

ASP.Net does not send back a Set-Cookie header when using IE 10. Meaning that for example you cannot login to an ASP.Net site using IE10 when using Forms Authentication for example.

Detail

We're currently testing one of our legacy web apps against IE 10 [Preview 2].

When attempting to login using Forms Authentication, we don't get a Set-Cookie header in the response if the user-agent is that of IE 10. We've tried this with a blank .Net 2 and .Net 4 site.

Because we couldn't/wouldn't believe it, we even ran the follow HTTP request manually through telnet - after using all usual tools - and got the same response.

GET http://test.ourdomain.co.uk/ HTTP/1.1
Accept: */*
Host: test.ourdomain.co.uk
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
Content-Length: 0

The above HTTP request returns no Set-Cookie in the response. Yet if we simply change the User-Agent to Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/6.0) it works!

Can anyone else replicate this? I can't find any known issue with IE10 cookies other than an issue that effects non-standard URL patterns.

Hotfix

After devio posted the original answer, with a workaround, nullptr has confirm that there is now a hotfix for this.

http://support.microsoft.com/kb/2600088

I've promoted the hotfix to the main question as it's just handier for future reference, but please do up-vote the users mentioned.

Answer

Dave Sumter picture Dave Sumter · Mar 19, 2013

The problem rests with some IIS instances thinking that IE10 is a cookieless browser (i.e. cant support cookies). In our problem case the server was setting the authentication cookie and sending it back to the browser, but was then ignoring the cookie on subsequent requests.

The solution is to either patch the browser capabilities so that it knows IE10 can do cookies (outlined in another answer on this page), or change the default behaviour to force it to use cookies even if it thinks the browser can’t do cookies.

We just added the following to our forms section in web.config:

cookieless="UseCookies"

<authentication mode="Forms">
  <forms name=".AUTH" cookieless="UseCookies" loginUrl="/" timeout="10000" path="/" />
</authentication>

Related questions

How to enable Auto Logon User Authentication for Google Chrome

I have a site I go to that allows me to auto log in with my creditentials (windows) and using Internet Explorer I can just set the option under "User Authentication" to "Automatic logon with current user name and password", …

Read More
How to forcefully set IE's Compatibility Mode off from the server-side?

In a domain-controlled environment I'm finding that the compatibility mode is triggered on certain clients (winXP/Win7, IE8/IE9) even when we are providing a X-UA tags, a !DOCTYPE definition and "IE=Edge" response headers. These clients have the "display …

Read More
Stop Visual Studio from launching a new browser window when starting debug?

I already have a window open with the web site I'm debugging. I don't need VS to launch another one for me every time I need to debug. Is there a way to stop this behavior?

Read More