IE8 does not use cookies across the domain respectively - only on one machine

I have an interesting problem that has me completely stumped.

I have production code that I built that reads a piece of the IBM LTPA token file installed by a machine managed by another department, checks it and uses it to log in to the system that my group manages (by setting some special cookies). This process is single sign-on. The login is completely transparent to the end user and has been working in all browsers for several years.

I recently noticed that it does not work properly on my development machine with IE8. I recently upgraded from Vista to Windows 7. I'm not sure if this did not work on my machine before or after the upgrade, as this is what worked for so long and I have no reason to regularly test it. FireFox 3.5 and Chrome 4 dev on the same machine work as expected. IE6 on XP SP3 virtual machine works fine on this computer. IE8 works fine on multiple machines at home (for both Windows Server 2008 and Windows 7).

For diagnostic purposes, I deleted all cached data from my IE (WinInet cache) to start from scratch. I launched Fiddler to track this process and determine what is not working. What I found was quite interesting, and I can't explain it.

After entering the initial site - call it ltpa.domain.com - the session cookie is reset from the server, as expected, with the Set-Cookie header. I verified that the domain is correctly set to .domain.com and that the path is /. All subsequent requests from the browser after logging in push all cookies to the server with each request, as expected. This is actually a portal, and there is some additional content, say from portal.domain.com, that is also retrieved; all cookies are sent to this server correctly.

Now for the interesting bit - when I make a request to myserver.domain.com, the domain-level cookie set by ltpa.domain.com is not pushed to myserver.domain.com, although it should be. The single sign-on process is automatically redirected back to ltpa.domain.com if there are no cookies (and clicks the cookie on the client that the ltpa login process uses to redirect) - the domain-level cookie set by myserver does not return to ltpa.domain.com.

Again, this only happens in this single instance of IE8 on my dev machine that I know of. This process is used thousands of times a day with a fairly large user base, and we have not received any other complaints from end users, so there is no indication that this is a system problem with IE8 or something like that.

It seems to me that I consider myserver.domain.com and ltpa.domain.com as separate domains, even though they are not.

There are two points of interest that could be mentioned, but they may be red herrings, as this has always been the case and never caused a problem.

  • DNS is a bit funky here. LTPA.domain.com resolves to an external IP address. However, myserver.domain.com resolves to an internal IP address. Performing a reverse lookup on this IP gives the internal DNS name - say, myserver.internal.domain.com. I assumed that IE8 does some kind of reverse lookup to prevent DNS-based attacks, so I changed my HOSTS file and pointed myserver.domain.com to an external IP for testing. I confirmed in Fiddler that requests go to an external IP address, but it has nothing to do with cookies. They still haven't passed.

  • Previously, myserver.domain.com was located under "Trusted Sites" in the WinInet IE Security Configuration Pages. I deleted it and another site that was there. Call this one my2.domain.com; this machine coincidentally (or maybe not?) does not transmit the domain cookie set by ltpa.domain.com. In this case, I do not need cookies, but I still tested them to see if this problem affects other machines. The IE status bar displays the ltpa.domain.com, portal.domain.com, and myserver.domain.com objects in the Internet zone. What is strange is that my2.domain.com still shows "Trusted sites" in the status bar, although it is not listed in the dialog box. Yes, I rebooted after making the changes.

Other notes.

  • I am aware of other issues with IE and non-.com domains indicated by cookie values and other cookie anomalies mentioned here on stackoverflow and elsewhere on the Interwebs. None of them apply. I read Eric Law's IEInternals article on cookie internals - http://blogs.msdn.com/ieinternals/archive/2009/08/20/WinINET-IE-Cookie-Internals-FAQ.aspx

  • There are no built-in add-ons in IE. Just Flash, Silverlight, Live ID login assistant and Fiddler2.

  • There are no InPrivate rules for filtering content specific to my domain.

  • Since I'm on a laptop, I tried IE8 from my home network (after rebooting) to eliminate DNS issues. As far as I can tell, I experience the same behavior at home, so funky DNS is not a problem.

  • I plowed all the IE settings several times, thinking that I might have missed the obscure cookie settings. Privacy settings are located on Medium, and there are no sites with special processing.

  • Using dev tools, I made sure that "Always Refresh From Server" is not installed.

  • I don’t think this is all I can tell Microsoft, as I cannot reproduce the problem anywhere else.

So, at this moment I am at a loss. It was not possible to turn on some diagnostic mode in IE8, which I don’t know about, or to have code for debugging it ... I ran out of good ideas.

I think that either I encountered an error, some registry setting or similar was changed, or something became corrupt somewhere.

Any ideas?

+6
internet-explorer cookies internet-explorer-8 setcookie
2 answers

I think I tracked this issue here.

This should be a bug in IE. Well, two if we split hairs.

Despite the fact that I deleted myserver.domain.com and my2.domain.com from the list of Trusted Sites in the IE security dialog box quite early, these sites remained in the zone configuration in the registry! I could figure this out by searching the registry for the names of my servers and voila, a little detective work was fruitful.

There is a subkey under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

for domain.com

And under the domain.com key there were two subkeys for the two different servers that I deleted from the Trusted Sites list dialog box - each with a REG_DWORD for the value * set to 2. This, of course, means that the site is placed in Trusted Sites.

I was able to dig up an old article from "Scripting Guy" discussing this particular key and the available values for changing zones. http://blogs.technet.com/heyscriptingguy/archive/2005/05/02/how-can-i-add-a-site-to-internet-explorer-s-restricted-sites-zone.aspx

Perhaps these settings are outdated in the user interface in some way, but are still considered / used? I do not know, but it is clear that there is a mismatch that is shown in the user interface and what is actually used.

In addition, as mentioned in the previous comment, when you get to the root of myserver.domain.com (which led to a 403 from the server, btw), the status bar displays "Internet | Protected Mode: Off", which only added to the confusion because it should have read "Trusted Sites | Protected Mode: Off".

So the solution turned out to be either

a - delete the above registry entries so that everything moves to the Internet zone, OR

b - add *.domain.com to the list of trusted sites so that everything moves to the Internet zone.

Hope you can write these issues in IE Eric team?

Thanks for pointing in the right direction!

+3
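
The registry check this answer describes, as an added example that is not part of the original post: a read-only PowerShell listing of the explicit ZoneMap entries for one domain, so entries that the Trusted Sites dialog no longer shows can be spotted. The domain and host names are the placeholders used on this page; checking HKCU as well as HKLM, and the zone numbers other than 2, are assumptions added here from the standard IE zone numbering.

```powershell
# Added example, not code from the original answer. Read-only: nothing is changed.
# $Domain and $Hosts are placeholders using the names from this page.
param(
    [string]   $Domain = 'domain.com',
    [string[]] $Hosts  = @('ltpa', 'portal', 'myserver', 'my2')
)

# Zone numbers stored in ZoneMap values (2 = Trusted Sites, as the answer notes).
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet'; 4 = 'Restricted sites' }
$suffix = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# Collect every explicit mapping under <hive>\...\Domains\<Domain> and its subkeys.
$entries = @(foreach ($hive in 'HKLM:', 'HKCU:') {
    $base = "$hive\$suffix\$Domain"
    if (-not (Test-Path -LiteralPath $base)) { continue }
    $root = Get-Item -LiteralPath $base
    foreach ($key in (@($root) + @(Get-ChildItem -LiteralPath $base))) {
        # The domain key maps the domain itself; each subkey maps one host under it.
        $name = if ($key.Name -eq $root.Name) { $Domain } else { "$($key.PSChildName).$Domain" }
        foreach ($scheme in $key.GetValueNames()) {
            if ($key.GetValueKind($scheme) -ne 'DWord') { continue }
            $zone = [int]$key.GetValue($scheme)
            New-Object PSObject -Property @{
                Hive = $hive; HostName = $name; Scheme = $scheme
                Zone = $zone; ZoneName = $zoneNames[$zone]
            }
        }
    }
})

# Show what each host of interest is explicitly mapped to, if anything.
foreach ($h in $Hosts) {
    $fqdn = "$h.$Domain"
    $hits = @($entries | Where-Object { $_.HostName -eq $fqdn })
    if ($hits.Count -eq 0) { "{0,-24} no explicit ZoneMap entry" -f $fqdn; continue }
    foreach ($e in $hits) {
        "{0,-24} {1} scheme '{2}' -> zone {3} ({4})" -f $fqdn, $e.Hive, $e.Scheme, $e.Zone, $e.ZoneName
    }
}

# Explicit entries for only some hosts mean siblings can land in different zones.
$mapped = @($entries | Select-Object -ExpandProperty HostName -Unique)
if ($mapped.Count -gt 0) {
    Write-Warning ("Explicit zone entries exist for: {0}. Compare with the Trusted Sites dialog." -f ($mapped -join ', '))
}
```

A host that prints an explicit zone while its siblings print "no explicit ZoneMap entry" is the mismatch the answer found by searching the registry by hand.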

You need to be very careful with the word "domain" as many people use it to mean different things.

http://blogs.msdn.com/ieinternals/archive/2009/09/19/Private-Domain-Names-and-Public-Suffixes-in-Internet-Explorer.aspx

From the description, this sounds very similar to the fact that you got into problem #3 in the "Troubleshooting cookies" section described in this post: http://blogs.msdn.com/ieinternals/archive/2009/09/11/Troubleshooting-Stored-Login-Problems-in-IE.aspx

You need to solve the problem with the zone / integrity level in order to solve the problem with the cookie.

+1