

Internet Explorer Cookie Internals (FAQ)

Over the five years I’ve worked on Internet Explorer, I’ve probably seen more questions from the community about HTTP cookies than on any other topic. Cookies are an integral component of most websites in use today, and hence problems or unexpected behaviors with cookies tend to get a lot of attention.

In this post, I’ll try to summarize the most common questions and answers I’ve seen related to Internet Explorer’s implementation of cookies. I may add to this FAQ over time.

 

Q1: IE’s cookie code doesn’t seem to support <something> as defined in RFC2109 or RFC2965.

A: Correct. Internet Explorer (including IE8) does not attempt to support any RFC for cookies.

WinINET (the network stack below IE) has a cookie implementation based on the pre-RFC Netscape draft spec for cookies. This means that directives like max-age, versioned cookies, etc., are not supported in any version of Internet Explorer.

 

Q2: If I don’t specify a leading dot when setting the DOMAIN attribute, IE doesn’t care?

A: Correct. All current version browsers (Chrome, FF, Opera, etc) seem to treat a leading dot as implicit. Here’s a test case.

 

Q3: If I don’t specify a DOMAIN attribute when setting a cookie, IE sends it to all nested subdomains anyway?

A: Yes, a cookie set on example.com will be sent to sub2.sub1.example.com.

Internet Explorer differs from other browsers in this regard. Here’s a test case.

Update: This behavior bug was removed from Edge by Windows 10 RS3, but remained in IE11 on Windows 10. By Windows 10 RS4 (April 2018), both Edge and Internet Explorer match other browsers.
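
The difference described in Q2 and Q3 can be made concrete with a small model. This is an added example, not code from the original post or from Internet Explorer; the jar structure, the mode names `legacy-ie` and `host-only`, and the sample hosts and values are assumptions, and it ignores path, Secure, expiry and the top-level-domain restriction from Q6.

```javascript
// Added example: simplified cookie jar comparing legacy IE handling of cookies
// set WITHOUT a DOMAIN attribute (Q3) with the host-only handling of other browsers.
// Mode names and sample hosts are constructed for illustration.

// Q2: a leading dot on the DOMAIN attribute is implicit, so drop it.
function stripLeadingDot(domain) {
  return domain.replace(/^\./, '');
}

// True when host is the domain itself or a subdomain of it (label-aligned).
function domainMatch(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Store a cookie. domainAttr === undefined means Set-Cookie carried no DOMAIN attribute.
function setCookie(jar, setByHost, name, value, domainAttr) {
  const host = setByHost.toLowerCase();
  const hostOnly = domainAttr === undefined;
  const domain = hostOnly ? host : stripLeadingDot(domainAttr.toLowerCase());
  if (!domainMatch(host, domain)) return false; // only own host or a parent domain
  const existing = jar.find((c) => c.name === name && c.domain === domain);
  if (existing) {
    existing.value = value;
    existing.hostOnly = hostOnly;
  } else {
    jar.push({ name, value, domain, hostOnly });
  }
  return true;
}

// Cookies attached to a request for requestHost under the given mode.
function cookiesFor(jar, requestHost, mode) {
  const host = requestHost.toLowerCase();
  return jar.filter((c) => {
    // Other browsers: a cookie set without DOMAIN goes back to the exact host only.
    if (c.hostOnly && mode === 'host-only') return host === c.domain;
    // Legacy IE: the same cookie also flows to every nested subdomain.
    return domainMatch(host, c.domain);
  });
}

function cookieHeader(jar, requestHost, mode) {
  // Order here is insertion order; real browsers give no ordering guarantee.
  return cookiesFor(jar, requestHost, mode)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Constructed scenario: example.com sets a session cookie and redirects to
// www.example.com, which sets a cookie of the same name.
function redirectScenario(domainAttr) {
  const jar = [];
  setCookie(jar, 'example.com', 'ASPSESSIONID', 'first', domainAttr);
  setCookie(jar, 'www.example.com', 'ASPSESSIONID', 'second', domainAttr);
  return jar;
}

const noDomain = redirectScenario(undefined);
console.log('legacy-ie :', cookieHeader(noDomain, 'www.example.com', 'legacy-ie'));
console.log('host-only :', cookieHeader(noDomain, 'www.example.com', 'host-only'));
console.log('with DOMAIN:', cookieHeader(redirectScenario('example.com'), 'www.example.com', 'legacy-ie'));
```

In the legacy mode the server at www.example.com receives two cookies with the same name and cannot tell which host set which; setting both with the same DOMAIN attribute collapses them into one.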

 

Q4: How many cookies will Internet Explorer maintain for each site?

A: As of August 2007, the per-host limit was increased from 20 to 50. The August update applied to IE5, 6, and 7. IE8 natively can support 50 cookies per host, and Firefox uses the same limit.

It’s worth mentioning that the increased cookie limit actually broke the website of a major financial institution. The site depended on cookies beyond the 20 cookie limit getting dropped, and stopped working properly when the limit was increased. This is just one example of how tightly-coupled today’s web is to IE’s cookie implementation. That, in turn, is one reason why the IE team must exercise great care when making any change to IE’s cookie implementation.

The document.cookie property is limited to 10KB.

WinINET will not respect a Set-Cookie response header value longer than 5118 bytes. WinINET allows 50 cookies, each of which is ~5kb long.  Hence a request could carry 250kb of cookies.  (eek!)

 

Q5: IE won’t set a cookie when the hostname/domain contains an underscore?

A: Correct. Technically, an underscore (like this _ ) is not a DNS character, and while Windows will let you use an underscore when naming your machine, it warns you that doing so may cause problems. One such problem is that WinINET blocks attempts to set cookies on such domains. See https://support.microsoft.com/kb/316112/en-us

 

Q6: IE won’t set a cookie for certain domains, like those of the format https://xx.yy?

A: Correct. The idea is that you may not set a cookie on a "top-level" domain shared by unrelated organizations. Historically, ccTLDs of the format xx.yy were effective TLDs, so cookies may not be set on them. While this heuristic was never perfect, it's been unchanged for over 15 years and hence is not likely to change any time soon. The intricacy of this issue merits a long blog post all its own-- see this post.

 

Q7: My site is not receiving cookies when it is running in an IFRAME and the parent page is from a different domain. Why?

A: Internet Explorer has restrictions on “3rd party” cookies. 3rd party cookies are cookies which are set or sent for resources from a different domain than the top-level browsing context. You can easily confirm P3P/Cookie restrictions as the root cause of such issues by temporarily changing IE’s Tools / Options / Privacy setting to “Accept All Cookies”.

In order to allow such cookies to be sent reliably, you should send a P3P header when setting the cookie.

You can use Fiddler’s “Privacy Inspector” to view and analyze any P3P Policy. To learn more about P3P and IE, see my quick P3P guide.

 

Q7b: My page doesn't receive or set cookies when it is running in an IFRAME with the SECURITY=RESTRICTED attribute. Why?

A: The SECURITY=RESTRICTED attribute on IFRAMEs indicates that the browser should treat the content as if it came from the Restricted Sites zone. Content in this zone cannot set or read cookies. Cookies will not be sent to the server, and cookies will not be set if received from the server. To resolve this problem, you will need to communicate any necessary state information to the server via another mechanism (e.g. a token in the URL).

 

Q8: Are there any limits to the HTML DOM document.cookie property?

A: In IE5, 6, and 7, if the cookie string is longer than 4096 bytes, the document.cookie property will return an empty string. For IE8, this limit was increased to 10Kb.

Also, due to an obscure bug in the underlying WinINET InternetGetCookie implementation, IE’s document.cookie will not return a cookie if it was set with a path attribute containing a filename.

For instance, if a page sets a cookie on itself like so:

Set-Cookie: HTTPSet-PathCookie=PASS;path=/check.htm 

…the cookie will be sent with HTTP requests but will not appear in the document.cookie collection.

 

Q9: Cross-Site Scripting attacks (XSS) can steal cookies. What can I do?

A: Determine if you need to expose your cookies to scripts running on your site.  If your cookies are only used by your server, and your scripts don’t require access to your cookies, use the HttpOnly attribute to help protect your site against cookie theft via cross-site scripting attacks.

Simply add the HttpOnly attribute to each Set-Cookie header, and Internet Explorer will ensure that your cookie is not available to any script running in your pages. Cookies with the HttpOnly attribute are still sent in each HTTP request, but will not appear in the script-accessible document.cookie property. This means that if a hacker finds a cross-site scripting hole in your site, he cannot easily use the hole to steal logged-on visitors’ cookies.

The HttpOnly attribute is supported in all modern browsers (IE6+, FF3+, Safari 4, Chrome, Opera 9.5+).
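
Several of the behaviours in Q1, Q4, Q5, Q8 and Q9 can be checked mechanically before a Set-Cookie header ships. The following is an added example, not code from the original post or from WinINET; the rule names, the `scriptNeedsCookie` option and the sample headers are assumptions, and the filename test on the path is a heuristic.

```javascript
// Added example: lint a Set-Cookie header value against the IE/WinINET
// behaviours this FAQ describes. Rule names are made up for this example.
const WININET_MAX_SET_COOKIE_BYTES = 5118; // Q4: longer header values are not respected

// Well-formed Expires: Netscape "Wdy, DD-Mon-YY HH:MM:SS GMT" or the RFC 1123 form.
const EXPIRES_RE = /^[A-Za-z]{3,9}, \d{1,2}[- ][A-Za-z]{3}[- ]\d{2,4} \d{2}:\d{2}:\d{2} GMT$/;

// Split "name=value; attr=val; flag" into the pair and a lower-cased attribute map.
function parseSetCookie(headerValue) {
  const parts = headerValue.split(';').map((p) => p.trim()).filter(Boolean);
  const first = parts.shift() || '';
  const eq = first.indexOf('=');
  const cookie = {
    name: eq < 0 ? '' : first.slice(0, eq).trim(),
    value: eq < 0 ? first : first.slice(eq + 1).trim(),
    attrs: new Map(),
  };
  for (const part of parts) {
    const i = part.indexOf('=');
    const key = (i < 0 ? part : part.slice(0, i)).trim().toLowerCase();
    cookie.attrs.set(key, i < 0 ? '' : part.slice(i + 1).trim());
  }
  return cookie;
}

// Returns an array of { rule, detail } findings; an empty array means no issue found.
function lintSetCookie(headerValue, requestHost, options = {}) {
  const attrs = parseSetCookie(headerValue).attrs;
  const findings = [];
  const flag = (rule, detail) => findings.push({ rule, detail });

  if (Buffer.byteLength(headerValue, 'utf8') > WININET_MAX_SET_COOKIE_BYTES) {
    flag('too-long', `value exceeds ${WININET_MAX_SET_COOKIE_BYTES} bytes; WinINET will not respect it`);
  }
  if (attrs.has('max-age') && !attrs.has('expires')) {
    // Q1: max-age is not supported, so IE sees no lifetime on this cookie.
    flag('max-age-only', 'max-age is not supported by IE; send a well-formed Expires as well');
  }
  if (attrs.has('expires') && !EXPIRES_RE.test(attrs.get('expires'))) {
    flag('expires-malformed', 'Expires is not a well-formed GMT date');
  }
  if ([requestHost, attrs.get('domain') || ''].some((h) => h.includes('_'))) {
    // Q5: WinINET blocks cookies on hostnames containing an underscore.
    flag('underscore-host', 'hostname or DOMAIN contains an underscore');
  }
  // Q8 (heuristic): a dot in the last path segment suggests a filename.
  const lastSegment = (attrs.get('path') || '/').split('/').pop();
  if (lastSegment.includes('.')) {
    flag('path-filename', 'path names a file; cookie is sent but hidden from document.cookie');
  }
  if (!attrs.has('httponly') && !options.scriptNeedsCookie) {
    // Q9: cookies used only by the server should not be script-readable.
    flag('missing-httponly', 'add HttpOnly unless page script must read this cookie');
  }
  return findings;
}

// Constructed sample headers, not taken from any real site.
const SAMPLES = [
  ['sid=abc; Max-Age=3600; Path=/check.htm', 'my_app.example.com'],
  ['sid=abc; Expires=Wed, 09 Jun 2021 10:18:14 GMT; Path=/; HttpOnly', 'www.example.com'],
];
for (const [header, host] of SAMPLES) {
  console.log(host, '->', lintSetCookie(header, host).map((f) => f.rule));
}
```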

 

Q10: How can applications or native code add-ons set cookies?

A: Applications should set cookies using the InternetSetCookieEx function, passing the appropriate flags to indicate if a cookie is being set from a 3rd party context, and any P3P directives available. The non-EX version of this function will unconditionally set a cookie (even if “Block all cookies” is set in IE’s settings) although such cookies will not be subsequently sent to servers while the “Block all cookies” setting is active.

Note: On Windows Vista and above, Internet Explorer runs Internet content in Protected Mode, a sandbox with an isolated cookie store. In order to set a cookie in the Protected Mode sandbox from an external application running at Medium integrity (aka outside of Internet Explorer), you must use the IESetProtectedModeCookie function. This API was added in IE8, and unfortunately, there is no straightforward alternative for IE7. This API has a number of limits; in particular, it cannot be called by processes running at High Integrity (Admin), and it does not have an option to provide the P3P policy string when setting the cookie.

IE10+ on Windows 8+ introduced Enhanced Protected Mode which uses AppContainers (rather than Integrity Levels) for isolation. EPM does not offer an API for interacting with cookies; IESetProtectedModeCookie will not set the cookie inside an AppContainer.

Q11: How can applications or native code add-ons retrieve cookies?

A: Use the InternetGetCookieEx function.

Note, by default, the cookies returned from this function will not include any HTTPOnly cookies. To retrieve HTTPOnly cookies, you must pass the INTERNET_COOKIE_HTTPONLY flag, available in IE8+. If you decide to pass this flag, you must ensure that your code will not expose the returned value to any script-controllable context. (Note: It appears that support for the INTERNET_COOKIE_HTTPONLY flag was added to IE7 in a cumulative update (KB960818)).

Note: On Windows Vista and above, Internet Explorer runs Internet content in Protected Mode, a sandbox with an isolated cookie store. In order to get a cookie from the Protected Mode sandbox from an external application running at Medium integrity (aka outside of Internet Explorer), you must use the IEGetProtectedModeCookie function. This API was added in IE8, and unfortunately, there is no straightforward alternative for IE7. This API has a number of limits; in particular, it cannot be called by processes running at High Integrity (Admin).

IE10+ on Windows 8+ introduced Enhanced Protected Mode which uses AppContainers (rather than Integrity Levels) for isolation. EPM does not offer an API for interacting with cookies; IEGetProtectedModeCookie will not get the cookie inside an AppContainer.

 

Q12: How can I log into my web application multiple times? How are cookies shared between IE windows?

A: Good question, and the answer has changed a bit in IE8. I wrote up a full post on the subject over on the IEBlog.

 

Q13: How can I control (block, downgrade or allow) cookies?

A: See Internet Explorer Cookie Controls.

 

That’s it for now; thanks for reading!

Comments

  • Anonymous
    September 15, 2009
    The comment has been removed

  • Anonymous
    September 15, 2009
    @Dan: I'm not sure exactly what you're suggesting. Starting over would solve nothing at all-- no websites would magically start to work. Generally speaking, no compatibility problems would magically disappear, although we could trade some compat problems for other compat problems.

  • Anonymous
    October 25, 2009
    I am using sessions in my application. (It's an ASP.NET application.) If I am blocking all the cookies, it does not allow me to proceed from the login page in IE8. But in IE6 it allows me to proceed further. How exactly are session cookies affected if I am blocking all cookies in IE6 and IE8?

  • Anonymous
    October 26, 2009
    Sheetal: If you're actually blocking all cookies, then you're blocking session cookies too. But without more repro-steps, it's really impossible to say what you're seeing.

  • Anonymous
    November 05, 2009
    Hello, I'm trying to set cookies for my website. I add a Set-Cookie: attribute to my HTTP header with expiration, domain, and path attributes set. Everything works fine in Firefox. Internet Explorer does not seem to accept any of my cookies. This happens even when I put privacy settings to the minimum or turn everything off. What could be the cause of this? (testing on IE8) -Chris

  • Anonymous
    November 05, 2009
    Chris, you'll need to either provide a public URL, or a traffic capture (www.fiddler2.com) to debug this.

  • Anonymous
    November 09, 2009
    Eric, Thanks a lot for the response. I am working with fiddler now and it is a big help. I wish I had known about it a while ago. Before downloading fiddler, however, I did some trial and error with my headers to see if there was something wrong with my syntax. I found that when the 'expires' argument in a 'Set-Cookie:' header is removed, the cookie is actually stored. I have tried poking around to see what I need to do to make it work for IE but have not found anything. Thanks again, Chris

  • Anonymous
    November 09, 2009
    @Chris: What specifically was your Expires element's value? If it was in the past, then the cookie will be deleted. If it was malformed (e.g. using a non-GMT timezone) the cookie should be downgraded to a session cookie.

  • Anonymous
    November 09, 2009
    Hello, Thanks for the feedback. I was being careless and assumed my timezone was EDT. One off from EST. So my dates were mixed up. I feel stupid admitting such a careless bug. I'd like to thank you for your responses. -Chris

  • Anonymous
    November 15, 2009
    I have an application that allows users to customize the app by entering info on the web page my app is downloaded from. The page stores the info in a cookie on the user's machine. Pre Vista I used InternetGetCookie to read the cookie then deleted the cookie by setting a past expire date using InternetSetCookie. This prevented the cookie from being read each time the app starts and potentially resetting changes a user may make. With the advent of protected mode I am using IEGetProtectedModeCookie and am trying to use IESetProtectedModeCookie to expire the cookie. It appears the set function is creating another cookie (with the expire date) rather than updating the current cookie. Is that normal and if so is there a way to expire an existing cookie?

  • Anonymous
    November 15, 2009
    @John: Is the cookie that you're trying to expire a session cookie or a persistent cookie? If you have a simple demo app, I'm happy to take a look. Use the Email link at the top-right of this page to contact me.  Thanks!

  • Anonymous
    November 17, 2009
    Here is some odd IE8 behavior that threw me for a loop today. My site X is using an iframe to make a transaction using site Y. (See http://dev.braintreepaymentsolutions.com/payment-processing/transparent-redirect/ for an example of why one would do this.) Site X uses cookie-based sessions. The page on X has a form that posts to Y. Y responds by redirecting to another page on X that interprets the result, puts a message in the cookie, and redirects back to the first page on X. In trace form:

    GET //x/form -> 200, Set-Cookie C1
    POST //y/process_form -> 302 to //x/result
    GET //x/result -> 302 to //x/form, Set-Cookie C2
    GET //x/form -> 200

    The problem is that although X is setting its own cookie to C2, IE is ignoring it and sending cookie C1 in the last GET. My theory is that because the //x/result GET is a redirect from host Y, IE is treating the cookies from that response as if they came from host Y. Since host Y has no P3P header, cookie C2 is thrown away. Setting a P3P header on host X's response when setting the C2 cookie solves the problem. I am wondering if this is expected behavior. Should first-party cookies be rejected because they came from a redirect?

  • Anonymous
    December 06, 2009
    Hi, I am using "InternetSetCookieW " call to create cookie from my application. On Vista + IE7: This creates cookie in location c:\windows\temp. As per IE7 settings, it is reading cookie from location "C:\Users\dipti\AppData\Local\Microsoft\Windows\Temporary Internet Files" I am suspecting some setting is causing this. Can you help me to understand why InternetSetCookieW  writing cookie at different location than the location set for IE? Thank you, Dipti

  • Anonymous
    December 06, 2009
    @dipti: Regardless of where the file lives, do you see the cookie get sent? @walter: I'd love to see a network capture (www.fiddlercap.com) of your scenario. You can mail it to me using the Help > Send Feedback link in FiddlerCap/Fiddler.

  • Anonymous
    December 07, 2009
    The comment has been removed

  • Anonymous
    December 22, 2009
    Hi, why can't I use document.cookie to get the cookies that are set by ASP.NET FormsAuthentication, when I can set and get cookies set on the client side by JavaScript? All the cookies are transferred in network traffic (can be viewed by Fiddler).

  • Anonymous
    December 23, 2009
    @Jethro: I'd imagine that ASP.NET Forms Authentication cookies are set with the httpOnly attribute which forbids interacting with those cookies using JavaScript. http://msdn.microsoft.com/en-us/library/system.web.httpcookie.httponly.aspx

  • Anonymous
    March 21, 2010
    InternetSetCookie function, unconditionally sets a cookie (even if “Block all cookies” is set in IE’s settings). I want to allow such cookie to be subsequently sent to the server( while the “Block all cookies” setting is active). Please suggest a way to achieve this. Thanks -Ravi

  • Anonymous
    March 23, 2010
    @Ravi: You'll have to provide more details. IE will not send cookies to Internet-zone servers when "Block all cookies" is set for the privacy settings.

  • Anonymous
    March 28, 2010
    Hi i wanna delete a cookie by setting a past expire date using InternetSetCookie. [broken code removed]  thanks.

  • Anonymous
    March 29, 2010
    @bob: Your code sample is corrupted by the blog software. Send me email directly (ericlaw at microsoft)

  • Anonymous
    March 29, 2010
    Regarding Q7, setting cookies from different domain inside iframe. P3P is often a solution - or Thu I am not really sure if it is always enough. I wonder regarding Q7:

    1. Does it make any difference if it's a session cookie, or a permanent cookie?
    2. Does it make any difference if the different domain is just a subdomain, or really a different domain?
    3. (this is kind of tricky) - does it make any difference for the IE privacy check, what IP address the domain is hosted on, or does IE only react on the domain name itself?

    Best regards and thanks if someone has something to add - I will try to check out on these three questions on my own, and return here later on.

  • Anonymous
    March 29, 2010
    @Anders: P3P is the setting that controls. 1> P3P changes behavior depending on whether it's a session cookie or a permanent cookie. Sometimes permanent cookies are "downgraded" to session cookies. 2> "subdomains" may be treated as "different" domains when it comes to P3P; I haven't looked at this recently and need to recheck. 3> No, IE doesn't care about the IP address for this, or any other privacy/security check based on hostname.

  • Anonymous
    March 30, 2010
    Thanks. Re 2> It seems to me, in general, that cookies in iframes is much more accepted when the iframe is a subdomain hostname.

  • Anonymous
    March 30, 2010
    I am using WinInet APIs for HTTP req/response in my C++ application, and I want to send cookie (regardless of IE’s settings). I tried INTERNET_OPTION_SUPPRESS_BEHAVIOR value = INTERNET_SUPPRESS_COOKIE_POLICY but that didn't work. I want to know whether it is possible to send the cookie (programmatically, not using IE) even if user has set IE to block all the cookies. If yes then please suggest how? Any help/pointer would be very helpful. Thanks, -Ravi

  • Anonymous
    April 20, 2010
    Hi Eric, in the WebBrowser control, when a webpage changes the cookie by JS (document.cookie="..."), how can I get notified? Because I would like to get the cookie value.

  • Anonymous
    April 21, 2010
    @Mike: There's no reliable/non-hacky way to do that. The hacky ways would be to do something like inject a script function into every page that wraps the document.cookie object and notifies your application that the method is being called. Or you could implement IInternetSecurityManager and watch for tests of the cookie-related URLActions, but you would only be able to use this to know when something might have changed; you'd need to call InternetGetCookie to get the cookie and manually look for any changes.

  • Anonymous
    June 07, 2010
    What can cause IE7, for example, to create a numerically incremented version of a cookie file? For example, if this cookie exists:     allan@www.example[1].txt then what might cause this file to get created:     allan@www.example[2].txt ? Thanks. -Allan

  • Anonymous
    June 08, 2010
    @Allan: The name of the text file on disk is an internal implementation detail upon which a dependency should not be taken. Generally speaking, WinINET's file creation logic will append increasing numbers [n] after filenames in order to ensure uniqueness. The use of a [2] suggests that a file named [1] existed at some point in time when a new file needed to be created.

  • Anonymous
    October 15, 2010
    <quote> Q3: If I don’t specify a DOMAIN attribute when a cookie, IE sends it to all nested subdomains anyway? A: Yes, a cookie set on example.com will be sent to sub2.sub1.example.com.  Internet Explorer differs from other browsers in this regard. <UNQUOTE> I am experiencing a problem with this: I reload my page multiple times, using session_start() every time it loads.  JavaScript sets cookies that I use in php.  When using Internet Explorer, $_ENV["HTTP_COOKIE"] contains multiple entries for each cookie.  This does not happen with Firefox. As you pointed out, when executing code at a domain named x.y.z, Internet Explorer sends the cookies for x.y.z and the cookies for y.z.  PHP then puts both sets of cookies into $_ENV["HTTP_COOKIE"].  Now what shall I do with multiple cookies sharing the same name?  Can I reliably assume that the first one is for x.y.z?  Does $_COOKIE["cookiename"] always contain the first cookie named cookiename?  Can I rely on that?          ... Warren Gaebel, B.A., B.C.S.

  • Anonymous
    October 15, 2010
    > Can I reliably assume that the first one is for x.y.z?
    No.
    > Does $_COOKIE["cookiename"] always contain the first cookie named cookiename?
    Sorry, you'd have to ask a PHP expert for the answer to that. I would assume so, but I don't use PHP.

  • Anonymous
    October 16, 2010
    @EricLaw: Given a domain zz.no, with sub domains auth.zz.no, community.zz.no... How can I make IE accept cookies set from auth.zz.no to work for all sub domains (incl parent domain zz.no) ?? ".zz.no" works in other browsers, but does not seem to work with IE.

  • Anonymous
    October 16, 2010
    @andrerom: See Q6 above, and the post that I link to in the answer

  • Anonymous
    October 16, 2010
    The comment has been removed

  • Anonymous
    October 16, 2010
    The comment has been removed

  • Anonymous
    October 16, 2010
    @EricLaw: Thanks, totally overlooked the IE8 part. Theoretically (overlooking that it won't work in IE6 / IE7): who do I contact in MS to report additional domain to add to the domain list?

  • Anonymous
    October 18, 2010
    The comment has been removed

  • Anonymous
    October 18, 2010
    @Bing: Generally speaking, this is expected. WebBrowser Controls and IE generally share persistent cookies (session cookies, by their per-process nature, are not shared). Now, the one caveat is that WebOCs and IE may not share cookies when running on Vista+ when Protected Mode is enabled, because Internet sites run at Low in IE and at Medium in most WebOC applications, and there's a partition between the Low and Medium cookie stores. I am not aware of any easy mechanism to opt-out of sharing the Persistent cookie store between a WebOC application and IE.

  • Anonymous
    October 18, 2010
    Eric: From fiddler, Y&T cookies are session cookies because they don't have "expires" attribute. If so, why WebOC and IE still share Y&T cookies?

  • Anonymous
    October 18, 2010
    @Bing: When Yahoo deletes the cookie, they send an Expires attribute in the past, don't they?

  • Anonymous
    October 20, 2010
    I'm seeing an issue where users with their system clocks set in the future are unable to log into a site. Does IE use the "Date" response header as a base for comparison with a cookie's "expires" value or just use the system clock?

  • Anonymous
    October 20, 2010
    @John: Very interesting question. I don't see any code that attempts to adjust the cookie's Expiration based on the server's DATE header. I'd imagine that such adjustments could cause some problems due to cached server responses on proxies.

  • Anonymous
    November 11, 2010
    It's been a while since I looked at cookies, and I'm only doing so now because System.Gadget seems to be disabled in Vista Home Basic (I think, but can't confirm).  Anyway, it seems like Bill Dortch's 1996 work is still valid.  But I am puzzled.  Am I right in thinking that there is really only one conceptual cookie available to any web site/page/whatever, and that all the information is held as compound elements in a pushdown stack? Nowhere is document.cookie qualified with any name as such, only the crumbs.

  • Anonymous
    November 11, 2010
    @John: I'm afraid I have absolutely no idea what you're talking about.

  • Anonymous
    December 17, 2010
    Today we found a site that was setting a cookie like so:

        document.cookie = "a=b;expires=99999"

    In some browsers, this will create a session cookie. In IE, this will typically set a cookie that expires in 1 second or less. In contrast, if you set a cookie like so:

        document.cookie = "a=b;expires=99f999"

    The Expires parameter will be ignored and a session cookie will be created. The lesson? Don't set Expires if you want a Session cookie. If you want a Persistent cookie, send a well-formed Expires parameter.

  • Anonymous
    January 04, 2011
    If you guys know about the obscure bug that prevents cookies set on a full path that includes the filename from showing up in document.cookie, why don't you fix it??? It seems to work in every other browser. Frustratingly yours, web developers.

  • Anonymous
    February 08, 2011
    I'm using IE8 and I can move where temporary files are stored but not cookies. Why is that? Is there a registry setting to change where they are stored? I'm trying to preserve my solid state drive by using a ramdrive....but still it is persistent on saving cookies on my SSD when I set cache to ramdisk!!!

  • Anonymous
    February 15, 2011
    Any reason why IE9 can't implement max-age?

  • Anonymous
    February 15, 2011
    @Ken: I'm not sure it would make sense to implement only one part of an RFC. Can you elaborate on the scenario?

  • Anonymous
    April 07, 2011
    The comment has been removed

  • Anonymous
    April 07, 2011
    @Vincent: No, IE only creates two cookies when you tell it to. The most common problem is when your server is available both with and without the "www". So the user goes to http://example.com which sets a cookie named e.g. ASPSESSIONID and redirects the user to http://www.example.com which also sets a cookie of the same name. At that point, two ASPSESSIONID cookies are sent to the server. You could fix this by not setting the cookie in the redirector page, or by specifying the DOMAIN attribute of both cookies as domain=example.com If you really think something else is going on, please send me a repro URL or network capture from Fiddler. But since IE's code has worked the same way for nearly >12 years, we're pretty confident in how it works.

  • Anonymous
    April 07, 2011
    Thanks for the response Eric.  o.k. So I understand why this is happening, but I'm not sure of your proposed solution. I don't have a "redirector" page, unless I'm misunderstanding what you're meaning.  The server automatically prepends the www if I don't type it in.   I wouldn't really call that a re-direct as there is only one site, just two different ways to get there.   So when you say set the domain attribute of "both" cookies, that doesn't make sense to me.   My code only sets the cookie once, so how can I control "both" cookies.    Isn't the same code running twice, to create two cookies?  I did try setting the domain both with and without the www in my cookie but either way I still have the same problem. Obviously I'm a little bit confused still.

  • Anonymous
    April 07, 2011
    @Vincent: How do you think the server "automatically prepends the www"?  Watch with Fiddler, and I expect you'll see the server returning a HTTP/301 or HTTP/302 redirect to the version with the "www" in it. If you send me a URL or a network capture, I'm happy to have a look.

  • Anonymous
    December 27, 2011
    I am trying to retrieve IE cookie using InternetGetCookie function. Problem is that this function retrieves only first cookie. I want to retrieve 2nd cookie set by that website. I tried using InternetGetCookie function twice but still only the first cookie is retrieved. What can be done to retrieve 2nd cookie? Thanks in advance

  • Anonymous
    December 28, 2011
    @Avinash: Your confusion about this API is understandable. A more accurate name for the function would be InternetGetCookieRequestHeaderValue(). When you pass null for the cookie name, the function returns ALL cookies destined for the target URL, in one string. If you don't see a value you expect to see, then be sure that you're passing in the correct URL, that you're using IEGetProtectedModeCookie if you're trying to get Low Integrity cookies, and that you're passing the INTERNET_COOKIE_HTTPONLY flag if your code is not scriptable and the target cookie had the httponly attribute set.

  • Anonymous
    January 24, 2012
    I got the cookie using InternetGetCookieEx function. But sometimes it returns the cookie value which have its expiry value set in past. I am using this function because InternetGetCookie() function does not return "HTTP_ONLY" marked cookies. So, I want to check the expiry date of the IE cookie which i get from InternetGetCookieEx().   Is there any way to do that? Thanks in advance.

  • Anonymous
    January 24, 2012
    @Avinash: Please email me. I don't see how that's possible.

  • Anonymous
    January 26, 2012
    sorry for posting it again. If possible delete last post, it is same thing again. Actually when a cookie's expiry date passes and IE is not running, then IE will delete it when it will run again. But during this time if my application tries to get the cookie using InternetGetCookieEx () function it gives me the cookie which is expired after IE was closed last time.

  • Anonymous
    January 26, 2012
    Hi, when request is send from IE8 browser I am able to see 2 cookies with the same name being send but with different values. I want to reverse the order of these.. I want the second cookie to be first the list. e.g  dupcookie="test"; dupcookie="test2" --> this is how it is send. I want to send it as   dupcookie="test2"; dupcookie="test" How can I achieve this?

  • Anonymous
    January 26, 2012
    @Ravi: You can't control the cookie order. The most common reason you end up two cookies with the same name is that they were set with different DOMAIN attributes (e.g. one on example.com and the other on www.example.com).

  • Anonymous
    February 05, 2012
    @EricLaw: I'm using the WebBrowser control. I just want each WebBrowser using its own cookie. So, can I set the path of cookie storage for each WebBrowser?

    [EricLaw] No, there's no supported way to do that.

  • Anonymous
    February 22, 2012
    Hi Eric, I'm using sessions in my application. When accessing the application through IP address, I can get the session successfully. However, I failed to get it when using localhost or domain name. BTW, I'm using IE 9. Thanks in advance.

  • Anonymous
    February 22, 2012
    Suppose I wish to write my own IE addon to add back the Cookie blocked icon back to the IE9 status bar. Is there an API or programmatic way to get notification when IE blocks a cookie?

  • Anonymous
    February 22, 2012
    @Windy: Please email me a Fiddler SAZ file showing your traffic. What does your Set-Cookie header look like? @XPClient: Extending the IE9 status bar is not a supported operation. Trident does bubble a notification from WinINET to the IE Frame when a cookie is blocked, but there's no supported mechanism for a plugin to "spy" on that notice.

  • Anonymous
    July 05, 2012
    You can use plugin that store multiple values in a single cookie. github.com/.../localdata Apache default limit for get request size is 8k - two full cookies.

  • Anonymous
    October 01, 2012
    @EricLaw - We have an issue with a site where IE 8/9 start sending requests leaving off a cookie, seemingly at random times.  e.g.,

    Requests 1-30 -- all 25 cookies sent in raw HTTPRequest
    Request 31 -- only 24 cookies sent
    Request 32 -- only 23 cookies sent

    Each response does send a Set-Cookie header with a cookie called "currentSite", so my first thought is that we are hitting the 50 cookie limit somehow.  However, that theory doesn't really add up -- a) the cookie set on each response always has the same name/domain/path  and b) the cookie store for IE does not show 50+ cookies for the domain -- considerably less. Help!  (Please :))

  • Anonymous
    January 06, 2014
    How do the cookies affect performance in general, i.e. an end-user timing experience? Thank you.