Persistent cookies from a servlet in IE

Question

I have a cookie which is generated from a servlet and that I would like to be persistent - that is, set the cookie, close down IE, start it back up, and still be able to read the cookie. The code that I'm using is the following:

HttpServletResponse response = 
    (HttpServletResponse) FacesContext.getCurrentInstance()
    .getExternalContext().getResponse();

Cookie cookie = new Cookie("someKey", "someValue");
cookie.setMaxAge(7 * 24 * 60 * 60);
response.addCookie(cookie);

This works great in firefox, but in IE 6/7, the cookie is not saved between browser restarts. I've checked everything that I can think of in my settings, but can't figure out what would be causing the cookie to be deleted. As far as I know, calling setMaxAge with a positive number makes the cookie persistent. Any ideas why this would be going wrong?

Edit

I have verified, using the more info trick suggested by Olaf, that the cookie is attempting to be set as a session cookie, not a persistent cookie; the max age is set to "end of session". So it doesn't seem like the max age is being set for IE - I have verified that in Firefox, the max age is set correctly. I still have no idea what's going on.

Answer 1

Few suggestions.

1. Are you using fqdn to access the site?
2. use fiddler to check how does the cookie looks in the http response.
3. Check if other sites on the internet are storing cookies successfully.

Answer 2

As I don't use windows this is some fainted memory: If you set your IE cookie settings to "ask for permission" each time a cookie is set - doesn't it show how long the cookie is supposed to be valid? Also, you might want to add the site to another security zone (local or whatever that was called) in order to get completely different settings and try again then.

Hope this helps...

Answer 3

I know nothing of Java or servlets, but IE will only persist a cookie if it has an Expires date, setting max-age is not sufficient, IE will continue to treat it as a session cookie.

Answer 4

This http://www.mail-archive.com/[email protected]/msg52249.html has the answer, but doesn't really explain why.

That is, by encoding @ (which is an unacceptable character in version 0 cookies), the cookie sent in the response has it's version set to 0 (acceptable to IE) rather than 1 (a different format and therefore unacceptable IE).

My issue was the sort of the same. We were Base64 encoding our cookie value and sending it down. However, Base64 includes characters like '=' ... which is again illegal in version 0 and thereby unacceptable to IE.

The mystery that remains for me is: some part of the stack is 'smart' enough to recognize that the cookie value is invalid as a version 0 cookie and decides to send the response as a version 1 cookie (which includes explicit version number, the "unacceptable" characters, max-age rather than expires field, etc.) I don't know if it's Tomcat, Faces, Spring or javax.servlet which makes the decision to flip the version.

Bottom line: URI encoding on the value of the cookie will ensure the cookie set to the browser is version 0 and therefore persisted by IE.