Problems with restful_authentication Plugin and Internet Explorer Cookies

July 11th, 2008 by

I just ran into a fairly obscure bug. Bit me pretty good and stole an hour from me on an otherwise quiet Friday afternoon.

How the Problem Manifested Itself: Using restful_authentication, I could log in fine using Firefox and Opera, but not Internet Explorer or Safari. I figured, it’s just an HTML POST, nothing special, so what could be going wrong? I started to tail my logfile, and the session#create action was working properly. It was redirecting to a protected page, signifying that the login was successful. However, there was a second redirect occurring immediately after, sending me back to the login page. Here’s a tail of the logfile:

Processing SessionsController#create (for 2008-07-11 16:09:32) [POST]
  Session ID: 8375beba8418d2f58363b1a05ea93c79
  Parameters: {"commit"=>"Log in", "action"=>"create", "controller"=>"sessions", "password"=>"", "login"=>""}
  User Load (0.000701)   SELECT * FROM `users` WHERE (`users`.`login` = '') LIMIT 1
Redirected to
Completed in 0.00163 (611 reqs/sec) | DB: 0.00070 (42%) | 302 Found []

Processing DashboardController#index (for at 2008-07-11 16:09:32) [GET]
  Session ID: 2a01076513064cce771c062a01da5e54
  Parameters: {"action"=>"index", "controller"=>"dashboard"}
Redirected to
Filter chain halted as [#<ActionController::Filters::ClassMethods::SymbolFilter:0x7f4f3ef7d458 @filter=:login_required>] rendered_or_redirected.
Completed in 0.00043 (2309 reqs/sec) | DB: 0.00000 (0%) | 302 Found []

Processing SessionsController#new (for at 2008-07-11 16:09:32) [GET]
  Session ID: c8c497cb737dbb7a5977b76ef2a38a04
  Parameters: {"action"=>"new", "controller"=>"sessions"}
Rendering template within layouts/login
Rendering sessions/new
Completed in 0.00108 (928 reqs/sec) | Rendering: 0.00099 (92%) | DB: 0.00000 (0%) | 200 OK []

The first thing that caught my eye was “Filter chain halted…”. The login_required before_filter (used by restful_authentication) was failing despite the fact that I was able to successfully authenticate in the previous POST to session#create. The next thing that caught my eye was the fact that each of the three requests above has a distinct session ID. This suggested to me that there was a problem with the session cookie being set. A little bit of head scratching and several Google searches later, I came upon…

The Real Problem: I was accessing the site through a domain name that contained an underscore (e.g. Why is this a problem? Well, Internet Explorer (and I suppose Safari) rejects cookies for domains that contain an underscore. Oddly enough, I found the solution on a Passenger Forum Post.

As soon as I changed the domain name through which I was accessing my staging server, the problem disappeared.
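
A pre-deploy check for this failure mode, as an added example that is not part of the original post: it tests each hostname against the letters, digits and hyphen rule quoted in the comments below. The RFC 1123 allowance for a leading digit and the DNS length limits (63 per label, 253 overall) are added here as assumptions, and the sample hostnames are constructed.

```ruby
# One DNS label: letters, digits and hyphens, alphanumeric first and last.
# Assumption: RFC 1123 form, so a leading digit is accepted.
LABEL = /\A[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\z/i

# Returns a list of problems for +host+; an empty list means the name is
# safe to serve cookie-based sessions from.
def hostname_problems(host)
  name = host.to_s.chomp(".") # tolerate a trailing root dot
  return ["empty hostname"] if name.empty?

  problems = []
  problems << "name longer than 253 characters" if name.length > 253
  name.split(".", -1).each do |label|
    if label.empty?
      problems << "empty label"
    elsif label.length > 63
      problems << "label '#{label[0, 16]}...' longer than 63 characters"
    elsif label.include?("_")
      # The case from this post: browsers may drop cookies for such hosts.
      problems << "label '#{label}' contains an underscore"
    elsif label !~ LABEL
      problems << "label '#{label}' is not letters/digits/hyphens " \
                  "with an alphanumeric first and last character"
    end
  end
  problems
end

# Constructed sample hosts (hypothetical names, not taken from the post).
SAMPLE_HOSTS = %w[
  staging-app.example.com
  staging_app.example.com
  -bad.example.com
  app..example.com
].freeze

# Maps every host to its list of problems.
def audit(hosts)
  hosts.each_with_object({}) { |h, out| out[h] = hostname_problems(h) }
end

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_HOSTS).each do |host, problems|
    status = problems.empty? ? "ok" : "REJECT: #{problems.join('; ')}"
    puts format("%-28s %s", host, status)
  end
end
```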

  • George Anderson

    I ran into the same issue. Frustrating, to say the least. After suitably cursing IE, I came to discover underscores are verboten in domain names.


    [Domain names (including subdomains)] must start with a letter, end with a letter or digit, and have as interior characters only letters, digits, and hyphen.

    Hyphens, yes. Underscores, no.

    After working with Ruby for a bit, you start to prefer the underscore to the hyphen. Unfortunately, that doesn’t work with domain names.

    Interestingly, using different forms on to attempt to register a domain name with an underscore, you either break the page, or get a useful error message: “Please use only letters, numbers or dashes [-]. Do not enter spaces, periods [.] or other punctuation.”

  • John Trupiano

    Thanks for the extra link George– When you think about it, this is all really my fault. A registrar wouldn’t sell me a domain name with an _. But there’s nothing stopping me from setting up DNS for a subdomain with one…

  • F

    I faced the same problem with IE. IE sometimes does not set the session cookie if its name has an underscore.
    In ActionController::Base.session in config/initializers/session_store.rb
    the key generated by rails was _projectname_session. Those underscores were the culprit. After removing them, IE set the session cookie.
    To help others who may face a similar situation, this problem manifested every few weeks, not all the time, and disappeared after a few hours. It seems for some people changing the expiration time of cookies fixed the problem, but for me deleting the underscores fixed it.

  • jim

    Thanks a ton, F. You surely saved my day. :) However, I am having an issue giving a timeout with the cookie store. Any workaround for that? Cheers


John Trupiano co-founded SmartLogic with Yair Flicker in May 2005 and was co-president through 2011. Check out his GitHub Projects or follow @jtrupiano on Twitter.

