Cookie is not sent with JSONP request in IE

I have JavaScript hosted in domain A that makes JSONP requests to a service in domain B. Request B / Auth sets a cookie containing an authentication token. Subsequent requests to other services in domain B should also contain this cookie.

In Chrome, this mechanism works fine; a cookie is set, sent and data returned. In IE10, the Set-Cookie header is returned with a response from B / Auth, but is not included in subsequent requests.

Set-Cookie MINT_SESSIONTOKEN=MyDST={TOKEN}; expires=Thu, 10-Oct-2013 11:57:45 GMT; path=/; HttpOnly 

After some trying and experimenting, I found that if I set the privacy settings of IE ("Internet Options" > "Privacy") to "Low" or "Accept all cookies", the cookie is sent with subsequent requests to domain B. Any setting above "Low" prevents the cookie from being sent.

While this solves the problem for me, it does not solve the problem for users who would need to reconfigure their privacy settings to receive data.

I'm a little confused as to what exactly is going on under the hood. I think that IE sees the cookie as a third party and does not allow it to be set (despite the fact that the cookie is set and sent to domain B), so it is not indicated in subsequent requests.

Is there something I can do to prevent IE from blocking cookies without having to change the privacy settings of my browser?


Source: https://habr.com/ru/post/955659/

