jump to article
...intermittent thoughts

don’t use underscores in hostnames...

Yesterday and today a very strange behavior of Internet Explorer occupied me and my colleagues. There was a server migrated into a new Active Directory Domain and though its hostname appeared to be differently reachable. That new hostname was something like
subdomain._server.masterdomain._organization.mydomain.tld
and the server was reachable very easily. Unfortunately Internet Explodrer was unable to perform a session based login to that server and all attempts to store a cookie on a page opened from that server failed silently. Tracking this issue down with Firefox was impossible, since Firefox was not only able to store the cookie but also to login to the Domino Server. So we ended up on a trial and error seek to find out more. At the end, we tried to create a cookie via JavaScript, avoiding any further server traffic. That way we were able to exclude Domino from being the bad guy. And in fact - the cookie was simply not set and IE did show up the notification, Cookies were not allowed for that particular site - which was simply untrue, since IE was configured to act as insecure as possible and to trust absolutely anything for that moment. No way - the cookie was not accepted.
We then changed the machines host file to reach that server by the same name but without the underscores:
subdomain.server.masterdomain.organization.mydomain.tld
It worked out immediately!

It looks a bit like this naming is not compliant to several RFCs. IE's cookie subsystem seems to be quite picky about that. A quick look though RFC-921 (hey, very old but good in that case) says, a name (read, the part between two periods) must not start with anything else than a letter. That rule is hurt here for sure by the underscores. While RFC-1123 allows a more relaxed naming but still does not allow underscores at the beginning, it also refers to RFC-952, which mentions name parts of a host name have to start with a letter. So it looks like IE is not really the bad guy - the real problem is "just" the naming of the host. This is especially hard, since the browser itself resolves that name by using DNS, so contacting that host and retrieving data in general works - but the cookie subsystem works different, which is quite intransparent to the user as well as the admin as well as the developer.

Well long text and confusing links - this all has lead to one single conclusion to me:
Lesson learned:
Do not use underscores in hostnames - ever!
  1. 1) David Killingsworth said: (11.02.2009 3:42:58 GMT)
    don’t use underscores in hostnames...

    You cannot use underscores if you have a SSL certificate either.

    So if you want to match your hostname with your HTTPS server, you'll need to make sure that you're hostname does not have underscores.

    Of course, the same applies to virtual HTTPS servers.


Add Comment
 
Subject:
   
Name:
E-mail:
Web Site:
 
Comment:  (No HTML - Links will be converted if prefixed http://)
 
Remember Me?