Login Fails from IE to subdomains only!

We currently run identical code on three Rails environments:
staging.oururl.com, sandbox.oururl.com and www.oururl.com, and have the
f**ing craziest problem:

Users with IE, intermittently, cannot login to the Rails apps that have
subdomains! Users with FF have no problem and both browsers have no
problem with www.oururl.com.

We've gone so far as to switch the databases from sandbox.oururl.com
and www.oururl.com with the exact same results.

Our environment: Apache 2.2/mongrel 0.3.13.3/cluster 0.2 on Rimuhost
and control code posted below.

Any help or a push in the right direction appreciated.

Thanks, Brittain

Cross posted to mongrel list.

===

  def login
    #logger.debug("login(#{cookies[:remember_me]})")
    @remember_me = cookies[:remember_me]
    @email = (@remember_me ? cookies[:remembered_email] : nil)
    return unless request.post?

    self.current_user = User.authenticate(params[:email], params[:password])
    if current_user
      cookies[:remember_me] = {:value => params[:remember_me], :expires => Time.now + 60.days}
      cookies[:remembered_email] = {:value => (params[:remember_me] ? params[:email] : nil), :expires => Time.now + 60.days}

      flash[:notice] = "Logged in successfully"
      redirect_back_or_default(last_pin)
    else
      flash[:notice] = "Invalid e-mail or password information"
    end
  end

I have seen something similar that was a cookie problem.

I had an issue many years ago on a perl site. The site was available
as http://www.example.com, as well as http://example.com. Both urls
pointed to the same site. The site was to remember the session for up
to a certain number of days.

If someone logs in to example.com (no www), they get a cookie with the
session id and an expiration date:

Name session_id
Value 482226ec396b8463c65f76016f831360
Host example.com
Path /secure
Secure No
Expires Monday, November 27, 2006 1:52:25 PM

If they later come back and log in to www.example.com, they get not a
completely new cookie (what I expected), but what I would call a
combined cookie:

Name session_id
Value 482226ec396b8463c65f76016f831360
Host example.com
Path /secure
Secure No
Expires Monday, November 27, 2006 1:52:25 PM

Name session_id
Value 434f23dcdb8e133925743550bd8353c2
Host www.example.com
Path /secure
Secure No
Expires Monday, November 27, 2006 1:53:14 PM

Note that there are two session_ids, only separated by a different
Host. Which one will be returned to your code? I don't know what
rails does, but I guess it would be a failure in some cases.

I could not find the rhyme or reason why this would be the case, but
the phone calls came when one of the session keys expired, and the perl
script was trying to activate the session.

My solution was to expire all the sessions, and then use an absolute
URL to the login page as http://example.com/secure/login.pl, which
would be problematic for you.

I suggest you dump the cookie from the disk of one of the failures.
I suspect you will find that it is caused by folks trying to log in to
a different subdomain than where they previously were.

Sorry, I don't have a solution to the problem. I more or less just
worked around it for my case.

HTH

Regards,
Rich
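
Added example, not part of the thread and not anyone's production code: a small Ruby model of the cookie jar Rich describes, showing which `session_id` values reach www.example.com under strict host-only matching versus the looser treatment RFC 6265 notes in some user agents (a cookie set without a Domain attribute is handled as if Domain were the setting host). The `Cookie` struct, the helper names and the "first value wins" server are assumptions made for illustration; the cookie values are the ones quoted above.

```ruby
# Constructed model of a browser cookie jar; all names here are hypothetical.
Cookie = Struct.new(:name, :value, :host, :host_only, :path)

# RFC 6265 domain-match: same host, or request host is a subdomain of the cookie host.
def domain_match?(request_host, cookie_host)
  request_host == cookie_host || request_host.end_with?(".#{cookie_host}")
end

# RFC 6265 path-match (simplified): cookie path must be a directory prefix of the request path.
def path_match?(request_path, cookie_path)
  request_path == cookie_path ||
    (request_path.start_with?(cookie_path) &&
      (cookie_path.end_with?("/") || request_path[cookie_path.length] == "/"))
end

# Cookies attached to a request. With strict_host_only: false, a cookie set
# without a Domain attribute is also sent to subdomains of the setting host.
def cookies_for(jar, host, path, strict_host_only: true)
  jar.select do |c|
    host_ok = if c.host_only && strict_host_only
                host == c.host
              else
                domain_match?(host, c.host)
              end
    host_ok && path_match?(path, c.path)
  end
end

# Build the Cookie request header in jar order (same path, so oldest first).
def cookie_header(cookies)
  cookies.map { |c| "#{c.name}=#{c.value}" }.join("; ")
end

# Assumed server behaviour: keep the first value seen for a given name.
def first_value(header, name)
  header.split("; ").map { |pair| pair.split("=", 2) }.find { |k, _| k == name }&.last
end

# The two cookies from the dump above, both set without a Domain attribute.
JAR = [
  Cookie.new("session_id", "482226ec396b8463c65f76016f831360", "example.com", true, "/secure"),
  Cookie.new("session_id", "434f23dcdb8e133925743550bd8353c2", "www.example.com", true, "/secure")
]

strict = cookie_header(cookies_for(JAR, "www.example.com", "/secure/login.pl"))
loose  = cookie_header(cookies_for(JAR, "www.example.com", "/secure/login.pl", strict_host_only: false))
puts "strict: #{strict}"
puts "loose:  #{loose}"
puts "server sees: #{first_value(loose, 'session_id')}"
```

In the loose case the request carries two `session_id` pairs and this assumed server resolves the older example.com session, so a fresh login on the subdomain appears not to stick. Giving each environment's session cookie its own name removes the collision.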