This blog post shows up in Google when searching for this problem, and is a better explanation than I can give here: http://cephas.net/blog/2008/11/18/tomcat-6018-version-1-cookies-acegi-remember-me-and-ie/

To summarize, in 6.0.18, the way Tomcat writes persistent cookie headers was changed from:

    Set-Cookie: yankeessuck=YWFyb246MTIyODI0ODEwMjk5NjoyOGM5ODc4YzExOGZiOGZjZTBkZDE0ZTA1ZWRhZTM3Nw==; Expires=Thu, 19-Nov-2009 02:29:29 GMT;

to:

    Set-Cookie: yankeessuck="YWFyb246MTIyODI0ODEwMjk5NjoyOGM5ODc4YzExOGZiOGZjZTBkZDE0ZTA1ZWRhZTM3Nw=="; Version=1; Max-Age=31536000;

The value was enclosed in quotes, a "Version=1" parameter was added, and the Expires parameter was replaced with a Max-Age parameter. Though cookies are written correctly to specification, Internet Explorer (6 and 7) and Safari do not support the Max-Age parameter. As a result, an application writing persistent cookies in this version of Tomcat won't work for Internet Explorer or Safari.
Created attachment 23027 [details] Simple JSP that reproduces the behavior.
Created attachment 23028 [details] Patch to always include Expires parameter regardless of version

This patch adds the Expires cookie parameter in addition to the Max-Age parameter. Though not technically to the cookies spec, it works. Tested in Google Chrome, Firefox 3.0 and IE7.
For completeness, the cookie parsing changes were required to correct various security vulnerabilities. I really don't like the idea of adding workarounds to Tomcat for bugs in other software, but I don't see a choice here. I have applied a variation of your patch to trunk and proposed it for 6.0.x. The variation is making the addition of the expires header optional. There are occasional ASF/MS get-togethers where issues like this can be raised (and hopefully fixed). I have a list of things to raise at the next one and I've added this to it. As far as I am aware there are no dates set for the next get-together, so don't expect an IE fix any time soon.
This has been fixed in 6.0.x and will be included in 6.0.19 onwards.
The problem is also with Firefox 3.6.3 and Tomcat 6.0.26. When reading a cookie via the Firefox API:

    // Cc and Ci are the usual shortcuts for Components.classes and
    // Components.interfaces in privileged (chrome) Firefox code.
    function getCookie(name, host) {
        var cookieManager = Cc["@mozilla.org/cookiemanager;1"].getService(Ci.nsICookieManager);
        var iter = cookieManager.enumerator, { nsICookie } = Ci;
        // Walk every stored cookie and return the first name/host match.
        while (iter.hasMoreElements()) {
            var cookie = iter.getNext();
            if (cookie instanceof nsICookie && cookie.name == name && cookie.host == host) {
                return cookie.value;
            }
        }
        return null;
    }

It reads quoted values with quotes around them - which is obviously wrong. It seems that only Tomcat respects the RFC :(.
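An added example, not Tomcat's code and not part of any comment in this thread: a sketch of the two compatibility measures discussed above, namely emitting an Expires date derived from Max-Age on a Version=1 cookie, and stripping the quoted-string wrapper when a client API hands back the raw value. The function names, the `alwaysAddExpires` parameter and the sample cookie are hypothetical and constructed for illustration.

```javascript
// Added example: names and defaults here are illustrative, not Tomcat's API.
const DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"];
const MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
                "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"];
const pad = (n) => String(n).padStart(2, "0");

// Legacy date form shown in the thread: "Thu, 19-Nov-2009 02:29:29 GMT".
function netscapeDate(date) {
  return `${DAYS[date.getUTCDay()]}, ${pad(date.getUTCDate())}-` +
    `${MONTHS[date.getUTCMonth()]}-${date.getUTCFullYear()} ` +
    `${pad(date.getUTCHours())}:${pad(date.getUTCMinutes())}:` +
    `${pad(date.getUTCSeconds())} GMT`;
}

// Build a Version=1 header with Max-Age and, optionally, an Expires value
// computed from the same lifetime, so clients that ignore Max-Age still
// treat the cookie as persistent.
function buildSetCookie(name, value, maxAgeSeconds, now, alwaysAddExpires = true) {
  // Escape quote and backslash so the value is a valid quoted-string.
  const quoted = `"${value.replace(/(["\\])/g, "\\$1")}"`;
  const parts = [`${name}=${quoted}`, "Version=1", `Max-Age=${maxAgeSeconds}`];
  if (alwaysAddExpires) {
    // Max-Age=0 means "delete now": pair it with a date safely in the past.
    const expires = maxAgeSeconds === 0
      ? new Date(10000)
      : new Date(now.getTime() + maxAgeSeconds * 1000);
    parts.push(`Expires=${netscapeDate(expires)}`);
  }
  return parts.join("; ");
}

// Reader side: undo the quoted-string wrapping if the API returned it raw.
function unquoteCookieValue(raw) {
  if (raw.length >= 2 && raw.startsWith('"') && raw.endsWith('"')) {
    return raw.slice(1, -1).replace(/\\(.)/g, "$1");
  }
  return raw;
}
```
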