Many websites offer a “Log in” capability where they don’t manage the user’s account; instead, they offer visitors the ability to “Login with <identity provider>.” When the user clicks the Login button on the original relying party (RP) website, they are navigated to a login page at the identity provider (IP) (e.g. login.microsoft.com) and then redirectedContinue reading “Challenges with Federated Identity in modern browsers”
Tag Archives: cookies
Surprise: Undead Session Cookies
I’ve been working on browsers professionally for 12 of the last 15 years, and in related areas for 20 of the last 20, and over the years I’ve discovered enough surprises in browser behavior that they’re no longer very surprising. Back in April, I wrote up a quick post explaining how easy it is toContinue reading “Surprise: Undead Session Cookies”
Edge79+ vs. Edge18 (Edge Legacy) vs. Chrome vs. Internet Explorer
Note: I expect to update this post over time. Last update: Sept 29, 2025. Compatibility Deltas As our new Edge Insider builds roll out to the public, we’re starting to triage reports of compatibility issues where Edge79+ (the new Chromium-based Edge, aka Anaheim) behaves differently than the old Edge (Edge18, aka Spartan, aka Edge Legacy)Continue reading “Edge79+ vs. Edge18 (Edge Legacy) vs. Chrome vs. Internet Explorer”
Delete Cookies for a Single Site
Resolve Network Errors by deleting cookies for a single website.
Private Browsing Mode
Note: This blog post was originally written before the new Chromium-based Microsoft Edge was announced. As a consequence, it includes discussion of the behavior of the Legacy Microsoft Edge browser. The new Chromium-based Edge behaves largely the same way as Google Chrome. Last Update: 13 June 2025 InPrivate Mode was introduced in Internet Explorer 8Continue reading “Private Browsing Mode”
Cookie Limits
I’ve been writing about Cookies a lot recently, and also did so almost a decade ago. Edge/IE cookie limits The June 1018 Cumulative Updates increased the per-domain cookie limit from 50 to 180 for IE and Edge Legacy across Windows 7, Windows 8.1, and Windows 10 (TH1 to RS2). This higher limit matches Chrome’s cookie jar. InContinue reading “Cookie Limits”
Cookie Controls, Revisited
Update: The October 2018 Cumulative Security Update (KB4462919) brings the RS5 Cookie Control changes described below to Windows 10 RS2, RS3, and RS4. Note: Most of the content about “Edge” in this post describes Edge Legacy– modern Edge is based on Chromium and behaves mostly like Chrome. See more discussion of 3P cookies in 2022’s NewContinue reading “Cookie Controls, Revisited”
Cookies and Concurrency, Redux
Note: This post concerns Edge Legacy (aka Spartan) and does not apply to the modern Chromium-based Edge. In yesterday’s episode, I shared the root cause of a bug that can cause document.cookie to incorrectly return an empty string if the cookie is over 1kb and the cookie grows in the middle of a DOM document.cookieContinue reading “Cookies and Concurrency, Redux”
ERROR_INSUFFICIENT_BUFFER and Concurrency
Many classic Windows APIs accept a pointer to a byte buffer and a pointer to an integer indicating the size of the buffer. If the buffer is large enough to hold the data returned from the API, the buffer is filled and the API returns S_OK. If the buffer supplied is not large enough toContinue reading “ERROR_INSUFFICIENT_BUFFER and Concurrency”
Duct Tape and Baling Wire–Cookie Prefixes
Update: Cookie Prefixes are supported by Chrome 49, Opera 36, and Firefox 50. Test page; no status from the Edge team. A new cookie feature called SameSite Cookies has been shipped by Chrome, Firefox and Edge; it addresses slightly different threats. When I worked on Internet Explorer, we were severely constrained on development resources. WhileContinue reading “Duct Tape and Baling Wire–Cookie Prefixes”
text/plain 