I spent an entire day last week trying to figure out why one of our staging sites wasn't working properly in IE6, and the same chunk of code at a different URL was working just fine. The problem ended up being that IE was blocking cookies from the affected domain. There are two reasons this might happen, and we were hit by both.
If your site is setting cookies from
http://yourstuff.com, but is being
iframed (or similar) from
http://theirstuff.com, Internet Explorer
will, by default, reject any cookies and display a privacy
notificaiton. This is because the domain of the cookie doesn't match
the domain the user is actually visiting.
It turns out that IE will accept third-party cookies that come with a proper P3P privacy header that fits with the user's security settings.
(An interesting side note: Safari comes with two settings for third-party cookeis: Always or Never, regardless of P3P headers.)
What ended up being our major issue was an underscore in our staging
site_one.yourstuff.com is, according to the URI
RFC, invalid. Internet Explorer
will do everything else with it, but the cookie handling module
apparently checks the domain field very strictly, and refuses to set
the cookie. Worse, it does so without ever telling the user, and the
only solution is to switch to a subdomain that doesn't contain invalid