diff --git a/lib/wsapi.js b/lib/wsapi.js
index 14e6ec1ea2f8d6211ef165cf55718c8d1c75395c..4bc001d41cbe85de69c2afa5c28f85ed63f9d5aa 100644
--- a/lib/wsapi.js
+++ b/lib/wsapi.js
@@ -38,7 +38,18 @@ var abide = i18n.abide({
 });
 
 const COOKIE_SECRET = secrets.hydrateSecret('browserid_cookie', config.get('var_path'));
-const COOKIE_KEY = 'browserid_state';
+var COOKIE_KEY = 'browserid_state';
+
+// to support testing of browserid, we'll add a hash fragment to the cookie name for
+// sites other than browserid.org.  This is to address a bug in IE, see issue #296
+if (config.get('public_url').indexOf('https://browserid.org') !== 0) {
+  const crypto = require('crypto');
+  var hash = crypto.createHash('md5');
+  hash.update(config.get('public_url'));
+  COOKIE_KEY += "_" + hash.digest('hex').slice(0, 6);
+}
+
+logger.info('session cookie name is: ' + COOKIE_KEY);
 
 function clearAuthenticatedUser(session) {
   session.reset(['csrf']);
diff --git a/tests/cookie-session-security-test.js b/tests/cookie-session-security-test.js
index 9ca0f4d109ba31bce04acffe5187d061b234fc60..dd3466090546e782684210debf352d2e15e024e4 100755
--- a/tests/cookie-session-security-test.js
+++ b/tests/cookie-session-security-test.js
@@ -52,7 +52,7 @@ suite.addBatch({
           wsapi.clearCookies();
 
           // mess up the cookie
-          var the_match = first_cookie.match(/browserid_state=([^;]*);/);
+          var the_match = first_cookie.match(/browserid_state(?:_[a-z0-9]+)?=([^;]*);/);
           assert.isNotNull(the_match);
           var new_cookie_val = the_match[1].substring(0, the_match[1].length - 1);
           wsapi.injectCookies({browserid_state: new_cookie_val});