ColdFusion 10 CFCookie does not honor domain attribute

I have Application.cfc with the following settings:

    <cfset THIS.Name = "Test01" />
    <cfset THIS.ApplicationTimeout = CreateTimeSpan(1,0,0,0) />
    <cfset THIS.sessionTimeout = CreateTimeSpan(1,0,0,0) />
    <cfset THIS.clientManagement = false />
    <cfset THIS.SessionManagement = true />
    <cfset THIS.SetClientCookies = false />
    <cfset THIS.setDomainCookies = false />

And I tried to send the following cookies:

    <cfcookie name="CFID" value="#session.CFID#" domain=".test01.domain.net" path="/" expires="never">
    <cfcookie name="CFTOKEN" value="#session.CFTOKEN#" domain=".test01.domain.net" path="/" expires="never">

However, what is sent to the browser:

    Set-Cookie: CFID=6389; Domain=.domain.net; Expires=Fri, 12-Jun-2043 22:14:17 GMT; Path=/; HttpOnly
    Set-Cookie: CFTOKEN=783fa62afecfd571%2DB1069303%2D3048%2D3344%2DAA97ADAF73598FA6; Domain=.domain.net; Expires=Fri, 12-Jun-2043 22:14:17 GMT; Path=/; HttpOnly

No matter what values I put in the domain or path, it always sends the same headers. If I try to use cfheader, it just does not send anything. The only time I can get it to send cookie headers without a domain value is when I set SetClientCookies to true:

    Set-Cookie: CFID=6391; Expires=Fri, 12-Jun-2043 22:21:38 GMT; Path=/; HttpOnly

However, I can then no longer get rid of the cookies with StructDelete and a CFCookie with an expires attribute (in fact, it creates a second set of cookies).

My main goal is simply to send the CFID and CFTOKEN cookies without a domain (or at least without a leading period, for example test01.domain.net).

+4
3 answers

Thanks to Henry, I looked again at using cfheader, carefully examining the headers sent by CF10 when using <cfset this.SetClientCookies = true>. CF10 omitted the domain value in the header sent to the browser, so I copied the CF10 header and put it in cfheader:

    <cfheader name="Set-Cookie" value="CFID=#session.CFID#; Expires=#GetHttpTimeString(DateAdd("yyyy", 40, Now()))#; Path=/">
    <cfheader name="Set-Cookie" value="CFToken=#session.CFToken#; Expires=#GetHttpTimeString(DateAdd("yyyy", 40, Now()))#; Path=/">

Lo and behold, the browser now received a cookie without a domain value with a leading period. I also deleted these cookies with the following code:

    <cfheader name="Set-Cookie" value="CFID=#session.CFID#; Expires=#GetHttpTimeString(Now()-1)#; Path=/">
    <cfheader name="Set-Cookie" value="CFToken=#session.CFToken#; Expires=#GetHttpTimeString(Now()-1)#; Path=/">
    <cfset StructClear(session)>
    <cflocation url="/" addtoken="no">

The only quirk seems to be that when testing this block of code using a URL variable in Chrome, Chrome sent an HTTP request as soon as I typed ?ResetSen in the address bar, causing a second request when I hit enter. This leads to strange things such as a skipped CFID (7249 → 7251) or both sets of cookies being sent (expires: indefinite and expires: now).

Never mind, the real problem was the expiration time (two requests in the same second); I changed this part to #GetHttpTimeString(Now()-1)#, which is one day in the past, and it seems to be holding up.

Originally it was:

    <cfheader name="Set-Cookie" value="CFID=#session.CFID#; Domain=test01.domain.net;Expires=Sat, 04-Jul-2043 13:24:38 GMT; Path=/">
    <cfheader name="Set-Cookie" value="CFToken=#session.CFToken#; Expires=Sat, 04-Jul-2043 13:24:38 GMT; Path=/">

Sent:

    Set-Cookie: CFID=7191; Domain=test01.domain.net; Expires=Sat, 04-Jul-2043 13:24:38 GMT; Path=/
    Set-Cookie: CFToken=33b984d7a56f6356-0B97F3CF-3048-3344-AABF2B698F4B8B02; Domain=test01.domain.net; Expires=Sat, 04-Jul-2043 13:24:38 GMT; Path=/

The browser receives these as .test01.domain.net, which is what I wanted to avoid.

+2
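A defender's check on what the two approaches above actually put on the wire. The following Python is an added example, not code from the question or the answers and not a ColdFusion API: it parses raw Set-Cookie header values, classifies the Domain attribute against the host the application meant to scope the cookie to (under RFC 6265 a leading dot is ignored, Domain=d covers d and every subdomain of d, and a cookie with no Domain attribute is host-only), reports missing HttpOnly/Secure flags, and detects an Expires in the past, which is how the cfheader answer deletes a cookie. The sample header values are constructed from the ones quoted on this page; test01.domain.net is the page's placeholder host.

```python
"""Scope and flag checks for raw Set-Cookie headers (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional, Tuple


@dataclass
class Cookie:
    """The parts of one Set-Cookie header that matter for scoping."""
    name: str
    value: str
    domain: Optional[str] = None      # None means a host-only cookie
    path: Optional[str] = None
    expires: Optional[datetime] = None
    httponly: bool = False
    secure: bool = False


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value (the text after 'Set-Cookie:')."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain":
            cookie.domain = val.lower()
        elif key == "path":
            cookie.path = val
        elif key == "expires":
            try:
                exp = parsedate_to_datetime(val)   # accepts "Fri, 12-Jun-2043 22:14:17 GMT"
            except (TypeError, ValueError):
                exp = None                         # unparseable date: treat as session cookie
            if exp is not None and exp.tzinfo is None:
                exp = exp.replace(tzinfo=timezone.utc)
            cookie.expires = exp
        elif key == "httponly":
            cookie.httponly = True
        elif key == "secure":
            cookie.secure = True
    return cookie


def domain_scope(sent: Optional[str], intended_host: str) -> str:
    """Classify the sent Domain attribute against the host the app meant.

    RFC 6265 semantics: a leading dot in Domain is ignored; Domain=d makes the
    browser send the cookie to d and every subdomain of d; no Domain attribute
    makes a host-only cookie, sent back only to the exact host that set it.
    """
    host = intended_host.lower().lstrip(".")
    if sent is None:
        return "host-only"
    sent = sent.lstrip(".")
    if sent == host:
        return "intended host and its subdomains"
    if host.endswith("." + sent):
        return "BROADER than intended (parent domain %s)" % sent
    return "unrelated domain"


def audit(headers: List[str], intended_host: str) -> List[Tuple[str, str, List[str]]]:
    """Return (cookie name, domain scope, missing protective flags) per header."""
    findings = []
    for header in headers:
        c = parse_set_cookie(header)
        missing = [flag for flag, present in (("HttpOnly", c.httponly), ("Secure", c.secure))
                   if not present]
        findings.append((c.name, domain_scope(c.domain, intended_host), missing))
    return findings


def is_deletion(header: str) -> bool:
    """True when the header's Expires lies in the past, i.e. it deletes the cookie."""
    c = parse_set_cookie(header)
    return c.expires is not None and c.expires < datetime.now(timezone.utc)


# Constructed sample headers, copied from the values quoted on this page.
# What CF10's <cfcookie> actually emitted for the question's Application.cfc:
CF10_CFCOOKIE = [
    "CFID=6389; Domain=.domain.net; Expires=Fri, 12-Jun-2043 22:14:17 GMT; Path=/; HttpOnly",
    "CFTOKEN=783fa62afecfd571%2DB1069303%2D3048%2D3344%2DAA97ADAF73598FA6; "
    "Domain=.domain.net; Expires=Fri, 12-Jun-2043 22:14:17 GMT; Path=/; HttpOnly",
]
# What the <cfheader> workaround in the first answer emits (no Domain, but no HttpOnly either):
CFHEADER_WORKAROUND = [
    "CFID=7191; Expires=Sat, 04-Jul-2043 13:24:38 GMT; Path=/",
    "CFToken=33b984d7a56f6356-0B97F3CF-3048-3344-AABF2B698F4B8B02; "
    "Expires=Sat, 04-Jul-2043 13:24:38 GMT; Path=/",
]

if __name__ == "__main__":
    for label, headers in (("cfcookie", CF10_CFCOOKIE), ("cfheader", CFHEADER_WORKAROUND)):
        for name, scope, missing in audit(headers, "test01.domain.net"):
            print(f"{label}: {name}: scope={scope}; missing flags={missing or 'none'}")
```

Run against the page's headers, the check shows the two sides of the trade-off: the cfcookie output scopes CFID/CFTOKEN to .domain.net, so every subdomain of domain.net receives the session identifiers, while the raw cfheader workaround gets the host-only scope the asker wanted but silently drops the HttpOnly flag that CF10 was adding. A hand-written Set-Cookie header should therefore end with "; HttpOnly" (and "; Secure" when the site is served over HTTPS), and a deletion header must carry an Expires clearly in the past, which is what the answer's Now()-1 achieves.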

Yes, it seems that <cfcookie> does too much, removing any domain value before .domain.tld. See: Why does cfcookie not allow setting domain= per subdomain for CFID/CFTOKEN?

I'm not sure why, but the workaround is to use <cfheader>.

+1

To change session cookies in your code, you must add the following to your Application.cfc pseudo-constructor:

    <cfset this.sessioncookie.disableupdate = false>

This can also be controlled at the server level in the "Memory Settings" section of the CF administrator.

-1

Source: https://habr.com/ru/post/1487165/
