
I have an Application.cfc with the following settings:

<cfset THIS.Name = "Test01" />
<cfset THIS.ApplicationTimeout = CreateTimeSpan(1,0,0,0) />
<cfset THIS.sessionTimeout = CreateTimeSpan(1,0,0,0) />
<cfset THIS.clientManagement = false />
<cfset THIS.SessionManagement = true />
<cfset THIS.SetClientCookies = false />
<cfset THIS.setDomainCookies = false />

And I attempted to send the following cookies:

<cfcookie name="CFID" value="#session.CFID#" domain=".test01.domain.net" path="/" expires="never">
<cfcookie name="CFTOKEN" value="#session.CFTOKEN#" domain=".test01.domain.net" path="/" expires="never">

However, what gets sent to the browser is:

Set-Cookie: CFID=6389; Domain=.domain.net; Expires=Fri, 12-Jun-2043 22:14:17 GMT; Path=/; HttpOnly:
Set-Cookie: CFTOKEN=783fa62afecfd571%2DB1069303%2D3048%2D3344%2DAA97ADAF73598FA6; Domain=.domain.net; Expires=Fri, 12-Jun-2043 22:14:17 GMT; Path=/; HttpOnly

No matter what values I put in domain or path, it always sends those same headers. If I try to use cfheader it simply sends nothing. The only time I can get it to send cookie headers without a domain value is by setting SetClientCookies to true:

Set-Cookie: CFID=6391; Expires=Fri, 12-Jun-2043 22:21:38 GMT; Path=/; HttpOnly

However, I can no longer get rid of the cookies by using StructDelete nor CFCookie with the attribute expires="now" (in fact it creates a second set of cookies).

My main goal is to simply send CFID and CFTOKEN cookies without a domain (or at the very least without a leading period, e.g. test01.domain.net).

Henry
Alex
  • Have you seen this article on [setting up HTTPOnly cookies](http://www.petefreitag.com/item/764.cfm)? On CF10, it's a matter of setting `this.sessioncookie.httponly = true` in Application.cfc. – imthepitts Jun 20 '13 at 19:04
  • Setting `this.sessioncookie.httponly = true` and `THIS.SetClientCookies = false`, CF still ignores any cfcookie attributes when the name attribute is either `CFID` or `CFTOKEN`. The server originally had HTTPOnly set to true in the CFAdmin. – Alex Jun 21 '13 at 14:34
  • see: http://stackoverflow.com/questions/17583768/why-doesnt-cfcookie-allow-setting-domain-to-a-subdomain – Henry Jul 11 '13 at 02:06

3 Answers

Thanks to Henry I took a look at using cfheaders again by having a closer look at the headers sent by CF10 when using <cfset this.SetClientCookies = true>. CF10 omitted the domain value in the header sent to the browser so I copied the header CF10 sent and put it in a cfheader:

<cfheader name="Set-Cookie"  value="CFID=#session.CFID#; Expires=#GetHttpTimeString(DateAdd("yyyy", 40, Now()))#; Path=/">
<cfheader name="Set-Cookie"  value="CFToken=#session.CFToken#; Expires=#GetHttpTimeString(DateAdd("yyyy", 40, Now()))#; Path=/">

Lo and behold, the browser received the cookie without the domain value having a leading period. I also managed to expire those cookies with the following code:

<cfheader name="Set-Cookie"  value="CFID=#session.CFID#; Expires=#GetHttpTimeString(Now()-1)#; Path=/">
<cfheader name="Set-Cookie"  value="CFToken=#session.CFToken#; Expires=#GetHttpTimeString(Now()-1)#; Path=/">
<cfset StructClear(session)>
<cflocation url="/" addtoken="no">

The only quirk, it seems, is that while testing out that block of code using a URL variable in Chrome, Chrome would send out an HTTP request when I simply typed ?ResetSen in the address bar, causing a second request when I hit enter. This would lead to oddities such as skipping a CFID (7249 -> 7251) or just sending out both sets of cookies (expires: indefinite and expires: now).

Never mind, the real issue seems to be the expiry time not elapsing (two requests in the same second). I changed that portion to #GetHttpTimeString(Now()-1)#, which is one day in the past, and that seems to be holding up.

Originally this:

<cfheader name="Set-Cookie"  value="CFID=#session.CFID#; Domain=test01.domain.net;Expires=Sat, 04-Jul-2043 13:24:38 GMT; Path=/">
<cfheader name="Set-Cookie"  value="CFToken=#session.CFToken#; Expires=Sat, 04-Jul-2043 13:24:38 GMT; Path=/">

Sent this:

Set-Cookie: CFID=7191; Domain=test01.domain.net; Expires=Sat, 04-Jul-2043 13:24:38 GMT; Path=/
Set-Cookie: CFToken=33b984d7a56f6356-0B97F3CF-3048-3344-AABF2B698F4B8B02; Domain=test01.domain.net; Expires=Sat, 04-Jul-2043 13:24:38 GMT; Path=/

Which the browser receives as .test01.domain.net, which is what I wanted to avoid.

Alex
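As an added check (not code from the post), the following Python parses the Set-Cookie lines quoted in this thread and reports how a browser will scope each cookie: host-only versus a Domain attribute (with or without the leading dot), whether HttpOnly and Secure are present, and whether the Expires value the answer relies on is already in the past. The sample headers are copied from the post.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Set-Cookie lines as quoted in the post (constructed sample input, values copied from it).
SAMPLE_HEADERS = [
    "Set-Cookie: CFID=6389; Domain=.domain.net; Expires=Fri, 12-Jun-2043 22:14:17 GMT; Path=/; HttpOnly",
    "Set-Cookie: CFID=6391; Expires=Fri, 12-Jun-2043 22:21:38 GMT; Path=/; HttpOnly",
    "Set-Cookie: CFID=7191; Domain=test01.domain.net; Expires=Sat, 04-Jul-2043 13:24:38 GMT; Path=/",
]

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes dict, flag set)."""
    line = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in line.split(";")]
    name, _, value = parts[0].partition("=")
    attrs, flags = {}, set()
    for part in parts[1:]:
        if "=" in part:                      # Domain=..., Expires=..., Path=...
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        elif part:                           # HttpOnly, Secure
            flags.add(part.lower())
    return name.strip(), value, attrs, flags

def assess(header):
    """Report scope and flags of a cookie the way a browser applies them (RFC 6265)."""
    name, _, attrs, flags = parse_set_cookie(header)
    domain = attrs.get("domain")
    # A leading dot in Domain is ignored, so Domain=test01.domain.net and
    # Domain=.test01.domain.net behave the same; only omitting Domain gives host-only.
    scope = "host-only" if domain is None else "domain:" + domain.lstrip(".").lower()
    expired = False
    if "expires" in attrs:
        when = parsedate_to_datetime(attrs["expires"])
        if when.tzinfo is None:              # treat a bare timestamp as GMT
            when = when.replace(tzinfo=timezone.utc)
        expired = when <= datetime.now(timezone.utc)
    return {"name": name, "scope": scope, "expired": expired,
            "httponly": "httponly" in flags, "secure": "secure" in flags}

def issues(header):
    """Findings to raise for a CFID/CFTOKEN header before accepting the fix."""
    r = assess(header)
    found = []
    if r["scope"] != "host-only":
        found.append("shared with every host under " + r["scope"][len("domain:"):])
    found += ["missing " + f for f in ("httponly", "secure") if not r[f]]
    return found
```

Running issues() over the three samples shows the trade-off in the accepted workaround: the cfheader version is host-only but drops the HttpOnly flag that ColdFusion added on its own.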

Yes, this does seem like <cfcookie> is doing too much by stripping any domain value to .domain.tld. See: why doesn't cfcookie allow setting domain= to a subdomain for CFID/CFTOKEN?

I'm not sure why, but the workaround would be using <cfheader>.

Henry

In order to modify session cookies in your code you should add the following in your Application.cfc pseudo-constructor:

<cfset this.sessioncookie.disableupdate = false>

This can also be controlled at the server level under the 'Memory variables' section in the CF administrator.

Michael
  • No dice, CF10 hijacks the command and sends the same old cookie header. I've relented and decided to look at my initial problem the other way (at the session instead of the cookies) and simply destroy the session (`StructClear(session)`) and let CF10 assign the CFID/CFTOKEN to the newly created session scope. – Alex Jul 08 '13 at 19:27