How to overwrite CFID/CFTOKEN in ColdFusion 10?

Question

In order to logout an user, I always used the following lines:

<cfset structClear(SESSION)>
<cfcookie name="CFID" value="" expires="NOW">
<cfcookie name="CFTOKEN" value="" expires="NOW">

It clears the data kept in the session on runtime and resets/renews CFID and CFTOKEN. It does still work on our old server (ColdFusion 8), but it does no longer work on our new server (ColdFusion 10). The reason this attempt fails in ColdFusion 10 is rather simple: Whenever I try to overwrite CFID or CFTOKEN (with <cfcookie>), the cookie is placed on the top domain, e.g.:

Cookie set via <cfcookie> on ColdFusion 10:
domain: .myserver.com

while ColdFusion places its session cookies on the actual (sub)domain:

Generated CFID/CFTOKEN by ColdFusion 10:
domain: mywebsite.myserver.com

The funny thing is: If I set something like:

<cfcookie name="TEST" value="..." expires="NEVER">

the cookie is correctly set with:

domain: mywebsite.myserver.com

And I can easily clear the cookie using:

<cfcookie name="TEST" value="" expires="NOW">

I tried to use the domain property, but this:

<cfcookie name="CFID" value="" domain="mywebsite.myserver.com" expires="NOW">

always ends up as:

domain: .mywebsite.myserver.com

(notice the dot in front) and thus is not recognized as the same cookie.

Another strange thing is, that using:

<cfcookie name="CFID" value="" expires="NOW">

will not just generate a cookie with the wrong domain, but is kept instead of deleted as expired.

I checked the server settings for cookies on the ColdFusion 10 machine and the property Disable updating ColdFusion internal cookies using ColdFusion tags/functions is not checked.

Can anyone help me with this strange case?

score 7 · Answer 1 · edited May 23 '17 at 10:25

There has already been some in depth discussion about the behavior of <cfcookie> related to domains. The following posts mention that the workaround seems to be using <cfheader> to work with the cookies:

ColdFusion 10 CFCookie not honoring domain attribute
why doesn't cfcookie allow setting domain= to a subdomain for CFID/CFTOKEN?

After posting that question Henry actually entered a bug with Adobe on it:
https://bugbase.adobe.com/index.cfm?event=bug&id=3593673
You can add your comments/vote to the bug.

While I believe these references answer your questions regarding the <cfcookie> behavior that you are seeing, if you are only concerned with "expiring" the user's session then Scott's answer gives you a better way to invalidate the user's current session than manually setting the cookies.

Thanks for the input. I up-voted your reply, the least I can do. — Alex, Aug 05 '13 at 19:42

score 6 · Accepted Answer · answered Aug 05 '13 at 17:12

6

In ColdFusion 10, you can use sessionInvalidate() to accomplish this. You will not need to worry about removing the cookies either.

answered Aug 05 '13 at 17:12

Scott Stroz

7,510
2
21
25

I did not realize that this function existed in ColdFusion 10. Nice! I believe your answer better suits the OP's final goal. I tried to modify my answer to show that. – Miguel-F Aug 05 '13 at 17:38
Thanks for this great tip. It's a shame Adobe doesn't hint such a convenient function in the session chapters of the technical documentation. – Alex Aug 05 '13 at 19:47
Nice blog entry that describes the Improved Session Management in ColdFusion 10: http://www.shilpikhariwal.com/2012/03/improved-session-management-in.html – Scott Jibben Aug 06 '13 at 01:43

How to overwrite CFID/CFTOKEN in ColdFusion 10?

2 Answers2