tracker issue : CF-3593673

Title:

Domain attribute of cfcookie is always trimmed to .domain.tld


Status/Resolution/Reason: Closed/Fixed/

Reporter/Name(from Bugbase): Henry Ho / Henry Ho (Henry Ho)

Created: 07/11/2013

Components: Security

Versions: 10.0

Failure Type:

Found In Build/Fixed In Build: Final / CF10_Update14

Priority/Frequency: Major / All users will encounter

Locale/System: English / Win All

Vote Count: 4

Problem Description:

Domain attribute of cfcookie is always trimmed to ".domain.tld", which could be problematic, especially when sessions are not supposed to be shared across subdomains.

Steps to Reproduce:

<cfcookie name="CFID" value="#session.cfid#" domain=".subdomain.domain.tld">

Actual Result:  Set-Cookie: CFID=4215; Domain=.domain.tld; Expires=Sat, 04-Jul-2043 01:43:49 GMT; Path=/; HttpOnly

Expected Result:  Set-Cookie: CFID=4212; Domain=.subdomain.domain.tld; Expires=Sat, 04-Jul-2043 01:37:03 GMT; Path=/; HttpOnly

Any Workarounds:  Use <cfheader> instead of <cfcookie>

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	3593673

External Customer Info:
External Company:  
External Customer Name: henrylearn2rock
External Customer Email:  
External Test Config: My Hardware and Environment details:

Attachments:

Comments:

http://stackoverflow.com/questions/17583768/why-doesnt-cfcookie-allow-setting-domain-to-a-subdomain http://stackoverflow.com/questions/17202403/coldfusion-10-cfcookie-not-honoring-domain-attribute
Comment by External U.
14996 | July 11, 2013 12:31:58 PM GMT
Note that when setdomainCookies=true, the domain is also always ".domain.tld" even though the host_name has a subdomain.
Comment by External U.
14997 | July 11, 2013 12:32:55 PM GMT
related to: https://bugbase.adobe.com/index.cfm?event=bug&id=CF-3572565 http://forums.adobe.com/message/5329911
Comment by External U.
14998 | July 11, 2013 12:35:07 PM GMT
This behaviour is only observed if the name attribute of cfcookie is "CFID" or "CFTOKEN".
Comment by External U.
14999 | July 11, 2013 12:37:28 PM GMT
This causes session issues in environments where other ColdFusion applications coexist.
Vote by External U.
15002 | July 14, 2013 09:46:43 AM GMT
This causes issues in an environment where shared hosting is used and other ColdFusion applications coexist.
Vote by External U.
15003 | July 15, 2013 02:14:49 PM GMT
Ruins our session management. Huge user impact.
Vote by External U.
15004 | November 05, 2013 10:51:44 AM GMT
Verified response headers:
Set-Cookie:AAAAA=1111; Domain=.subdomain.domain.tld; Expires=Sun, 15-Mar-2082 16:01:57 GMT; Path=/
Domain attribute is not getting trimmed post fix. (Comment added from ex-user id:yrr)
Comment by Adobe D.
15000 | February 25, 2014 07:37:14 AM GMT
Please release this fix soon.
Comment by External U.
15001 | March 10, 2014 04:47:23 PM GMT
Please release the fix soon.
Vote by External U.
15005 | March 10, 2014 04:47:41 PM GMT
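
Added example (not part of the tracker entry and not Adobe's code): the RFC 6265 domain-match rule applied to the Actual and Expected Set-Cookie values quoted in the report, to show which hosts would be sent the CFID cookie in each case. The host list and all function names are constructed for illustration.

```python
# RFC 6265 domain matching applied to the two Set-Cookie values from the report.
ACTUAL = ("CFID=4215; Domain=.domain.tld; "
          "Expires=Sat, 04-Jul-2043 01:43:49 GMT; Path=/; HttpOnly")
EXPECTED = ("CFID=4212; Domain=.subdomain.domain.tld; "
            "Expires=Sat, 04-Jul-2043 01:37:03 GMT; Path=/; HttpOnly")

# Constructed hosts: the application, a child host, a neighbouring application,
# the bare domain, and a look-alike that must never match.
HOSTS = ["subdomain.domain.tld", "app.subdomain.domain.tld",
         "other.domain.tld", "domain.tld", "notdomain.tld"]


def cookie_domain(set_cookie_value):
    """Domain attribute, lower-cased, one leading dot dropped (RFC 6265 5.2.3).
    Returns None for a host-only cookie. The last Domain attribute wins."""
    domain = None
    for attr in set_cookie_value.split(";")[1:]:   # [0] is the name=value pair
        name, _, value = attr.strip().partition("=")
        if name.lower() == "domain" and value:
            domain = (value[1:] if value.startswith(".") else value).lower()
    return domain


def domain_match(host, domain):
    """RFC 6265 5.1.3 for host names: identical, or a subdomain of `domain`."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def receiving_hosts(set_cookie_value, origin_host, hosts=HOSTS):
    """Hosts from `hosts` to which a browser would return this cookie."""
    domain = cookie_domain(set_cookie_value)
    if domain is None:                             # host-only: origin host only
        return [h for h in hosts if h.lower() == origin_host.lower()]
    return [h for h in hosts if domain_match(h, domain)]


def widened_scope(set_cookie_value, requested_domain, origin_host, hosts=HOSTS):
    """Hosts that receive the cookie although the requested Domain excludes them."""
    requested = requested_domain.lstrip(".").lower()
    return [h for h in receiving_hosts(set_cookie_value, origin_host, hosts)
            if not domain_match(h, requested)]


if __name__ == "__main__":
    origin, requested = "subdomain.domain.tld", ".subdomain.domain.tld"
    for label, header in (("actual", ACTUAL), ("expected", EXPECTED)):
        print(label, "sent to:", receiving_hosts(header, origin))
        print(label, "beyond requested scope:", widened_scope(header, requested, origin))
```

A non-empty result from `widened_scope` on a captured response header means the session identifier is being sent to hosts outside the scope the application asked for.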