tracker issue : CF-4197174

Title:

Coldfusion does not expire empty-value cookies in IE

Status/Resolution/Reason: Closed/Fixed/Fixed

Reporter/Name(from Bugbase): Joel Grimes / Joel Grimes (Joel Grimes)

Created: 10/31/2016

Components: Language

Versions: 2016,11.0,2018

Failure Type:

Found In Build/Fixed In Build: CF2016_Update3 / 302433

Priority/Frequency: Major / All users will encounter

Locale/System: English / Windows 7

Vote Count: 1

Listed in the version 2016.0.04.302561 Issues Fixed doc
Problem Description:
In Internet Explorer, trying to set or expire an empty cookie results in a new session cookie with the name "cookieX" where X is some number and a value of "Y=" where Y is the cookie name.

Steps to Reproduce:
<cfcookie value="" name="A" expires="now" />

Actual Result:
In Internet Explorer:
New session cookie with name: cookie1 Value:"A=" and expires="session".

Expected Result:
Cookie A will expire (expiration date in the past)

Any Workarounds:
None found.  Potential workarounds must BOTH set the cookie in the cookie struct AND send a properly dated cookie header.  The possible workarounds are a Catch-22:  
    Using CFHEADER to send the cookie does not update the cookie struct
    Modifying the cookie struct directly will send the cookie and result in an additional, undeletable session cookie.

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	4197174

External Customer Info:
External Company:  
External Customer Name: Joel Grimes
External Customer Email:  
External Test Config: CF 2016 update 3

Internet Explorer 11

Attachments:

  1. November 01, 2016 00:00:00: 1_BlankCookieDateBug.png

Comments:

In Internet Explorer this is resulting in unexpected logouts. IE has a 50 cookie limit and as the new, unwanted session cookies pile up, older, valid cookies are removed. Viewed in Fiddler, the set cookie header for an empty cookie looks like this in CF2016, no matter what date is used for the expires attribute:
    Set-Cookie: A=; Max-Age=0; Path=/
In CF9:
    Set-Cookie: A=;expires=Sat, 31-Oct-2015 22:16:24 GMT;path=/
If the cookie has a value, the set cookie header in CF 2016 correctly includes the expiration date:
    Set-Cookie: A=a; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Comment by External U.
1553 | October 31, 2016 05:18:52 PM GMT
For empty value cookies we ourselves are adding the header in the response because Tomcat adds quotes in it (bug#CF-3608332) - fixed earlier. But we were adding only max-age for expiry, but IE doesn't respect the max-age header, so now adding the expires header too. @QA: Expires value is being set by us in a particular format and in the GMT timezone. So we need to check the behavior in different timezones and different app servers.
Comment by Milan C.
1554 | November 10, 2016 06:56:58 AM GMT
This also seems to be happening in CF 11 Update 11. IE will now just set an empty cookie if you use <cfcookie name="nomnom" expires="now" />. If you specify a value it then correctly expires. This means any checks that a cookie exists always pass when using IE as it never gets rid of the cookie. This never happened in CF 11 previous to update 11.
Comment by Toby W.
1555 | December 29, 2016 03:16:46 PM GMT
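
A check for the header difference discussed in this issue, as an added example that is not part of the tracker entry or of ColdFusion itself: it parses captured Set-Cookie headers and reports cookies whose deletion relies on Max-Age alone, which the comments above say IE does not respect. The function names are hypothetical; the sample headers in the usage note are the ones quoted in the first comment.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_set_cookie(header):
    """Return (name, value, attrs) with attribute names lower-cased."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    pair, *rest = [part.strip() for part in header.split(";")]
    name, _, value = pair.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def deletion_signal(header, now=None):
    """Classify how a Set-Cookie header asks the browser to drop the cookie."""
    now = now or datetime.now(timezone.utc)
    _, _, attrs = parse_set_cookie(header)
    expired = False
    if "expires" in attrs:
        try:
            when = parsedate_to_datetime(attrs["expires"])
            if when.tzinfo is None:  # no zone given: treat as GMT
                when = when.replace(tzinfo=timezone.utc)
            expired = when <= now
        except (TypeError, ValueError):
            expired = False  # unparseable date: not a usable signal
    try:
        zero_age = int(attrs["max-age"]) <= 0
    except (KeyError, ValueError):
        zero_age = False
    if expired and zero_age:
        return "expires+max-age"
    if expired:
        return "expires-only"
    return "max-age-only" if zero_age else "none"


def ignored_by_expires_only_clients(headers):
    """Names of cookies whose deletion depends on Max-Age alone."""
    return [parse_set_cookie(h)[0] for h in headers
            if deletion_signal(h) == "max-age-only"]
```

Run over the three headers quoted in the first comment, only the CF2016 empty-value header (A=; Max-Age=0; Path=/) is classified as max-age-only; the CF9 header and the CF2016 header with a value both carry a past Expires date.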