tracker issue : CF-4204632

Title:

Invalid Set-Cookie Header Date Format


Status/Resolution/Reason: To Fix//BugVerified

Reporter/Name(from Bugbase): James M. / ()

Created: 06/26/2019

Components: Language, Cookie

Versions: 2016,2018

Failure Type: Enhancement Request

Found In Build/Fixed In Build: 2016.0.11.314546 /

Priority/Frequency: Normal / Unknown

Locale/System: English / Win 2016

Vote Count: 0

Problem Description: I was testing my website using webhint.io and received a security recommendation regarding cookie expiration dates. Apparently an expiration date using UTC/GMT format is required by cookies. Instead of "Thu, 11 Jul 2019 22:43:23 GMT", the date generated by ColdFusion is formatted with dashes "Thu, 11-Jul-2019 22:43:23 GMT". Compare the date format by visiting any GitHub repository and viewing the "Set-Cookie" headers (expires=Wed, 10 Jul 2019 23:03:10 -0000). While comparing, I noticed that GitHub cookie headers are all lowercase while CF-generated headers use title-case.

Steps to Reproduce:
<CFCOOKIE name="TestCookie" value="#Now()#" expires="15">

Actual Result:
(View F12 Web Developer Tools - Network Panel)
Expires=Thu, 11-Jul-2019 22:43:23 GMT 
(with dashes in the date format)

Expected Result:
expires=Thu, 11 Jul 2019 22:43:23 GMT 
(a valid UTC/GMT date format)

Any Workarounds:
None.

Attachments:

Comments:

GetHttpTimeString(now()) returns something that looks like "Thu, 27 Jun 2019 16:05:25 GMT". CFCookie "expires" values should use the same UTC format.
Comment by James M.
30961 | June 27, 2019 04:07:06 PM GMT
Update received via email on 7/9/2019: Target Version updated to 'Alpha'; Version updated to '13.0'. Does the above status update indicate that this won't actually get fixed for CF2016?
Comment by James M.
31011 | July 10, 2019 03:56:07 PM GMT
I noticed that CF2016u12 (released on 24 Sep, 2019) didn't have a fix for this. QUESTION: Will this be updated in CF2016? Or will this update only find its way into CF2020? (Is that what "Alpha" is?) As a workaround, I'm using this CFTag. It additionally supports "samesite" and provides support to older versions of ColdFusion. https://gamesover2600.tumblr.com/post/188744661844/coldfusion-setcookie-udf-supports-samesite (NOTE: It generates 2 cookies so that 1) the CF "cookie" scope is updated and 2) the cookie is sent in a valid manner to the browser.)
Comment by James M.
31765 | November 04, 2019 03:27:34 PM GMT
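
A header check for the format difference reported above, added here as an example (it is not code from the reporter, from webhint or from ColdFusion). It classifies the Expires attribute of a Set-Cookie value as the rfc1123-date layout that RFC 6265 specifies for servers or as the dashed layout shown under "Actual Result", and returns the space-separated form; the function names and the sample headers are constructed for illustration.

```python
import re
from datetime import datetime, timezone
from email.utils import format_datetime

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
# One pattern for both layouts; group 3 captures the date separator:
# " " is the rfc1123-date layout, "-" is the dashed layout from the report.
DATE_RE = re.compile(
    r"^([A-Z][a-z]{2}), (\d{2})([ -])([A-Z][a-z]{2})\3(\d{4}) "
    r"(\d{2}):(\d{2}):(\d{2}) GMT$")

def expires_value(set_cookie):
    """Return the Expires attribute of one Set-Cookie value, or None."""
    for attr in set_cookie.split(";")[1:]:
        name, _, value = attr.strip().partition("=")
        if name.lower() == "expires":    # attribute names are case-insensitive
            return value.strip()
    return None

def check_expires(set_cookie):
    """Return (verdict, rfc1123_form) for one Set-Cookie value."""
    raw = expires_value(set_cookie)
    if raw is None:
        return ("no-expires", None)
    m = DATE_RE.match(raw)
    if not m or m.group(1) not in DAYS or m.group(4) not in MONTHS:
        return ("unrecognized", None)
    wkday, day, sep, mon, year, hh, mm, ss = m.groups()
    try:
        dt = datetime(int(year), MONTHS.index(mon) + 1, int(day),
                      int(hh), int(mm), int(ss), tzinfo=timezone.utc)
    except ValueError:                   # impossible date or time, e.g. 31 Feb
        return ("unrecognized", None)
    if DAYS[dt.weekday()] != wkday:      # weekday must agree with the date
        return ("unrecognized", None)
    verdict = "rfc1123" if sep == " " else "dashed"
    return (verdict, format_datetime(dt, usegmt=True))

# Constructed sample headers using the two date strings from the report.
SAMPLES = [
    "TestCookie=constructed; Expires=Thu, 11-Jul-2019 22:43:23 GMT; Path=/",
    "TestCookie=constructed; expires=Thu, 11 Jul 2019 22:43:23 GMT; Path=/",
    "TestCookie=constructed; Path=/",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(check_expires(header), "<-", header)
```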