Status/Resolution/Reason: Closed/Fixed/
Reporter/Name(from Bugbase): Andrew O / Andrew O (Andrew O)
Created: 10/31/2009
Components: Core Runtime, Session Management
Versions: 9.0
Failure Type: Unspecified
Found In Build/Fixed In Build: 0000 / 257528
Priority/Frequency: Major / Most users will encounter
Locale/System: English / Win All
Vote Count: 0
Problem:
In 8.0.1, breaking behaviour in sessions when security hotfix HF801-1875.jar is applied, when using sessionmanagement with clientcookies and clientmanagement off. Haven't got time to reproduce this in CF9 yet.

Run the following cfms in Steps to Reproduce: from Foo.cfm, navigate to Bar.cfm, then to Too.cfm, with and without the patch.

Before the patch: the CFID and CFTOKEN are preserved across all 3 cfms, using sessionmanagement and passing the URLToken via URL. Any cookies for CFID and CFTOKEN are ignored.

After the patch: the CFID and CFTOKEN change for every page when the cookie is set with a CFID or CFTOKEN = blank; the session cannot be stored and session variables are not preserved, even when the URL passes it in properly and SETCLIENTCOOKIES is set to No.

Why is this important? For 99% of the time this does not cause a problem, but some browsers seem to not behave when we set <CFCOOKIE NAME=cfid EXPIRES=NOW>. While most browsers remove the cookie, some however leave the cookie there with a blank value. This causes the session in the next page not to be able to stick and sessionmanagement to fail.
Method:
foo.cfm:

    <!--- Session management on, CF does not set client cookies; the page sets blank
          CFID/CFTOKEN cookies itself to mimic a browser that leaves an emptied cookie behind --->
    <cfapplication name="foobar" clientmanagement="No" setclientcookies="No" sessionmanagement="Yes">
    <h3>Foo..</h3>
    <cfcookie name="CFID" value="">
    <cfcookie name="CFTOKEN" value="">
    <cfdump var="#SESSION#">
    <cfdump var="#COOKIE#">
    <cfoutput>
    <!--- Carry the current session as JSON and append the URLToken (CFID/CFTOKEN) to the link --->
    <br><a href="bar.cfm?oldsession=#URLEncodedFormat(SerializeJSON(SESSION))#&#SESSION.URLTOKEN#">Click here for BAR</a>
    </cfoutput>

bar.cfm:

    <cfapplication name="foobar" clientmanagement="No" setclientcookies="No" sessionmanagement="Yes">
    <h3>...Bar!</h3>
    <!--- Session as it was on foo.cfm, passed through the URL --->
    <u>Old Session:</u><br>
    <cfdump var="#DeserializeJSON(URL.oldsession)#">
    <!--- Session as resolved on this request; TEST should survive to too.cfm --->
    <u>New Session:</u><br>
    <cfset SESSION.TEST = "Abcde">
    <cfdump var="#SESSION#">
    <cfdump var="#COOKIE#">
    <cfoutput>
    <br><a href="too.cfm?#SESSION.URLTOKEN#">Click here for TOO</a>
    </cfoutput>

too.cfm:

    <cfapplication name="foobar" clientmanagement="No" setclientcookies="No" sessionmanagement="Yes">
    <h3>...Too!</h3>
    <!--- Compare CFID/CFTOKEN here with the previous pages; SESSION.TEST should still be present --->
    <u>Current Session:</u><br>
    <cfdump var="#SESSION#">
    <cfdump var="#COOKIE#">
    <a href="foo.cfm">Click here for FOO</a><br><br>
Result:
----------------------------- Additional Watson Details -----------------------------
Watson Bug ID: 3040371
External Customer Info:
External Company:
External Customer Name: Andrew O
External Customer Email: 217D28CC45BB037A992015A9
External Test Config: 10/31/2009
Attachments:
Comments:
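The failure mode in this report is a present-but-blank CFID/CFTOKEN cookie pair being treated as authoritative, so the URL token is never consulted and a new session is minted on every request. The following is an added illustration, not ColdFusion's code and not the fix shipped in build 257528: it models the post-hotfix behaviour the reporter describes beside a resolver that treats blank or malformed cookie values as absent and, when the application does not set client cookies, honours the URL token. The identifier format, the `resolve_*` function names and the cookie/query inputs are constructed for the model.

```python
# Added illustration (hypothetical model, not ColdFusion's implementation) of the two
# session-identifier lookups described in this report.
import re
import secrets
from urllib.parse import parse_qs

# Accept only identifier-looking values; everything else (including "") counts as absent.
# The allowed alphabet is an assumption for the model, not a ColdFusion rule.
_ID_RE = re.compile(r"[A-Za-z0-9-]{1,64}")


def _usable(value):
    """Return the stripped value if it looks like a session identifier, else None."""
    if value is None:
        return None
    value = value.strip()
    return value if _ID_RE.fullmatch(value) else None


def parse_urltoken(query):
    """Extract (CFID, CFTOKEN) from a query string such as the one the repro pages
    build from SESSION.URLTOKEN; None if either part is missing or malformed."""
    params = parse_qs(query or "", keep_blank_values=True)
    cfid = _usable(params.get("CFID", [None])[0])
    cftoken = _usable(params.get("CFTOKEN", [None])[0])
    return (cfid, cftoken) if cfid and cftoken else None


def _new_identifiers():
    """Mint a fresh pair (constructed format, for the model only)."""
    return (str(secrets.randbelow(10**8)), secrets.token_hex(8))


def resolve_as_reported(cookies, query):
    """Post-hotfix behaviour from the report: cookie presence wins over the URL token,
    and a present-but-blank cookie pair starts a new session on every request."""
    if "CFID" in cookies and "CFTOKEN" in cookies:
        pair = (cookies["CFID"], cookies["CFTOKEN"])
        if all(_ID_RE.fullmatch(v) for v in pair):
            return pair, "cookie"
        return _new_identifiers(), "new"
    pair = parse_urltoken(query)
    return (pair, "url") if pair else (_new_identifiers(), "new")


def resolve_tolerant(cookies, query, setclientcookies=False):
    """Tolerant lookup: blank/malformed cookies count as absent, and when the
    application does not set client cookies the URL token is consulted first."""
    from_cookie = (_usable(cookies.get("CFID")), _usable(cookies.get("CFTOKEN")))
    from_cookie = from_cookie if all(from_cookie) else None
    from_url = parse_urltoken(query)
    order = [(from_url, "url"), (from_cookie, "cookie")]
    if setclientcookies:
        order.reverse()
    for pair, source in order:
        if pair:
            return pair, source
    return _new_identifiers(), "new"


if __name__ == "__main__":
    # Constructed request: blank cookies (as left behind by some browsers) plus a valid URLToken.
    blank_cookies = {"CFID": "", "CFTOKEN": ""}
    query = "oldsession=%7B%7D&CFID=1234&CFTOKEN=5678"
    print("as reported:", resolve_as_reported(blank_cookies, query))  # new ids each call
    print("tolerant:   ", resolve_tolerant(blank_cookies, query))     # ('1234', '5678'), 'url'
```

Running the module twice through `resolve_as_reported` with the blank cookie pair yields two different identifier pairs, which is exactly the "CFID and CFTOKEN change for every page" symptom; `resolve_tolerant` keeps the session because the blank cookies are ignored in favour of the URL token. Identifiers carried in the URL, as the repro relies on, end up in referrer headers and access logs, so the tolerant order should only be used where the application really runs with setclientcookies off.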