tracker issue : CF-3182493

Title:

<cfcookie> with no expires attribute managing session (CFID / CFTOKEN) browser-only cookies results in persistent cookies


Status/Resolution/Reason: Closed/Fixed/

Reporter/Name(from Bugbase): Rob Nikkel / Rob Nikkel (The Whale #4)

Created: 05/04/2012

Components: Security, General

Versions: 10.0

Failure Type:

Found In Build/Fixed In Build: Public Beta / 286333

Priority/Frequency: Major / All users will encounter

Locale/System: English / Windows 7 SP1 64-bit

Vote Count: 1

Problem Description:

Manual management of session cookies (CFID / CFTOKEN) does not work when trying to create session-only cookies

Steps to Reproduce:

Add this code to a test page: <cfcookie attributecollection="#{name = 'CFID', httpOnly = true, value = 'bunk', secure = false}#">

Expected Result:

Browser session cookie

Any Workarounds:

Using <cfheader name="set-cookie" value="CFID=bunk;path=/;HTTPOnly">

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	3182493

External Customer Info:
External Company:  
External Customer Name: The Whale #4
External Customer Email:  
External Test Config: My Hardware and Environment details: Windows 7 64-bit, IIS 7, CF 10 Beta

Attachments:

Comments:

Now you won't be able to delete any of the session cookies via cfcookie. You cannot set HTTPOnly to false via cfcookie if the default is HTTPOnly = true, either. In case you had an environment with CFID and CFTOKEN cookies for all your subdomains, e.g. ".example.com", and CF10 automatically sets CFID and CFTOKEN cookies for the current domain "www.example.com", you will have 2 CFID and 2 CFTOKEN cookies and probably won't be able to set up a working session once this environment exists. The workaround is, as said before, to use cfheader to unset any of these cookies: <cfheader name="set-cookie" value="CFID=;path=/;HTTPOnly=false;domain=.example.com;expires=#GetHttpTimeString(DateConvert('local2utc', now()))#">
Comment by External U.
19541 | September 06, 2012 10:27:26 AM GMT
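The expected result in the report (a browser-session cookie when no expires is given), the two-CFID situation described in the comment above, and the cfheader deletion workaround all follow from Set-Cookie semantics. The following Python is an added example, not code from the bug report, from the commenter, or from ColdFusion: it renders Set-Cookie headers, parses them the way a browser does, and runs them through a constructed in-memory cookie jar. CookieJar, parse_set_cookie, the host names and the 30-day Expires value are assumptions for illustration only.

```python
"""Set-Cookie semantics behind this report, as an added example: no Expires means a
browser-session cookie, Expires makes it persistent, and a cookie is deleted by
re-sending the same name/Domain/Path with an Expires date in the past.  CookieJar is
a constructed stand-in for a browser's cookie store, not ColdFusion or a real browser."""
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

NOW = datetime.now(timezone.utc)  # the simulated browser's clock for this run


def set_cookie_header(name, value, path="/", domain=None, secure=False,
                      httponly=True, expires=None):
    """Render one Set-Cookie value; expires=None yields a session cookie."""
    parts = [f"{name}={value}", f"Path={path}"]
    if domain:
        parts.append(f"Domain={domain}")
    if expires is not None:
        parts.append("Expires=" + format_datetime(expires, usegmt=True))
    parts += ["Secure"] * secure + ["HttpOnly"] * httponly
    return "; ".join(parts)


def delete_cookie_header(name, path="/", domain=None):
    """What the cfheader workaround sends: same name/Domain/Path, Expires in the past."""
    return set_cookie_header(name, "", path=path, domain=domain,
                             expires=datetime(1970, 1, 1, tzinfo=timezone.utc))


def parse_set_cookie(header):
    """Minimal RFC 6265-style parse of a Set-Cookie value into a dict."""
    first, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    cookie = {"name": name, "value": value, "domain": None, "path": "/",
              "expires": None, "secure": False, "httponly": False}
    for attr in attrs:
        key, _, val = attr.partition("=")
        key = key.lower()
        if key == "domain":
            cookie["domain"] = val.lower().lstrip(".")
        elif key == "path":
            cookie["path"] = val or "/"
        elif key == "expires":
            cookie["expires"] = parsedate_to_datetime(val)
        elif key in ("secure", "httponly"):
            cookie[key] = True  # RFC 6265 ignores the value: "HTTPOnly=false" still sets the flag
    return cookie


def _domain_matches(host, cookie):
    if cookie["host_only"]:
        return host == cookie["domain"]
    return host == cookie["domain"] or host.endswith("." + cookie["domain"])


class CookieJar:
    """Browser-like store keyed by (domain, path, name): a .example.com cookie and a
    www.example.com cookie with the same name coexist rather than replace each other."""
    def __init__(self):
        self.store = {}

    def receive(self, request_host, header):
        host = request_host.lower()
        c = parse_set_cookie(header)
        c["host_only"] = c["domain"] is None
        if c["host_only"]:
            c["domain"] = host
        elif not _domain_matches(host, c):
            return  # Domain attribute does not cover the requesting host: rejected
        key = (c["domain"], c["path"], c["name"])
        if c["expires"] is not None and c["expires"] <= NOW:
            self.store.pop(key, None)  # Expires in the past deletes the matching cookie
        else:
            self.store[key] = c

    def cookies_for(self, request_host):
        host = request_host.lower()
        return [c for c in self.store.values() if _domain_matches(host, c)]

    def end_browser_session(self):
        """Closing the browser drops session cookies and keeps persistent ones."""
        self.store = {k: c for k, c in self.store.items() if c["expires"] is not None}


def demo():
    jar = CookieJar()
    # Expected behaviour: CFID with no Expires is a session cookie.
    jar.receive("www.example.com", set_cookie_header("CFID", "bunk"))
    # Reported behaviour: an Expires attribute makes it persistent (30 days is illustrative).
    jar.receive("www.example.com", set_cookie_header(
        "CFTOKEN", "tok", expires=NOW + timedelta(days=30)))
    jar.end_browser_session()
    survivors = sorted(c["name"] for c in jar.cookies_for("www.example.com"))
    # Two CFID cookies (.example.com plus host-only www.example.com), as in the first comment.
    jar.receive("app.example.com", set_cookie_header("CFID", "old", domain=".example.com"))
    jar.receive("www.example.com", set_cookie_header("CFID", "new"))
    duplicates = sum(c["name"] == "CFID" for c in jar.cookies_for("www.example.com"))
    # Workaround: expire the domain cookie, naming the same Domain it was set with.
    jar.receive("www.example.com", delete_cookie_header("CFID", domain=".example.com"))
    remaining = [c["value"] for c in jar.cookies_for("www.example.com") if c["name"] == "CFID"]
    return survivors, duplicates, remaining
```

`demo()` returns `(['CFTOKEN'], 2, ['new'])`: the session cookie is gone after the browser closes, the persistent one survives, the domain and host-only CFID cookies are both sent to www.example.com, and only a deletion that repeats the original Domain removes the domain cookie. A deletion header without `domain=.example.com` would instead hit the host-only cookie (removing "new" and leaving "old"), which is why the workaround in the comment names the domain explicitly.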
This is one aspect of cookie problems we're seeing with CF10 - this clearly needs engineering attention!
Vote by External U.
19543 | June 03, 2013 05:51:09 PM GMT
using domain-level cookies for CFID/CFToken is generally a very bad idea - CF10 appears to be *forcing* these tokens to be domain-level, with the net effect that a CF10 instance in a domain can be **fatal** to session management on any other CF instances in the entire domain [adobe.com is afflicted by this also]
Comment by External U.
19542 | June 03, 2013 05:53:09 PM GMT