Status/Resolution/Reason: To Fix//BugVerified
Reporter/Name(from Bugbase): Charlie A. / ()
Created: 12/18/2019
Components: Documentation, General
Versions: 2018
Failure Type:
Found In Build/Fixed In Build: n/a /
Priority/Frequency: Normal /
Locale/System: / Win 2016
Vote Count: 0
There is a page discussing how session cookies work, which has a few errors, some significant, and some clear opportunities for improvement.
And while it's labeled as being about CF10, it is just as important for those using later versions of CF, as some of its topics are not discussed elsewhere. The page is https://helpx.adobe.com/coldfusion/developing-applications/developing-cfml-applications/securing-applications/security-enhancements-in-coldfusion-10.html.
1) In its example showing setting a struct of session cookie settings, the code SETS and then uses a variable called cookieast, but it also shows uses of one called cookiest, which it never sets. It seems the intent was to have the names mean "cookie struct" and "cookie auth struct", but only one is defined. There's also no discussion above this point of what authcookie or authorization cookies are about.
2) Along the same lines, there is later a discussion of the available this.sessioncookie keys, which ends with this.authcookie.timeout. Again, it's not clear why it mentions that authcookie in a discussion of sessioncookies.
Then again, it shows it as:
this.authcookie.timeout= "value"(-1 by default. Cookie is valid until the browser is open.)
Note that the phrase "until the browser is open" is wrong. It should be "until the browser is closed".
3) Note that nowhere on the page does it mention that this option of -1 (for "value until browser close") applies to the sessioncookie.timeout as well.
4) The box after that bulleted list says:
"Note: You can define the SetDomainCookies property and set session cookies for domain at application and server level. In this case, the precedence is as follows: application settings, server settings, and the SetDomianCookies property."
First, there is no mention to this point on that page of what setdomaincookies would be referring to. There was only this.sessioncookie.domain.
Second, and more important, the "precedence" listed seems wrong. Nowhere else do server settings override application settings.
Indeed, the "note" after the code about #cookiest# above (used in cfapplication) says instead, "Note: The application level setting takes precedence over the server level setting."
5) And notice how that discussion of controlling things in application.cfc is separated from the discussion above it about controlling things in application.cfm, by a discussion of doing things at the adminapi. It should instead show use of application.cfm and cfc (perhaps even reversing that order) and THEN the adminapi, if the thinking is that the focus is on what developers can do more typically (in their apps).
6) That said, and finally, there is a note after that saying this:
"Note: Using CFCookie and CFHeader tags to manipulate ColdFusion cookie and authorization cookie can be controlled in application or server level configuration. Add the following in application.cfc or application.cfm: sessioncookie.disableupdate=true and authcookie.disableupdate=true. You can also use the following methods in the CFIDE\adminapi\runtime.cfc: GetRuntimeProperty("CFInternalCookieDisableUpdate") and SetRuntimeProperty("CFInternalCookieDisableUpdate", "true/false"). To set the tags in the ColdFusion administrator, go Server Settings > Memory Variables > Session Cookies Settings. Select or deselect "Disable Updating ColdFusion internal cookies using ColdFusion Tags\Function"."
First, the initial sentence there should clarify and say "ColdFusion session cookie", not just "ColdFusion cookie" (like it then says about "authorization cookie").
Second, it should clarify that the server settings take precedence, and then it should logically show those first in that paragraph (the Admin option that is now listed last above), and then the Admin API listed currently before that. THEN the application approach should be listed (and show "true or false", just like the other sentences in this note show true or false, letting the user know they can choose how to control things).
Third, the final sentence in that note starts, "To set the tags in the ColdFusion administrator". It should instead say "To control manipulation of the session/authorization cookies in the ColdFusion administrator"
Attachments:
Comments:
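For reference, the settings the report discusses (sessioncookie and authcookie keys, the -1 timeout convention, and disableupdate) in one Application.cfc, as an added example that is not from the Adobe page or the bug report; it assumes ColdFusion 10 or later, and the application name and domain are placeholders.

```cfml
// Application.cfc (added example; assumes ColdFusion 10 or later)
component {
    this.name = "CookieSettingsDemo";   // placeholder application name
    this.sessionManagement = true;
    this.sessionTimeout = createTimeSpan(0, 0, 30, 0);

    // Session cookie (CFID/CFTOKEN) settings, set as a struct as the doc page does.
    this.sessioncookie = {
        httponly = true,            // not readable from client-side script
        secure   = true,            // only sent over HTTPS
        domain   = ".example.com",  // placeholder domain
        timeout  = -1,              // -1 = cookie is valid until the browser is closed
        disableupdate = true        // cfcookie/cfheader may not overwrite the session cookie
    };

    // Authorization (cflogin) cookie settings; the same -1 convention applies.
    this.authcookie = {
        timeout = -1,
        disableupdate = true
    };
}
```

The ColdFusion Administrator setting under Server Settings > Memory Variables > Session Cookies Settings takes precedence over these application-level values, so the application struct only tightens what the server allows.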