Status/Resolution/Reason: To Fix//BugVerified
Reporter/Name(from Bugbase): Charlie A. / ()
Created: 12/18/2019
Components: Documentation, General
Versions: 2016
Failure Type:
Found In Build/Fixed In Build: n/a /
Priority/Frequency: Normal /
Locale/System: / Win 2016
Vote Count: 0
There are a few issues in the docs regarding sessioncookie and authcookie settings, both about how those can be set in code, and how they can be set in the admin. Especially egregious is the lack of clarity on how the sessioncookie.timeout can be set to -1, causing the cfide/cftoken cookies to be set to expire on browser close.
1) First, in the page on application-level settings (https://helpx.adobe.com/coldfusion/cfml-reference/application-cfc-reference/application-variables.html), there are a few opps for improvement.
2) in the discussion of authcookie.timeout, it shows this:
authcookie.timeout -1 Auth Cookie age in days.
There is no indication of what -1 means, which is "until the browser is closed" (as indicated in https://helpx.adobe.com/coldfusion/developing-applications/developing-cfml-applications/securing-applications/security-enhancements-in-coldfusion-10.html, though currently that says "until the browser is open", which is wrong and for which I opened another ticket.)
And technically, it's not until the browser is closed but until all windows of the browser are closed (working similarly to how the jsessionid cookie of J2EE sessions works). Further, the doc should indicate how to the browser such a cookie is called a "session" cookie, as is shown in the developer tools of modern browsers. I appreciate that the term "session cookie" can be confusing as it's about how the BROWSER regards it, in a page discussion "session cookies" that CF sets.
3) Next, in the discussion of sessioncookie.timeout:
sessioncookie.timeout 30 years Session Cookie age in days
Note that there is no indication here of how this ALSO can take a value of -1, to enable such a cookie that terminates on browser close (a "session cookie"). This is very important as most people presume CF session cookies ALWAYS must have some positive age, either very long (the default) or very short), while 0 is not acceptable. They need to be told here that -1 is acceptable.
4) Related to all this, the doc for the CF Admin page about "memory variables", and the settings at the bottom about "session cookie settings" makes no mention of this option to set this to -1, though it is indeed supported.
See the paltry discussion at https://helpx.adobe.com/coldfusion/configuring-administering/using-the-coldfusion-administrator.html#ServerSettingssection. It's also not discussed in the other docs that refer to this page: https://helpx.adobe.com/coldfusion/developing-applications/developing-cfml-applications/using-persistent-data-and-locking/configuring-and-using-session-variables.html and https://helpx.adobe.com/coldfusion/developing-applications/developing-cfml-applications/using-persistent-data-and-locking/managing-the-client-state.html, or https://helpx.adobe.com/coldfusion/kb/difference-coldfusion-j2ee-session-management.html.
5) In fact, that last page carries on the misinformation that only j2ee sessions can end on browser close!
6) Finally, I will note that a search via the Adobe site search feature (shown on all docs pages) will NOT find this page, if one does a search for the phrase sessioncookie (trying to find docs on it).
The first page above is not found in such a search because all the references there have a period after that word, as in sessioncookie.timeout.
It would be helpful to find a way to add a discussion on the first page above to mention sessioncookie as a word on its own, so that the search will find this page. And same for the authcookie phrase, as these phrases appear in only one other doc page (and that is a page discussing improvements in CF10).Attachments:
Comments: