Participant
April 24, 2023
Question

How to prevent same CF cookies across subdomains?

Has anyone run into this cookies issue?
Imagine I have these 2 subdomains ("www" and "test", as part of the ".foo.com" domain), like this:

test.foo.com
www.foo.com
I'm having an issue where, if a user logs in to a CF app hosted on one of these domains, it logs the user out of the app on the other domain. This, I guess, has to do with the CFID and CFTOKEN cookies that get saved in the browser somehow.
I also noticed that there is a setDomainCookies setting for an app in CF, but setting it to true or false does not seem to do anything.
Any ideas what to do in this case? Is there a way to tell CF that it should handle cookies for one subdomain independently of any other subdomain (or main domain)???
    Community Expert
    April 25, 2023

    I suspect this is related to the number of CF instances you have running. If you have one CF instance connected to multiple web sites, you're going to have one CFID and CFTOKEN for each user, regardless of whether they're on site A or site B.

    @BKBK is describing a way to overwrite the session values CF automatically sets with custom, slightly modified cookies that will provide separate CFID and CFTOKEN values for each host. I'm not entirely sure that will work exactly as written, but the idea is sound. As you mentioned, you tried to use the setDomainCookies method in the pseudo-constructor in Application.cfc:

    <cfset this.setDomainCookies = "false">

    But, as you mentioned, this isn't working for you! So, you should be able to just use this.setClientCookies = "false" in Application.cfc's pseudo-constructor, then use the CFCOOKIE tag like this:

    <!--- note, no domain listed! the default domain should correspond to the host instead of the domain --->
    <cfcookie name="CFID" value="#Session.CFID#">
    <cfcookie name="CFTOKEN" value="#Session.CFTOKEN#">

    I hope this made sense!

    Dave Watts, Eidolon LLC

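For readers weighing the two replies above, here is an added example (not code from any post in this thread) of an Application.cfc that keeps each host's CFID/CFTOKEN cookie scoped to that host, with the setting that shares them across subdomains shown beside the one that does not; the application name and timeout are assumed values:

```cfml
// Application.cfc for the app served at test.foo.com (added example; the name and
// timeout are assumed). The app at www.foo.com gets its own copy with another this.name.
component {
    // CF looks a session up by application name + CFID + CFTOKEN, so a distinct name
    // per host means a cookie pair from one host can never resolve to the other's session.
    this.name = "test_foo_app";
    this.sessionManagement = true;
    this.sessionTimeout = createTimeSpan(0, 0, 30, 0);

    // Weak: true makes CF emit the cookies with Domain=.foo.com, so the browser sends the
    // same CFID/CFTOKEN to www.foo.com and a login on either host overwrites the other.
    // this.setDomainCookies = true;

    // Hardened: false (the default) omits the Domain attribute; a cookie with no Domain
    // attribute is returned only to the exact host that set it, so test.foo.com and
    // www.foo.com each keep their own pair.
    this.setClientCookies = true;
    this.setDomainCookies = false;
    this.sessionCookie = {
        httpOnly = true,      // keep CFID/CFTOKEN out of reach of page script
        secure = true,        // only send them over HTTPS
        disableUpdate = true  // stop cfcookie/cfheader in app code from rewriting them
    };
}
```

If you instead take the setClientCookies=false route from the reply above and write CFID/CFTOKEN yourself, give those cfcookie tags httponly="true" and secure="true", since a hand-set cookie gets neither flag by default.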
    BKBK
    Community Expert
    April 24, 2023

    Check out cfcookie's domain attribute. Try something like domain=".foo.com".

    jcelias (Author)
    Participant
    April 25, 2023

    This doesn't seem to work, since the issue is with the CFID and CFTOKEN cookies which ColdFusion sets behind the scenes for me to maintain the session. Is there a way to force ColdFusion to set these on a per-subdomain basis as opposed to on a per-domain-and-wildcard basis???

    BKBK
    Community Expert
    April 25, 2023

    I suspect that you misunderstood what I meant. Perhaps because I didn't explain in detail.

    What I meant was, you should actually use the domain attribute when setting the CFID and CFTOKEN cookies. Something like

    <!--- NB: the value of the domain must begin with a dot --->
    <cfif structKeyExists(session, "cfid")>
        <cfcookie name="cfid" value="#session.cfid#" domain=".foo.com">
    </cfif>

    <cfif structKeyExists(session, "cftoken")>
        <cfcookie name="cftoken" value="#session.cftoken#" domain=".foo.com">
    </cfif>

    That was just an example to illustrate. You should tailor your own code to what you want to achieve.