March 19, 2013
Question

Session domain cookies interfering with subdomain cookies


We are upgrading to IIS7/CF10 from IIS6/CF7. We run several subdomains and CFID/CFTOKEN cookies issued by the domain are taking precedence over the subdomain cookies we're issuing. The result is that users are getting a new session on every request. I can clear the domain cookies and everything works fine. Ironically, the main domain is no longer using CFID/CFTOKEN and has switched to using JSESSIONID. That's great because we would no longer have a conflict with them, but the users can't seem to clear their domain cookies because of security settings on their internal network workstations.

Is there some way to force CF to request only the subdomain cookies and ignore the domain cookies, or is this an IIS7 issue?


    vishu_13
    Inspiring
    April 11, 2014

    Assume that there is a login page; then you can place the code mentioned below in that page.

    <!--- .mydomain.com cookie is interfering with the subdomain.mydomain.com cookie. So let's clear the mydomain cookie before attempting to login --->
    <cfif session.userID IS 0> <!--- if not logged in yet --->
        <cfif isDefined("Cookie")>
            <!--- count the CFID and CFTOKEN entries in the cookie scope --->
            <cfset idCount = tokenCount = 0>
            <cfloop collection="#cookie#" item="v">
                <cfif v IS "CFID">
                    <cfset idCount += 1>
                <cfelseif v IS "CFTOKEN">
                    <cfset tokenCount += 1>
                </cfif>
            </cfloop>
            <cfif idCount NEQ tokenCount OR idCount GT 1>
                <!--- counts do not match or there is more than one CFID: clear the cookie scope --->
                <cfloop collection="#cookie#" item="v">
                    <cfset structDelete(cookie,v)>
                </cfloop>
                <!--- expire the .mydomain.com cookie, then reissue it without a domain attribute --->
                <cfif isDefined("session.cfid")>
                    <cfcookie name="cfid" value="#session.cfid#" domain=".mydomain.com" expires="now">
                    <cfcookie name="cfid" value="#session.cfid#">
                </cfif>
                <cfif isDefined("session.cftoken")>
                    <cfcookie name="cftoken" value="#session.cftoken#" domain=".mydomain.com" expires="now">
                    <cfcookie name="cftoken" value="#session.cftoken#">
                </cfif>
            <cfelse>
                <!--- cookie value differs from the session value: expire the domain cookie and reissue --->
                <cfif isDefined("cookie.cfid") AND isDefined("session.cfid") AND cookie.cfid IS NOT session.cfid>
                    <cfcookie name="cfid" value="#session.cfid#" domain=".mydomain.com" expires="now">
                    <cfcookie name="cfid" value="#session.cfid#">
                </cfif>
                <cfif isDefined("cookie.cftoken") AND isDefined("session.cftoken") AND cookie.cftoken IS NOT session.cftoken>
                    <cfcookie name="cftoken" value="#session.cftoken#" domain=".mydomain.com" expires="now">
                    <cfcookie name="cftoken" value="#session.cftoken#">
                </cfif>
            </cfif>
        </cfif>
    </cfif>

    April 11, 2014

    No, I never found an answer to my problem. The organization is so large we've never figured out who is issuing the domain cookies from their site. The only solution was to ask users who were having issues with it to clear their cookies. Of course group policy was set not to delete domain cookies, so we have to have them run this vbscript:

    dim result,answer
    Set WshShell = WScript.CreateObject("WSCript.shell")
    Set objExplorer = CreateObject("InternetExplorer.Application")
    answer = MsgBox("Selecting YES to delete your cookies or NO to cancel.",vbYesNo,"Delete Cookies")
    If answer = vbYes Then
        result = WshShell.run ("C:\Windows\System32\rundll32.exe InetCpl.cpl,ClearMyTracksByProcess 255",1,TRUE)
        WScript.echo "Your history has been deleted"
    End If

    We just link it in a zip file on the login page. Some users don't have permission to run it so they have to contact support to have someone run it for them. It's been a huge pain, but I haven't figured out how else to deal with the issue.

    I will test your suggestion. I'm 99% sure I tried something like this to get rid of any domain cookies, but nothing I did on my end would get rid of them. It's been a while so I'll try it again.

    Participant
    March 28, 2013

    I am running into the same issue. Any chance you found a solution?

    Participant
    March 28, 2013

    Sorry, I haven't found any way to fix the issue. Another tech wrote a vbscript that the users can run to clear their cookies (clearHistory.vbs):

    dim result,answer
    Set WshShell = WScript.CreateObject("WSCript.shell")
    Set objExplorer = CreateObject("InternetExplorer.Application")
    answer = MsgBox("Selecting YES to delete your cookies or NO to cancel.",vbYesNo,"Delete Cookies")
    If answer = vbYes Then
        result = WshShell.run ("C:\Windows\System32\rundll32.exe InetCpl.cpl,ClearMyTracksByProcess 255",1,TRUE)
        WScript.echo "Your history has been deleted"
    End If

    I tried writing code that would expire/delete the domain cookies, but the browser is just ignoring me so I don't know what else I can do.

    Participant
    March 28, 2013

    Thanks a lot for the reply.

    You are setting the specific domain in the cfcookie attribute, right?
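
Added example, not code from any poster in this thread: the Cookie request header carries only name=value pairs, so a server can see that CFID/CFTOKEN arrived twice but not which scope each copy belongs to, and a browser drops a cookie only when the expiring Set-Cookie matches its name, domain and path. The sketch below detects the duplicates and builds one expiring header per candidate parent domain; the function names, the sample header and the `Path=/` default are assumptions made for illustration.

```python
from email.utils import formatdate

SESSION_NAMES = {"cfid", "cftoken"}  # ColdFusion session cookies named in the thread


def duplicate_session_cookies(cookie_header):
    """Return {NAME: [values]} for session cookies that arrive more than once."""
    seen = {}
    for pair in cookie_header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep and name.lower() in SESSION_NAMES:
            seen.setdefault(name.upper(), []).append(value)
    return {n: v for n, v in seen.items() if len(v) > 1}


def parent_domains(host):
    """Candidate Domain= scopes above `host` (naive label split, no Public Suffix List)."""
    labels = host.lower().split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels) - 1)]


def expiry_headers(host, names, path="/"):
    """Set-Cookie values that expire `names` at every parent scope of `host`.

    Assumes the unwanted cookies were set with Path=/; a different path
    would need its own header, because the path must match as well.
    """
    epoch = formatdate(0, usegmt=True)  # Thu, 01 Jan 1970 00:00:00 GMT
    return [
        f"{name}=; Domain={domain}; Path={path}; Expires={epoch}; Max-Age=0"
        for domain in parent_domains(host)
        for name in sorted(names)
    ]


# Constructed request header: two CFID/CFTOKEN pairs, as described in the question.
SAMPLE = "CFID=1001; CFTOKEN=aaaa1111; JSESSIONID=xyz; CFID=2002; CFTOKEN=bbbb2222"

if __name__ == "__main__":
    dups = duplicate_session_cookies(SAMPLE)
    print(dups)
    for header in expiry_headers("subdomain.mydomain.com", dups):
        print("Set-Cookie:", header)
```

Logging requests where `duplicate_session_cookies` returns a non-empty result also gives a count of how many clients still carry the parent-domain cookies.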