January 13, 2012
Answered

CFID and CFTOKEN cookies are set for each path in my site


I have session management turned on for my site, and I've noticed that every time I browse to a new directory in my site (for example from mysite.com to mysite.com/myfolder) I get an additional pair of session cookies.

When I view my cookies in chrome, I get something like:

Name      Value     Domain         Path
CFID      11188     mydomain.com   /
CFTOKEN   3810856   mydomain.com   /
CFID      11188     mydomain.com   /myfolder
CFTOKEN   3810856   mydomain.com   /myfolder

So, this extra pair of CFID/CFTOKEN cookies gets set for every different path I click into as I'm browsing my site.

Is this normal?

It doesn't seem correct to me, is there any way to fix it?

Thanks.

Correct answer 12Robots

Nothing comes up.

I'm wondering if it's a server setting?

I have CF9 set up on a testing server. Maybe there's something in the admin?

Thanks so much for the prompt reply!


You could also try searching for <cfheader>, that is another way to manually set cookies. Or search for the string "SET_COOKIE".

2 replies

ilssac
Inspiring
January 13, 2012

You have, of course, made sure that your browser is properly keeping and returning the cookies being set to it?

This is the behaviour that will happen if ColdFusion does not get a cookie returned from the browser: it will generate new ones on each and every page where such cookies are expected by ColdFusion.

jeremy1Author
Inspiring
January 13, 2012

Yup, everything looks fine on the browser end. The same thing happens in Firefox, Chrome, and Safari. All three are set to accept cookies and I can view my cookies in each one. In fact, this is one of the ways I noticed that all these duplicate cookies were being set.

Could it be that CF is confused by the domain of my testing server? It seems to think each new path requires a new set of cookies.

12Robots
Participating Frequently
January 14, 2012

The thing is that CF *always* uses the default path "/" when it sets cookies unless explicitly told otherwise using the path attribute in <cfcookie />. If it is setting cookies with the path set to anything other than "/" then it leads me to believe that something is explicitly setting the cookie.

To my knowledge there is no setting in the administrator that would change this behavior (I've been wrong before though).

Jason

12Robots
Participating Frequently
January 13, 2012

It is not supposed to work that way. The only time I have ever seen that is when cookies are being set manually (usually inside of App.cfc's onSessionStart). The first question I would have is, are you setting cookies manually?

I would also be curious to know if you have an App.cfc in that subfolder. I don't think that having an App.cfc in there would cause that, but I thought it would be worth investigating.

Jason

jeremy1Author
Inspiring
January 13, 2012

No, I'm not setting them manually as far as I know.

It's a fairly old app that we are redesigning the front end for, so I'm still using application.cfm.

I set up session management like this:

<CFAPPLICATION name="mysite" sessionmanagement="Yes" sessiontimeout="#CreateTimeSpan(1,0,0,0)#">

jeremy1Author
Inspiring
January 17, 2012

You could also try searching for <cfheader>, that is another way to manually set cookies. Or search for the string "SET_COOKIE".


That was it. I did a search for CFHEADER and it turned out that portcullis.cfc was using it to check through the cookies. I disabled portcullis and it fixed the problem. So now I'll either have to debug that cfc or find another XSS solution...

Thanks.
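The search suggested in the thread, as an added example (not code from the thread or from portcullis.cfc): it scans CFML source for tags that write cookies by hand and reports the path a browser would store for each, using the RFC 6265 default-path rule when a raw Set-Cookie header carries no Path. The sample CFML, the function names and the assumption that the offending header omits Path are constructed for illustration.

```python
import re

# Constructed sample (not from the poster's site or from portcullis.cfc).
SAMPLE_CFML = '''<cfapplication name="mysite" sessionmanagement="Yes">
<cfheader name="X-Frame-Options" value="DENY">
<cfcookie name="theme" value="dark" path="/myfolder">
<cfheader name="Set-Cookie"
          value="CFID=#cookie.cfid#; HttpOnly">
<cfheader name="Set-Cookie" value="CFTOKEN=#cookie.cftoken#; Path=/; HttpOnly">
'''

TAG_RE = re.compile(r"<(cfcookie|cfheader)\b([^>]*)>", re.I | re.S)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*("[^"]*"|'[^']*')""")
PATH_RE = re.compile(r";\s*path\s*=\s*([^;]*)", re.I)

def default_path(request_path):
    """RFC 6265 5.1.4: the path a browser assigns when Set-Cookie has no Path."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[: request_path.rfind("/")]

def find_manual_cookie_sets(cfml):
    """Return (line, tag, explicit_path_or_None) for each hand-written cookie."""
    hits = []
    for m in TAG_RE.finditer(cfml):
        tag = m.group(1).lower()
        attrs = {k.lower(): v[1:-1] for k, v in ATTR_RE.findall(m.group(2))}
        if tag == "cfheader":
            if attrs.get("name", "").lower() != "set-cookie":
                continue  # some other response header, not a cookie write
            found = PATH_RE.search(attrs.get("value", ""))
            path = found.group(1).strip() if found else None
        else:
            path = attrs.get("path")
        hits.append((cfml.count("\n", 0, m.start()) + 1, tag, path))
    return hits

def stored_paths(cfml, request_path):
    """Path the browser would store for each hit when request_path is served."""
    out = []
    for line, tag, path in find_manual_cookie_sets(cfml):
        if path is None:
            # No Path: raw header gets the browser default; <cfcookie> gets "/" per the thread.
            path = default_path(request_path) if tag == "cfheader" else "/"
        out.append((line, tag, path))
    return out

if __name__ == "__main__":
    print(stored_paths(SAMPLE_CFML, "/myfolder/index.cfm"))
```

Any hit whose stored path is not "/" is a candidate source of the per-directory CFID/CFTOKEN pairs shown in the question.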