CFID and CFTOKEN cookies are set for each path in my site

Explorer, Jan 13, 2012

I have session management turned on for my site, and I've noticed that every time I browse to a new directory in my site (for example from mysite.com to mysite.com/myfolder) I get an additional pair of session cookies.

When I view my cookies in chrome, I get something like:

Name      Value     Domain        Path
CFID      11188     mydomain.com  /
CFTOKEN   3810856   mydomain.com  /
CFID      11188     mydomain.com  /myfolder
CFTOKEN   3810856   mydomain.com  /myfolder

So, this extra pair of CFID/CFTOKEN cookies gets set for every different path I click into as I'm browsing my site.

Is this normal?

It doesn't seem correct to me, is there any way to fix it?

Thanks.

TOPICS
Security

Advocate, Jan 13, 2012

It is not supposed to work that way. The only time I have ever seen that is when cookies are being set manually (usually inside of App.cfc's onSessionStart). The first question I would have is, are you setting cookies manually?

I would also be curious to know if you have an App.cfc in that subfolder. I don't think that having an App.cfc in there would cause that, but I thought it would be worth investigating.

Jason

Explorer, Jan 13, 2012

No, I'm not setting them manually as far as I know.

It's a fairly old app that we are redesigning the front end for, so I'm still using application.cfm.

I set up session management like this:

<CFAPPLICATION name="mysite" sessionmanagement="Yes" sessiontimeout="#CreateTimeSpan(1,0,0,0)#">

Advocate, Jan 13, 2012

Search the code base for <cfcookie and see what you find.

Explorer, Jan 13, 2012

Nothing comes up.

I'm wondering if it's a server setting?

I have CF9 set up on a testing server. Maybe there's something in the admin?

Thanks so much for the prompt reply!

Advocate, Jan 17, 2012 (Correct answer)

You could also try searching for <cfheader>, that is another way to manually set cookies. Or search for the string "SET_COOKIE".

Explorer, Jan 17, 2012

That was it. I did a search for CFHEADER and it turned out that portcullis.cfc was using it to check through the cookies. I disabled portcullis and it fixed the problem. So now I'll either have to debug that cfc or find another XSS solution...

Thanks.

Advocate, Jan 17, 2012

Glad we figured it out.

New Here, Oct 11, 2012

Hi

I just had the same problem with portcullis and am curious to know whether you were able to find a solution to the problem?

Thanks in advance,

Advocate, Jan 17, 2012

I just noticed that in your example above the two CFID and two CFTOKEN cookies share the same value. This is another indication that the cookies are being set manually. If CF was creating new cookies by its normal means, it would create new session tokens and create new sessions.

Valorous Hero, Jan 13, 2012

You have, of course, made sure that your browser is properly keeping and returning the cookies being set to it?

This is the behaviour that will happen if ColdFusion does not get a cookie returned from the browser: it will generate new ones on each and every page where ColdFusion expects such cookies.

Explorer, Jan 13, 2012

Yup, everything looks fine on the browser end. The same thing happens in Firefox, Chrome, and Safari. All three are set to accept cookies and I can view my cookies in each one. In fact, this is one of the ways I noticed that all these duplicate cookies were being set.

Could it be that CF is confused by the domain of my testing server? It seems to think each new path requires a new set of cookies.

Advocate, Jan 13, 2012

The thing is that CF *always* uses the default path "/" when it sets cookies unless explicitly told otherwise using the path attribute in <cfcookie />. If it is setting cookies with the path set to anything other than "/" then it leads me to believe that something is explicitly setting the cookie.

To my knowledge there is no setting in the administrator that would change this behavior (I've been wrong before though).

Jason
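A small audit script, added here and not part of the thread, that applies the two diagnostics given in the replies (a CFID/CFTOKEN scoped to a path other than "/", and a second copy carrying the same value as the root cookie) to a list of Set-Cookie headers, and shows which copies a browser would send back for a given request path. The header values are constructed from the table in the question.

```python
# Added example (not from the thread): audit Set-Cookie headers using the two
# heuristics from the replies: (1) CF session management always scopes
# CFID/CFTOKEN to Path=/, so any other path means application code set the
# cookie; (2) a copy with the same value as the root cookie is a manual re-issue.
from collections import defaultdict

SESSION_COOKIES = ("CFID", "CFTOKEN")
# Constructed sample headers, as seen while browsing from / into /myfolder.
SAMPLE_HEADERS = [
    "CFID=11188; Path=/; Domain=mydomain.com",
    "CFTOKEN=3810856; Path=/; Domain=mydomain.com",
    "CFID=11188; Path=/myfolder; Domain=mydomain.com",
    "CFTOKEN=3810856; Path=/myfolder; Domain=mydomain.com",
    "JSESSIONID=abc123; Path=/; HttpOnly",
]

def parse_set_cookie(header):
    """Return (name, value, path) from one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        k, _, v = attr.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), value.strip(), attrs.get("path") or "/"

def audit_session_cookies(headers):
    """Return (name, path, reason) for every CFID/CFTOKEN not scoped to /."""
    seen = defaultdict(list)  # cookie name -> [(path, value), ...]
    for h in headers:
        name, value, path = parse_set_cookie(h)
        if name.upper() in SESSION_COOKIES:
            seen[name.upper()].append((path, value))
    findings = []
    for name, entries in seen.items():
        root_values = {v for p, v in entries if p == "/"}
        for path, value in entries:
            if path != "/":
                reason = "non-root path: not set by CF session management"
                if value in root_values:
                    reason += "; same value as root cookie (manual copy)"
                findings.append((name, path, reason))
    return findings

def cookies_sent_for(headers, request_path):
    """(name, path) pairs a browser would send to request_path. Path-match
    only (cookie path is / or a directory prefix); domain/secure ignored."""
    sent = []
    for h in headers:
        name, _, path = parse_set_cookie(h)
        if request_path == path or request_path.startswith(path.rstrip("/") + "/"):
            sent.append((name, path))
    return sent
```

Running the audit on the sample flags both /myfolder copies, and a request under /myfolder carries two CFID and two CFTOKEN cookies, which is why the duplicates are worth tracking down rather than ignoring.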

Explorer, Jan 17, 2012

Maybe this is a CF9 bug?

Advocate, Jan 17, 2012

I doubt it. Works fine for me.
