• Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
0

Domain and subdomain cookie conflicts...

Participant ,
Apr 10, 2014 Apr 10, 2014

Copy link to clipboard

Copied

We run a website on a subdomain (mysite.abc.com) while other parties within our company operate various other websites on the main domain and other subdomains (www.abc.com, anothersite.abc.com, etc.). Our site is ColdFusion-based, as are a few of (but not all of) the other abc.com websites.

We started to encounter recently a problem in which our users key their log in information into our log in page and click submit only to have the page refresh. No failed log in attempt, just a page refresh. I have seen the issue primarily in Firefox, but I believe this is just because our users perfer that browser. I am unable to recreate the problem on my end, but then again I rarely use Firefox and don't often visit the abc.com websites outside of our own.

The only fix that seems to work is to clear the browser's cookies entirely, or if the user objects to that, just the cookies for "abc.com". Doing so lets the user log back into our website (again, at mysite.abc.com) fine. I do not have to clear the cookies for mysite.abc.com, so I'm lead to believe this is a result of the main domain's cookies somehow conflicting with our own.

Any thoughts? Has anyone else experienced this?

EDIT: I haven't had a chance to test which of the main site's cookies is causing this, but I'm assuming it's the CFID/CFTOKEN. I'll know more once another user encounters it, assuming I can spend some time on their computer to do testing, and not have to rush-fix the problem so they can continue working.

Views

3.1K

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines

correct answers 1 Correct answer

Participant , Apr 16, 2014 Apr 16, 2014

The actual fix was simple, just delete the main website's CFID and CFTOKEN cookies first-thing on my log in page, using:

<cfcookie name="cfid" value="" domain=".mysite.com" expires="now">

<cfcookie name="cftoken" value="" domain=".mysite.com" expires="now">

Votes

Translate

Translate
Enthusiast ,
Apr 11, 2014 Apr 11, 2014

Copy link to clipboard

Copied

Application.cfc/Application.cfm

<cfapplication name = "Test"

clientmanagement="No"

sessionmanagement="Yes"

sessiontimeout="#CreateTimeSpan(0,0,5,0)#"

setClientCookies="no"

setDomainCookies="no"

applicationtimeout="#CreateTimeSpan(0,2,0,0)#">

----------------------

Place this code somewhere in the login page

<!--- .mydomain.com cookie is interfering with the subdomain.mydomain.com cookie. So let's clear the mydomain cookie before attempting to login --->

<cfif session.userID IS 0> <!--- if not logged in yet --->

    

    <cfif isDefined("Cookie")>

    <cfset idCount = tokenCount = 0>

   

    <cfloop collection="#cookie#" item="v">

    <cfif v IS "CFID">

    <cfset idCount += 1>

    <cfelseif v IS "CFTOKEN">

    <cfset tokenCount += 1>

    </cfif>

    </cfloop>

    <cfif idCount NEQ tokenCount OR idCount GT 1>

    <cfloop collection="#cookie#" item="v">

    <cfset structDelete(cookie,v)>

    </cfloop>

    <cfif isDefined("session.cfid")>

    <cfcookie name="cfid" value="#session.cfid#" domain=".mydomain.com" expires="now">

    <cfcookie name="cfid" value="#session.cfid#">

    </cfif>

    <cfif isDefined("session.cftoken")>

    <cfcookie name="cftoken" value="#session.cftoken#" domain=".mydomain.com" expires="now">

    <cfcookie name="cftoken" value="#session.cftoken#">

    </cfif>

    <cfelse>

    <cfif isDefined("cookie.cfid") AND isDefined("session.cfid") AND cookie.cfid IS NOT session.cfid>

    <cfcookie name="cfid" value="#session.cfid#" domain=".mydomain.com" expires="now">

    <cfcookie name="cfid" value="#session.cfid#">

    </cfif>

    <cfif isDefined("cookie.cftoken") AND isDefined("session.cftoken") AND cookie.cftoken IS NOT session.cftoken>

    <cfcookie name="cftoken" value="#session.cftoken#" domain=".mydomain.com" expires="now">

    <cfcookie name="cftoken" value="#session.cftoken#">

    </cfif>

    </cfif>

    </cfif>

    </cfif>

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Participant ,
Apr 14, 2014 Apr 14, 2014

Copy link to clipboard

Copied

Hi vishu,

Thanks for this code, I'll give it a try. Forgive my (probably really basic) follow-up questions:

1. So, it seems based on your code sample that you can delete cookies at the parent domain level (mysite.com) from a ColdFusion server hosted on the subdomain level (something.mysite.com). Is this correct?

2. If so, it looks like to do so you just specify domain=".mysite.com" in the cfcookie tag. So, on my CF server (hosted at something.mysite.com) I could clear CFID and CFTOKEN cookies at mysite.com by using:

<cfcookie name="cfid" value="" domain=".mysite.com" expires="now">

<cfcookie name="cftoken" value="" domain=".mysite.com" expires="now">

3. And lastly, I'm trying to figure out where the parent domain's CFID and CFTOKEN values are being created. I don't host those web servers, in fact I'm not even able to find one that runs ColdFusion (though that doesn't mean a CF server at the parent domain doesn't exist somewhere). Is there any way CFID and CFTOKEN values from my site (something.mysite.com) is being set at the parent level (mysite.com)?

Hope these questions make sense.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Participant ,
Apr 15, 2014 Apr 15, 2014

Copy link to clipboard

Copied

Hi vishu,

Disregard - I managed to get it all worked out. I was overthinking it.

Simply clearing the main website's CFID and CFTOKEN cookies first-thing each time my log in page loads resolved the issue.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Apr 16, 2014 Apr 16, 2014

Copy link to clipboard

Copied

Good for you! Please kindly mark your answer as 'correct'. Thanks.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Participant ,
Apr 16, 2014 Apr 16, 2014

Copy link to clipboard

Copied

The actual fix was simple, just delete the main website's CFID and CFTOKEN cookies first-thing on my log in page, using:

<cfcookie name="cfid" value="" domain=".mysite.com" expires="now">

<cfcookie name="cftoken" value="" domain=".mysite.com" expires="now">

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Sep 21, 2021 Sep 21, 2021

Copy link to clipboard

Copied

Thanks for the tip, sadly this does not expire my domain cookies and they remain persistant on Lucee.
Is there another way e.g. using headers to delete cookies?

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Sep 21, 2021 Sep 21, 2021

Copy link to clipboard

Copied

LATEST

My first take on this is that you could potentially cause the same problem for other sites setting cookies as you're having now with your site, if you did this. I would suggest using JSESSIONID instead of CFID & CFTOKEN if that's possible. It's usually (but not always) a better option anyway for a variety of reasons.

 

Dave Watts, Eidolon LLC

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation