
Domain and subdomain cookie conflicts...

Participant, Apr 10, 2014

We run a website on a subdomain (mysite.abc.com) while other parties within our company operate various other websites on the main domain and other subdomains (www.abc.com, anothersite.abc.com, etc.). Our site is ColdFusion-based, as are a few of (but not all of) the other abc.com websites.

We started to encounter recently a problem in which our users key their log in information into our log in page and click submit only to have the page refresh. No failed log in attempt, just a page refresh. I have seen the issue primarily in Firefox, but I believe this is just because our users prefer that browser. I am unable to recreate the problem on my end, but then again I rarely use Firefox and don't often visit the abc.com websites outside of our own.

The only fix that seems to work is to clear the browser's cookies entirely, or if the user objects to that, just the cookies for "abc.com". Doing so lets the user log back into our website (again, at mysite.abc.com) fine. I do not have to clear the cookies for mysite.abc.com, so I'm led to believe this is a result of the main domain's cookies somehow conflicting with our own.

Any thoughts? Has anyone else experienced this?

EDIT: I haven't had a chance to test which of the main site's cookies is causing this, but I'm assuming it's the CFID/CFTOKEN. I'll know more once another user encounters it, assuming I can spend some time on their computer to do testing, and not have to rush-fix the problem so they can continue working.


1 Correct answer

Participant, Apr 16, 2014

The actual fix was simple, just delete the main website's CFID and CFTOKEN cookies first-thing on my log in page, using:

<cfcookie name="cfid" value="" domain=".mysite.com" expires="now">
<cfcookie name="cftoken" value="" domain=".mysite.com" expires="now">

Enthusiast, Apr 11, 2014

Application.cfc/Application.cfm

<cfapplication name="Test"
    clientmanagement="No"
    sessionmanagement="Yes"
    sessiontimeout="#CreateTimeSpan(0,0,5,0)#"
    setClientCookies="no"
    setDomainCookies="no"
    applicationtimeout="#CreateTimeSpan(0,2,0,0)#">

----------------------

Place this code somewhere in the login page

<!--- .mydomain.com cookie is interfering with the subdomain.mydomain.com cookie. So let's clear the mydomain cookie before attempting to login --->
<cfif session.userID IS 0> <!--- if not logged in yet --->
    <cfif isDefined("Cookie")>
        <!--- count the CFID / CFTOKEN keys ColdFusion exposes in the cookie scope.
              Note: the scope holds one key per cookie name, so each count can only be 0 or 1 --->
        <cfset idCount = 0>
        <cfset tokenCount = 0>
        <cfloop collection="#cookie#" item="v">
            <cfif v IS "CFID">
                <cfset idCount += 1>
            <cfelseif v IS "CFTOKEN">
                <cfset tokenCount += 1>
            </cfif>
        </cfloop>
        <cfif idCount NEQ tokenCount OR idCount GT 1>
            <!--- loop over a copy of the key list: deleting from the scope while iterating it directly is unsafe --->
            <cfloop array="#structKeyArray(cookie)#" index="v">
                <cfset structDelete(cookie, v)>
            </cfloop>
            <cfif isDefined("session.cfid")>
                <!--- expire the domain-wide copy, then re-issue a host-only cookie for this subdomain --->
                <cfcookie name="cfid" value="#session.cfid#" domain=".mydomain.com" expires="now">
                <cfcookie name="cfid" value="#session.cfid#">
            </cfif>
            <cfif isDefined("session.cftoken")>
                <cfcookie name="cftoken" value="#session.cftoken#" domain=".mydomain.com" expires="now">
                <cfcookie name="cftoken" value="#session.cftoken#">
            </cfif>
        <cfelse>
            <!--- only one of each key present: replace it if it does not match the current session --->
            <cfif isDefined("cookie.cfid") AND isDefined("session.cfid") AND cookie.cfid IS NOT session.cfid>
                <cfcookie name="cfid" value="#session.cfid#" domain=".mydomain.com" expires="now">
                <cfcookie name="cfid" value="#session.cfid#">
            </cfif>
            <cfif isDefined("cookie.cftoken") AND isDefined("session.cftoken") AND cookie.cftoken IS NOT session.cftoken>
                <cfcookie name="cftoken" value="#session.cftoken#" domain=".mydomain.com" expires="now">
                <cfcookie name="cftoken" value="#session.cftoken#">
            </cfif>
        </cfif>
    </cfif>
</cfif>

Participant, Apr 14, 2014

Hi vishu,

Thanks for this code, I'll give it a try. Forgive my (probably really basic) follow-up questions:

1. So, it seems based on your code sample that you can delete cookies at the parent domain level (mysite.com) from a ColdFusion server hosted on the subdomain level (something.mysite.com). Is this correct?

2. If so, it looks like to do so you just specify domain=".mysite.com" in the cfcookie tag. So, on my CF server (hosted at something.mysite.com) I could clear CFID and CFTOKEN cookies at mysite.com by using:

<cfcookie name="cfid" value="" domain=".mysite.com" expires="now">

<cfcookie name="cftoken" value="" domain=".mysite.com" expires="now">

3. And lastly, I'm trying to figure out where the parent domain's CFID and CFTOKEN values are being created. I don't host those web servers, in fact I'm not even able to find one that runs ColdFusion (though that doesn't mean a CF server at the parent domain doesn't exist somewhere). Is there any way CFID and CFTOKEN values from my site (something.mysite.com) are being set at the parent level (mysite.com)?

Hope these questions make sense.

Participant, Apr 15, 2014

Hi vishu,

Disregard - I managed to get it all worked out. I was overthinking it.

Simply clearing the main website's CFID and CFTOKEN cookies first-thing each time my log in page loads resolved the issue.

Community Expert, Apr 16, 2014

Good for you! Please kindly mark your answer as 'correct'. Thanks.

Community Beginner, Sep 21, 2021

Thanks for the tip, sadly this does not expire my domain cookies and they remain persistent on Lucee.
Is there another way e.g. using headers to delete cookies?

Community Expert, Sep 21, 2021

My first take on this is that you could potentially cause the same problem for other sites setting cookies as you're having now with your site, if you did this. I would suggest using JSESSIONID instead of CFID & CFTOKEN if that's possible. It's usually (but not always) a better option anyway for a variety of reasons.


Dave Watts, Eidolon LLC

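To make the collision in the original question and the trade-off Dave Watts raises concrete, here is an added example that is not part of this thread and not ColdFusion code: a small Python model of a browser cookie jar following the RFC 6265 rules that matter here (a Domain cookie is sent to every matching host, a cookie without Domain is host-only, a host can only set or expire cookies for a domain it belongs to, and the browser sends older cookies first), plus a server-side read that keeps the first value when the Cookie header repeats a name. All hosts, CFID values and the fixed clock are constructed for the simulation; the `Expires=Thu, 01 Jan 1970 ...` date stands in for what `<cfcookie expires="now">` emits.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Fixed clock for the simulation (constructed value, not from the thread).
NOW = datetime(2014, 4, 16, tzinfo=timezone.utc)


@dataclass
class Cookie:
    name: str
    value: str
    domain: str       # lowercase host, leading dot stripped
    host_only: bool   # True when Set-Cookie carried no Domain attribute
    created: int      # insertion order; RFC 6265 sends older cookies first


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: host equals the domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)


class CookieJar:
    """Browser-side jar keyed by (name, domain, host-only flag)."""

    def __init__(self) -> None:
        self._cookies = {}
        self._clock = 0

    def set_cookie(self, request_host: str, header: str) -> None:
        """Store or delete one cookie from a Set-Cookie header value."""
        parts = [p.strip() for p in header.split(";")]
        name, _, value = parts[0].partition("=")
        domain, host_only, delete = request_host.lower(), True, False
        for attr in parts[1:]:
            key, _, val = attr.partition("=")
            key, val = key.strip().lower(), val.strip()
            if key == "domain":
                domain, host_only = val.lower().lstrip("."), False
            elif key == "max-age" and int(val) <= 0:
                delete = True
            elif key == "expires" and parsedate_to_datetime(val) <= NOW:
                delete = True  # cfcookie expires="now" sends a past date
        # A host may only set or expire cookies for a domain it belongs to:
        # mysite.abc.com can clear ".abc.com" but not ".other.com".
        if not host_only and not domain_matches(request_host.lower(), domain):
            return
        jar_key = (name, domain, host_only)
        if delete:
            self._cookies.pop(jar_key, None)
            return
        old = self._cookies.get(jar_key)
        self._cookies[jar_key] = Cookie(name, value, domain, host_only,
                                        old.created if old else self._clock)
        self._clock += 1

    def cookie_header(self, request_host: str) -> str:
        """The Cookie header the browser sends to request_host."""
        host = request_host.lower()
        sent = [c for c in self._cookies.values()
                if (host == c.domain if c.host_only else domain_matches(host, c.domain))]
        sent.sort(key=lambda c: c.created)
        return "; ".join(f"{c.name}={c.value}" for c in sent)


def first_value(cookie_header: str, name: str) -> str:
    """Server-side read that keeps the first occurrence of a repeated name."""
    for pair in cookie_header.split("; "):
        key, _, val = pair.partition("=")
        if key == name:
            return val
    return ""


def run_scenario() -> dict:
    """Replay the thread: the collision, the accepted fix, and its side effects."""
    jar = CookieJar()
    my_session = "2002"  # CFID that mysite.abc.com's server issued (constructed)
    jar.set_cookie("www.other.com", "CFID=3003; Domain=.other.com; Path=/")
    jar.set_cookie("www.abc.com", "CFID=1001; Domain=.abc.com; Path=/")
    jar.set_cookie("mysite.abc.com", f"CFID={my_session}; Path=/")
    before = jar.cookie_header("mysite.abc.com")
    # The accepted fix: the login page expires the domain-wide copy ...
    jar.set_cookie("mysite.abc.com",
                   "CFID=; Domain=.abc.com; Expires=Thu, 01 Jan 1970 00:00:00 GMT")
    after = jar.cookie_header("mysite.abc.com")
    # ... but the same request cannot touch another registrable domain.
    jar.set_cookie("mysite.abc.com", "CFID=; Domain=.other.com; Max-Age=0")
    return {
        "header_before": before,
        "login_ok_before": first_value(before, "CFID") == my_session,
        "header_after": after,
        "login_ok_after": first_value(after, "CFID") == my_session,
        "www_abc_after": jar.cookie_header("www.abc.com"),  # its session is gone
        "other_after": jar.cookie_header("www.other.com"),
    }
```

Running `run_scenario()` shows the two sides of the thread: before the fix the subdomain receives `CFID=1001; CFID=2002` and a first-value read picks the parent domain's session, which is why the login page just refreshes; after the fix only `CFID=2002` is sent. The same run also shows the cost Dave Watts describes: once the `.abc.com` cookie is expired, `www.abc.com` receives no CFID at all, so the parent site's session is lost every time someone visits the subdomain's login page. Switching the subdomain to host-only cookies (or to a differently named session cookie) avoids the collision without touching the other sites' cookies.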