We run a website on a subdomain (mysite.abc.com) while other parties within our company operate various other websites on the main domain and other subdomains (www.abc.com, anothersite.abc.com, etc.). Our site is ColdFusion-based, as are a few of (but not all of) the other abc.com websites.
We started to encounter recently a problem in which our users key their login information into our login page and click submit only to have the page refresh. No failed login attempt, just a page refresh. I have seen the issue primarily in Firefox, but I believe this is just because our users prefer that browser. I am unable to recreate the problem on my end, but then again I rarely use Firefox and don't often visit the abc.com websites outside of our own.
The only fix that seems to work is to clear the browser's cookies entirely, or if the user objects to that, just the cookies for "abc.com". Doing so lets the user log back into our website (again, at mysite.abc.com) fine. I do not have to clear the cookies for mysite.abc.com, so I'm led to believe this is a result of the main domain's cookies somehow conflicting with our own.
Any thoughts? Has anyone else experienced this?
EDIT: I haven't had a chance to test which of the main site's cookies is causing this, but I'm assuming it's the CFID/CFTOKEN. I'll know more once another user encounters it, assuming I can spend some time on their computer to do testing, and not have to rush-fix the problem so they can continue working.
The actual fix was simple, just delete the main website's CFID and CFTOKEN cookies first thing on my login page, using:
<cfcookie name="cfid" value="" domain=".mysite.com" expires="now">
<cfcookie name="cftoken" value="" domain=".mysite.com" expires="now">
Application.cfc/Application.cfm
<cfapplication name = "Test"
clientmanagement="No"
sessionmanagement="Yes"
sessiontimeout="#CreateTimeSpan(0,0,5,0)#"
setClientCookies="no"
setDomainCookies="no"
applicationtimeout="#CreateTimeSpan(0,2,0,0)#">
----------------------
Place this code somewhere in the login page
<!--- .mydomain.com cookie is interfering with the subdomain.mydomain.com cookie. So let's clear the mydomain cookie before attempting to login --->
<cfif session.userID IS 0> <!--- if not logged in yet --->
    <cfif isDefined("Cookie")>
        <!--- count how many CFID and CFTOKEN cookies the browser sent with this request --->
        <cfset idCount = 0>
        <cfset tokenCount = 0>
        <cfloop collection="#cookie#" item="v">
            <cfif v IS "CFID">
                <cfset idCount += 1>
            <cfelseif v IS "CFTOKEN">
                <cfset tokenCount += 1>
            </cfif>
        </cfloop>
        <cfif idCount NEQ tokenCount OR idCount GT 1>
            <!--- duplicate or mismatched pair: drop every cookie, expire the .mydomain.com copies,
                  then re-set this session's own CFID/CFTOKEN on the subdomain --->
            <cfloop collection="#cookie#" item="v">
                <cfset structDelete(cookie, v)>
            </cfloop>
            <cfif isDefined("session.cfid")>
                <cfcookie name="cfid" value="#session.cfid#" domain=".mydomain.com" expires="now">
                <cfcookie name="cfid" value="#session.cfid#">
            </cfif>
            <cfif isDefined("session.cftoken")>
                <cfcookie name="cftoken" value="#session.cftoken#" domain=".mydomain.com" expires="now">
                <cfcookie name="cftoken" value="#session.cftoken#">
            </cfif>
        <cfelse>
            <!--- exactly one pair, but it does not match this session: replace it the same way --->
            <cfif isDefined("cookie.cfid") AND isDefined("session.cfid") AND cookie.cfid IS NOT session.cfid>
                <cfcookie name="cfid" value="#session.cfid#" domain=".mydomain.com" expires="now">
                <cfcookie name="cfid" value="#session.cfid#">
            </cfif>
            <cfif isDefined("cookie.cftoken") AND isDefined("session.cftoken") AND cookie.cftoken IS NOT session.cftoken>
                <cfcookie name="cftoken" value="#session.cftoken#" domain=".mydomain.com" expires="now">
                <cfcookie name="cftoken" value="#session.cftoken#">
            </cfif>
        </cfif>
    </cfif>
</cfif>
Hi vishu,
Thanks for this code, I'll give it a try. Forgive my (probably really basic) follow-up questions:
1. So, it seems based on your code sample that you can delete cookies at the parent domain level (mysite.com) from a ColdFusion server hosted on the subdomain level (something.mysite.com). Is this correct?
2. If so, it looks like to do so you just specify domain=".mysite.com" in the cfcookie tag. So, on my CF server (hosted at something.mysite.com) I could clear CFID and CFTOKEN cookies at mysite.com by using:
<cfcookie name="cfid" value="" domain=".mysite.com" expires="now">
<cfcookie name="cftoken" value="" domain=".mysite.com" expires="now">
3. And lastly, I'm trying to figure out where the parent domain's CFID and CFTOKEN values are being created. I don't host those web servers, in fact I'm not even able to find one that runs ColdFusion (though that doesn't mean a CF server at the parent domain doesn't exist somewhere). Is there any way CFID and CFTOKEN values from my site (something.mysite.com) are being set at the parent level (mysite.com)?
Hope these questions make sense.
Hi vishu,
Disregard - I managed to get it all worked out. I was overthinking it.
Simply clearing the main website's CFID and CFTOKEN cookies first thing each time my login page loads resolved the issue.
Good for you! Please kindly mark your answer as 'correct'. Thanks.
Thanks for the tip, sadly this does not expire my domain cookies and they remain persistent on Lucee.
Is there another way e.g. using headers to delete cookies?
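The collision vishu's counting loop detects, and the header-based deletion asked about above for Lucee, modelled in Python as an added example (not ColdFusion code from this thread; the cookie jar, hostnames and values are constructed):

```python
"""Model of the CFID/CFTOKEN collision: a pair set for the parent domain
(.abc.com) is sent to mysite.abc.com alongside the subdomain's own pair, so
the server receives two cookies with the same name. Constructed example."""

# Constructed browser cookie jar: (name, value, domain, host_only)
JAR = [
    ("CFID", "1001", "abc.com", False),        # set by www.abc.com with Domain=.abc.com
    ("CFTOKEN", "aaaa", "abc.com", False),
    ("CFID", "2002", "mysite.abc.com", True),  # set by mysite.abc.com, no Domain attribute
    ("CFTOKEN", "bbbb", "mysite.abc.com", True),
]

def domain_matches(host, cookie_domain, host_only):
    """RFC 6265 s5.1.3: host-only cookies need an exact host match,
    domain cookies match the domain itself and every subdomain of it."""
    if host_only:
        return host == cookie_domain
    return host == cookie_domain or host.endswith("." + cookie_domain)

def cookie_header_for(host, jar=JAR):
    """Cookie request header a browser sends to `host`. RFC 6265 s5.4 sends
    every matching cookie and does not de-duplicate by name, which is why
    the subdomain server sees CFID twice; which copy it honours depends on
    its cookie parser, so the login silently binds to the wrong session."""
    sent = [(n, v) for n, v, d, host_only in jar if domain_matches(host, d, host_only)]
    return "; ".join(f"{n}={v}" for n, v in sent)

def duplicate_session_cookies(cookie_header):
    """Names among CFID/CFTOKEN that arrive more than once: the condition
    vishu's idCount/tokenCount loop tests before clearing cookies."""
    counts = {}
    for part in cookie_header.split(";"):
        name = part.strip().split("=", 1)[0].upper()
        if name in ("CFID", "CFTOKEN"):
            counts[name] = counts.get(name, 0) + 1
    return sorted(n for n, c in counts.items() if c > 1)

def expire_parent_cookies(parent_domain, names=("CFID", "CFTOKEN"), path="/"):
    """Raw Set-Cookie headers that delete the parent-domain copies. A browser
    only removes a cookie when name, Domain and Path all match the stored
    one, so a deletion that omits or mismatches Path leaves it in place."""
    return [f"Set-Cookie: {n}=; Domain={parent_domain}; Path={path}; "
            f"Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0" for n in names]

if __name__ == "__main__":
    hdr = cookie_header_for("mysite.abc.com")
    print(hdr)                                  # both CFID values are sent
    print(duplicate_session_cookies(hdr))       # ['CFID', 'CFTOKEN']
    print("\n".join(expire_parent_cookies(".abc.com")))
```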
My first take on this is that you could potentially cause the same problem for other sites setting cookies as you're having now with your site, if you did this. I would suggest using JSESSIONID instead of CFID & CFTOKEN if that's possible. It's usually (but not always) a better option anyway for a variety of reasons.
Dave Watts, Eidolon LLC