I work in an 'enterprise' environment. Lots and lots of subdomains, with many of them running ColdFusion apps and none of them coordinating. We've run into a problem where app1.foo.bar.com sets CF cookies (CFTOKEN/CFID) on the bar.com domain and app2.foo.bar.com sets cookies on the foo.bar.com domain. The app teams insist on using cookies instead of putting CFTOKEN/CFID in the URL.
As a result, when the browser sends a GET to app2.foo.bar.com, it sends both sets of CF cookies.
Sometimes app2's CF server uses the right set of cookies. Sometimes it uses the wrong set of cookies. When it uses the wrong cookies, it loses session state.
It seems to me like the only fix is to get app1 to set its CF cookies on app1.foo.bar.com domain and app2 to set its CF cookies on app2.foo.bar.com domain. But that only works until somebody starts up a new app on app3.bar.com and sets its CF cookies on bar.com domain.
What can a CF application do to defend itself from another CF app setting CF cookies on a higher-level subdomain? The only thing I can think of is to say that if the app sees 2 sets of CF cookies, clear them all and send the user back to app login to get new CF cookies.
Is there a better approach (while still using cookies)?
Thanks
Just a shot in the dark, but are you using the domain attribute of the cfCookie tag?
There is also the setDomainCookies attribute of the cfApplication tag that might help you.
Message was edited by: Eddie Lotter: Additional info.
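Putting the two posts together, as an added example that is not code from this thread: an Application.cfc that keeps this app's own CFID/CFTOKEN host-scoped via setDomainCookies, and implements the original poster's fallback of detecting a second cookie pair arriving from a parent domain, expiring all of them and sending the user back to login. The application name, the /login.cfm path and reading the raw Cookie header through cgi.http_cookie are my assumptions.

```cfml
<!--- Application.cfc (added example, not from the thread): host-scoped session cookies
      plus detection of a second CFID/CFTOKEN pair arriving from a parent domain. --->
<cfcomponent output="false">
    <cfset this.name = "app2">  <!--- hypothetical application name --->
    <cfset this.sessionManagement = true>
    <!--- setDomainCookies=false (the default) makes CF scope CFID/CFTOKEN to the
          exact host (app2.foo.bar.com) rather than to foo.bar.com or bar.com --->
    <cfset this.setDomainCookies = false>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var rawHeader = cgi.http_cookie>
        <cfset var host = cgi.server_name>
        <!--- The cookie scope collapses duplicate names, so inspect the raw header.
              A browser holding cookies for both bar.com and app2.foo.bar.com sends
              "CFID=..; CFTOKEN=..; CFID=..; CFTOKEN=.." and CF may pick either pair. --->
        <cfif countCookiePairs(rawHeader, "CFID") GT 1>
            <!--- Expire every variant we can reach, then force a fresh login. A cookie
                  set by another app on a parent domain can only be expired by naming
                  that domain explicitly, so walk up the host name (app2.foo.bar.com,
                  foo.bar.com, bar.com). --->
            <cfloop condition="listLen(host, '.') GTE 2">
                <cfcookie name="CFID"    value="" expires="now" domain=".#host#" path="/">
                <cfcookie name="CFTOKEN" value="" expires="now" domain=".#host#" path="/">
                <cfset host = listRest(host, ".")>
            </cfloop>
            <cfcookie name="CFID"    value="" expires="now" path="/">  <!--- host-only pair --->
            <cfcookie name="CFTOKEN" value="" expires="now" path="/">
            <cflocation url="/login.cfm" addtoken="false">  <!--- hypothetical login page --->
        </cfif>
        <cfreturn true>
    </cffunction>

    <!--- Count how many times a cookie name appears in the raw Cookie request header --->
    <cffunction name="countCookiePairs" returntype="numeric" output="false">
        <cfargument name="header" type="string" required="true">
        <cfargument name="cookieName" type="string" required="true">
        <cfset var n = 0>
        <cfset var item = "">
        <cfloop list="#arguments.header#" index="item" delimiters=";">
            <cfif listFirst(trim(item), "=") EQ arguments.cookieName>
                <cfset n = n + 1>
            </cfif>
        </cfloop>
        <cfreturn n>
    </cffunction>
</cfcomponent>
```

The detection has to read cgi.http_cookie because the cookie scope keeps only one value per name, which is exactly why the server appears to pick the "wrong" pair at random.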