Setting partition with cfcookie

Hello,

With Chrome's 3rd-party cookie changes, I haven't been able to find anything about adding a partition attr/state with cfcookie. Am I not looking in the right place or I missing something? Any insight would be much appreciated!

 

Right now, I'm using cfheader to set that, but there are some instances (mainly iframes) where I would like to set them and immediately have CF access it . 

 

Working Example: <cfheader name="Set-Cookie" value="__Host-testCookie=; Expires=Thur, 29 Feb 2024 00:00:00 GMT; Path=/; Secure; SameSite=None; Partitioned;">

 

- https://helpx.adobe.com/coldfusion/cfml-reference/coldfusion-tags/tags-c/cfcookie.html

- https://developers.google.com/privacy-sandbox/3pcd/access

- https://developer.mozilla.org/en-US/docs/Web/Privacy/Privacy_sandbox/Partitioned_cookies

 

Same thing I found about it

ColdFusion does not have native support for setting the "Partitioned" attribute/state for cookies using the <cfcookie> tag. The <cfcookie> tag primarily allows you to set basic attributes such as name, value, expires, path, domain, secure, and httpOnly.

However, you can continue using <cfheader> to set cookies with the "Partitioned" attribute, as you've shown in your example. While this method works, it might not be as convenient as directly setting it with <cfcookie>.

If you're looking for a more seamless way to handle setting partitioned cookies, you might consider creating a custom ColdFusion function or component that encapsulates the logic for setting cookies with the "Partitioned" attribute. This would allow you to abstract away the details of using <cfheader> and make it easier to use within your codebase, including in iframes or other contexts where you need immediate access to the cookies.

Alternatively, you can explore using JavaScript to set cookies with the "Partitioned" attribute on the client side, but this approach might not be suitable if you require server-side access to the cookies immediately.

As browser cookie policies evolve, it's important to stay updated with the latest documentation and best practices for managing cookies in your applications. Keep an eye on ColdFusion updates and community discussions for any new features or enhancements related to cookie management.

[Disclaimer: I'm testing using CF2016u17 & Edge Dev]  I attempted to set a CFCookie along with CFHeader.  In the past, 2 cookies with the same name would result in CFHeader overwriting CFCookie since it occurs after, but I noticed that the "__Host-" prefixed cookies were duplicated (rather than overwritten).

WARNING:  The browser dev console confirms two (2) cookies exist with the same exact name with the only difference is that CFHeader version has a "partitioned" flag set.  Using CFDump displays both of these cookies with the same name. (Kinda odd; struct keys are usually unique.) If this happens in production, what's the workaround?  I noticed that updates to the CFHeader version of the cookie wouldn't be reflected when dumping cookie["__Host-TEST"] that only the first declared cookie (in the HTTP request) with the same name in the header is returned as the value.

After manually deleting the CFHeader cookie (w/partitioned flag) using browser dev tools, any attempt to expire the CF-created "__host-" cookie using CFCookie doesn't appear to do anything. A CFDump revealed that the variable name still exists, but displays an empty value.  The HTTP response "Set-cookie" header attempts to delete the cookie, but the CF-created cookie isn't deleted, and I'm not sure why.

Going forward, if we use these new CHIPS "partitioned" cookies with ColdFusion, I think we'll set/modify/delete the values within the browser using JavaScript and only read the cookies using ColdFusion.  (Since these cookies don't use "httpOnly", they don't need to be issued by the web application server.)