New Participant
September 10, 2011
Question

Unable to recreate JSESSIONID cookie in Internet Explorer


Hello All,

(Running  CF Version: 9,0,0,251028,   Windows 2008 Server,  IIS-7)

I am using the code below to expire the JSESSIONID cookie that is generated by CF, because CF does not set the "HTTPOnly" and "Secure" cookie attributes by default when the JSESSIONID is initially created. I am then recreating the JSESSIONID cookie with the required attributes.

This works great for all browsers EXCEPT Internet Explorer!

When the code below runs in Internet Explorer, the JSESSIONID cookie does become expired as it should, as seen in the 1st line of the function below. However, the script after that fails to recreate the JSESSIONID in Internet Explorer. This is driving me nuts because it works like a charm in ALL other browsers.

I am aware of the solution which involves setting these attributes in an xml configuration file on the CF server.  However that solution is not an option for me.  I am forced to use the method below to setup my secure/httponly JSESSIONID cookie.  Any ideas would be greatly appreciated!!!

<cffunction name="OnSessionStart" output="false" access="public" description="I fix the sessionid">
    <!--- Step 1: expire the JSESSIONID cookie that JRun issued without Secure/HttpOnly --->
    <cfcookie name="JSESSIONID" expires="now"/>
    <cfscript>
        // Step 2: re-issue the same session id with the attributes we want by
        // writing a raw Set-Cookie header on the underlying servlet response.
        var.HTTPOnly = "HTTPOnly";
        var.domain   = cgi.server_name;   // host the request came in on, e.g. "localhost"
        var.path     = "/";
        var.secure   = "Secure;";         // only sent over HTTPS once this is present
        var.response = getPageContext().getResponse();
        var.header   = "JSESSIONID" & "=" & session.sessionid
                     & ";domain=." & var.domain
                     & ";path=" & var.path
                     & ";" & var.secure & var.HTTPOnly;
        var.response.setHeader("SET-COOKIE", var.header);
    </cfscript>
    <cfreturn />
</cffunction>


    12Robots
    Participating Frequently
    September 10, 2011

    Can you post what the HTTP Response to the browser that does all the cookie changes looks like?

    It will look something like this, but will include a lot more, including several SET-COOKIE headers:

    HTTP/1.0 200 OK
    Date: Fri, 31 Dec 1999 23:59:59 GMT
    Content-Type: text/html
    Content-Length: 1354
    
    

    New Participant
    September 10, 2011

    Below is the responseHeader dump (from IE9).

    Looks the exact same in Firefox and Chrome. However, a cfdump of the cookie scope will reveal (JSESSIONID=), nothing, zip, zilch, nada in IE9. Since the JSESSIONID cookie value is empty or null, a login attempt will result in a flash of the screen and the user is never logged in.

    While a cfdump of Firefox and Chrome happily display a valid JSESSIONID cookie value and allow users to login to my application just fine.

    (Note:  The secure attribute is intentionally turned off due to my non-ssl dev pc.)

    Cache-Control: no-cache, no-store, must-revalidate
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Date: Sat, 10 Sep 2011 19:35:08 GMT
    Explanation: OK
    Http_Version: HTTP/1.0
    SET-COOKIE: (struct)
      1: JSESSIONID=843032102a51ca7bfa0f60831221c8642e45;domain=.localhost;path=/;HTTPOnly
      2: JSESSIONID=843032102a51ca7bfa0f60831221c8642e45;path=/
      3: JSESSIONID=;expires=Fri, 10-Sep-2010 19:35:08 GMT;path=/
    Server: JRun Web Server
    Status_Code: 200
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    expires: {ts '2011-09-10 15:35:08'}
    pragma: no-cache

    Thanks for the help!

    Neil

    12Robots
    Participating Frequently
    September 11, 2011

    If you look at the order that the SET-COOKIE headers are being returned in, the expiration SET-COOKIE is coming last. This should not matter if IE were to differentiate between the cookies, because they have different domain and path attributes.

    I do recall having problems with localhost as the domain for cookies. I believe that technically (according to the RFC) localhost is not a valid domain name and .localhost is not valid for cookies. Try using a real domain (set something in your hosts file to point to 127.0.0.1) like www.mydomain.com and then set the cookie using .mydomain.com and see if it behaves any differently.

    Another thing you could try is to do the expiration using the same method as the creation (in other words, don't use CFCookie) so that they go to the browser in the same order. For some reason JRun puts CFCOOKIE cookies in the header *after* other cookies. You want the expiration to come before. Tomcat does not do this, but you are using JRun.
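The cookie-jar replay below is an added example, not code from the thread, from ColdFusion or from JRun. It takes the three SET-COOKIE headers from the response dump above, applies them in the order JRun sent them, and shows how the surviving JSESSIONID depends on how the browser keys cookies: whether a `domain=.localhost` cookie and a host-only `localhost` cookie are kept apart (the two-cookie outcome the poster sees in Firefox and Chrome), whether the browser refuses `.localhost` as a domain attribute outright (an assumption about IE9 taken from the reply, not something the thread verifies), and whether the leading dot is stripped as RFC 6265 section 5.3 describes. The `www.mydomain.com` / `.mydomain.com` scenario is the hosts-file setup 12Robots suggests; the hostname is hypothetical.

```python
from datetime import datetime, timezone

# Constructed input: the three Set-Cookie headers from the response dump in the
# thread, in the order JRun emitted them (the CFCOOKIE expiration comes last).
SET_COOKIE_HEADERS = [
    "JSESSIONID=843032102a51ca7bfa0f60831221c8642e45;domain=.localhost;path=/;HTTPOnly",
    "JSESSIONID=843032102a51ca7bfa0f60831221c8642e45;path=/",
    "JSESSIONID=;expires=Fri, 10-Sep-2010 19:35:08 GMT;path=/",
]
# Time of the response, taken from the Date header in the dump.
RESPONSE_TIME = datetime(2011, 9, 10, 19, 35, 8, tzinfo=timezone.utc)


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attrs).

    Attribute names are lower-cased; flag attributes such as HttpOnly map to "".
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def is_expired(attrs, now):
    """True when the Expires attribute (Netscape date format, as JRun writes it) is in the past."""
    exp = attrs.get("expires")
    if exp is None:
        return False
    when = datetime.strptime(exp, "%a, %d-%b-%Y %H:%M:%S GMT").replace(tzinfo=timezone.utc)
    return when <= now


def apply_set_cookies(headers, request_host, now, strip_domain_dot=False, reject_domains=()):
    """Replay Set-Cookie headers in order and return the resulting cookie jar.

    The jar is keyed by (name, domain, path), the identity RFC 6265 uses to decide
    whether a new cookie replaces or evicts a stored one. Domain-matching of the
    attribute against the host is not checked here; only the two switches below vary.

    strip_domain_dot: store "domain=.localhost" as "localhost" (RFC 6265 reading), so it
        collides with the host-only cookie; False keeps the dot and the two stay distinct.
    reject_domains: Domain attribute values the browser refuses outright, modelling a
        browser that will not accept ".localhost" as a cookie domain (an assumption).
    """
    refused = {d.lower() for d in reject_domains}
    jar = {}
    for header in headers:
        name, value, attrs = parse_set_cookie(header)
        domain = attrs.get("domain")
        if domain is None:
            domain = request_host  # no Domain attribute: host-only cookie
        else:
            if domain.lower() in refused:
                continue  # whole Set-Cookie ignored
            if strip_domain_dot:
                domain = domain.lstrip(".")
        key = (name, domain.lower(), attrs.get("path", "/"))  # path "/" assumed as the default here
        if is_expired(attrs, now):
            jar.pop(key, None)  # an already-expired cookie evicts the stored one with the same key
        else:
            jar[key] = {"value": value, "httponly": "httponly" in attrs, "secure": "secure" in attrs}
    return jar


def jsessionid_values(jar):
    """JSESSIONID values a later request to the host would carry, one per stored cookie."""
    return sorted(c["value"] for (name, _, _), c in jar.items() if name == "JSESSIONID")


def scenario_keep_dot():
    """Firefox/Chrome-like: ".localhost" and host-only "localhost" are different keys."""
    return apply_set_cookies(SET_COOKIE_HEADERS, "localhost", RESPONSE_TIME)


def scenario_reject_dot_localhost():
    """Browser that refuses ".localhost" as a Domain attribute (assumed IE9 behaviour)."""
    return apply_set_cookies(SET_COOKIE_HEADERS, "localhost", RESPONSE_TIME, reject_domains=(".localhost",))


def scenario_rfc6265_strict():
    """Leading dot stripped: the HttpOnly cookie and JRun's plain one share a key."""
    return apply_set_cookies(SET_COOKIE_HEADERS, "localhost", RESPONSE_TIME, strip_domain_dot=True)


def scenario_real_domain(strip_domain_dot=False):
    """The hosts-file setup from the reply: www.mydomain.com with domain=.mydomain.com (hypothetical host)."""
    headers = [h.replace("domain=.localhost", "domain=.mydomain.com") for h in SET_COOKIE_HEADERS]
    return apply_set_cookies(headers, "www.mydomain.com", RESPONSE_TIME,
                             strip_domain_dot=strip_domain_dot, reject_domains=(".localhost",))


if __name__ == "__main__":
    for label, jar in [("keep dot", scenario_keep_dot()),
                       ("reject .localhost", scenario_reject_dot_localhost()),
                       ("RFC 6265 strict", scenario_rfc6265_strict()),
                       ("real domain", scenario_real_domain())]:
        print(f"{label:18} -> {jar}")
```

The replay shows why the last header matters: because the CFCOOKIE expiration has no Domain attribute, it only evicts JRun's host-only cookie (header 2), so the HttpOnly cookie from header 1 survives whenever the browser stores `.localhost` as a separate key. If the browser drops header 1, or folds `.localhost` into `localhost`, header 3 empties the jar and the login loop the poster describes follows. With a real registrable domain the `.mydomain.com` cookie and the `www.mydomain.com` host-only cookie have different keys under both readings, so one HttpOnly JSESSIONID survives either way.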