CFCookie Issue with CF 10 Patch

Report · May 14, 2018

Hello all,

I'll admit we're pretty far behind with our CF server version and patching. But we're trying to catch up.

We just recently patched one of our two production servers and noticed an issue with our cookies. Previous to the patch, CF would give a cookie that expires in 2048. After the patch, it gave a cookie that expires at the end of the session.

But when we went live with that server after the patch, anyone who had one of the 2048 cookies had to kill their cookies and get the new cookies. If it were up to me, I would've just patched the second server and had them all update their cookies (a few days of pain, but over and done with). But the corner-office folks decided to pull the patched server out of the cluster and try to figure something else out regarding the cookies. So, now all the users have gotten 2048 cookies again.

So, now I'm trying to figure out how to dynamically delete the 2048 cookies when they hit the site, and give them the new "at the end of the session" cookies. But I'm having issues getting rid of the 2048 cookies.

I've tried several things, and none of them seem to be working. The latest thing I've tried is setting this.setClientCookies = false; in the application start up, and then on the session start in application.cfc trying to delete and reset the cookies. I've also tried doing this directly on the login.cfm page we have for the site.

The only way I'm seeing to delete a cookie is to set it to expire now. But that doesn't actually seem to delete the cookie. It might set the value to blank (""), but the cookie seems to remain.

Is there a technique I'm missing that can easily delete the 2048 client-side cookie, and allow me to have the patched CF server give the "at session end" cookie?

Thanks!!!

Kevin

Report · May 20, 2018

NonprofitCoder wrote:

The latest thing I've tried is setting this.setClientCookies = false; in the application start up, and then on the session start in application.cfc trying to delete and reset the cookies.

You're on the right track. Use the usual application settings for session management in Application.cfc. Then delete the (named) cookie in onSessionStart. For example,

this.name = "myApplicationName";

this.applicationTimeout = "#createTimespan(1,0,0,0)#";

this.sessionManagement = "true";

this.sessionTimeout = "#createTimeSpan(0,0,20,0)#";

this.setClientCookies = "true";

</cfscript>

</cffunction>

</cffunction>

</cfcomponent>

Report · May 21, 2018

Thanks so much for the response ACP! Since my post, I've been tinkering, and any cookie that I create manually and try to manipulate/delete works as expected. I can create and delete the cookies, and the browser appears to show cookies being created and deleted.

But it seems like CFID and CFTOKEN are special cookies that are managed by the CF Server (and these are the cookies that are causing the login issues for my users). Any time I try to manipulate the CFID/CFTOKEN cookies, the "normal" expected actions don't happen.

The other wrinkle is that this site uses Client variables because it's on a cluster, and we needed centralized client variables in case they're shifted to another server in the cluster during their session. So, this makes the session stuff a bit more complicated.

I'll try what you suggested above and let you know what happens...But if anyone knows if there are special techniques for dealing with CFID/CFTOKEN, please let me know.

Thanks again!

Report · May 21, 2018

You could proceed in a similar vein in onSessionStart:

</cfif>

Adobe Community

CFCookie Issue with CF 10 Patch