In our application, we use J2EE session variables for session management. We recently migrated from ColdFusion 9 to ColdFusion 2018. After migration, the logout functionality is not working. What we found is that, in ColdFusion 2018, the cookie JSESSIONID is not getting cleared from the browser because the HttpOnly flag has been set to true in the browser.
We tried to disable this HttpOnly flag in the browser in the following ways,
But this way, the HttpOnly flag still shows as enabled in the browser. Because of this, the client-side script is not able to clear the JSESSIONID cookie, and hence the logout functionality is not working.
Is there any way, in CF2018, to disable the HttpOnly flag in the browser for the JSESSIONID cookie?
Abdul, can you clarify if you are testing things from a browser that has none of the cookies (where all those for your site have been deleted/don't exist), as a starting point? What happens when you do?
That said, since you are talking about the CF JSESSIONID cookies, those by default have no expiration set and should be cleared by simply closing the browser (and ensuring all instances of it are closed).
Finally, this challenge of yours is a situation where using your browser's dev tools would be valuable, to see (and optionally delete) the cookies existing in the browser, as well as to see those being set by CF (being sent down from CF as response headers).
This would also show things like the HttpOnly and other attributes of the cookies sent down or existing in the browser. If you are not familiar with such tools, Google should help you find how to use them in your browser, as all support them.
I'm pretty sure you can't control the behavior of the JSESSIONID cookie in CF. That's issued by Tomcat really, not by CF, and has a bunch of security rules attached to it. You might be able to modify that behavior in Tomcat's configuration, but it wouldn't be recommended for security reasons. I don't see why you'd want to disable HttpOnly anyway.
Dave Watts, Eidolon LLC
I strongly agree with Dave here. The JSESSIONID cookie is intended for CF to manage sessions. You should not be messing with it.
The mechanism you use to determine whether or not a user is logged into your application should be completely independent of the JSESSIONID cookie.
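The replies above make two points: an HttpOnly cookie cannot be deleted by client-side script by design, and logged-in state should not be tied to the existence of the JSESSIONID cookie. The following Application.cfc excerpt is an added example (not code from the thread's participants or from Adobe) showing a server-side logout for a ColdFusion application that uses J2EE session management. It assumes a hypothetical login marker `session.isLoggedIn`, a page name `logout.cfm`, a login page `login.cfm`, and that the application is deployed at the root context path (`/`); adjust these to your own application.

```cfml
<!--- Application.cfc (excerpt): added example, not from the original thread.
      Assumes a hypothetical login flag session.isLoggedIn and the page names
      logout.cfm / login.cfm. J2EE session management itself is switched on in
      the CF Administrator, not in this file. --->
component {
    this.name = "sessionDemoApp";       // hypothetical application name
    this.sessionManagement = true;

    // Gate every request on the application's own login marker. Whether a
    // JSESSIONID cookie exists is irrelevant: an unknown or invalidated ID just
    // yields a fresh, empty session, which has no isLoggedIn flag.
    public boolean function onRequestStart(required string targetPage) {
        if (findNoCase("logout.cfm", arguments.targetPage)) {
            logout();
            return false;               // nothing else to render after logout
        }

        var isPublicPage = findNoCase("login.cfm", arguments.targetPage) > 0;
        if (!isPublicPage && !(structKeyExists(session, "isLoggedIn") && session.isLoggedIn)) {
            location("login.cfm", false);
        }
        return true;
    }

    // Server-side logout. No JavaScript cookie deletion is needed or possible,
    // since the HttpOnly flag hides JSESSIONID from document.cookie.
    private void function logout() {
        // 1. Invalidate the underlying Tomcat HttpSession. From now on the
        //    JSESSIONID value the browser still holds maps to nothing on the
        //    server, which is the actual security control here.
        getPageContext().getSession().invalidate();

        // 2. Best-effort cleanup of the stale cookie via a Set-Cookie header.
        //    Expiry sent by the server works regardless of HttpOnly; the flag
        //    only blocks script access in the browser. Path must match the
        //    path Tomcat used when it issued the cookie (assumed "/" here).
        cfcookie(name="JSESSIONID", value="", expires="now",
                 path="/", httponly=true, secure=true);

        // 3. Do not touch the session scope after invalidate(): doing so can
        //    make the container start a new session and send a fresh JSESSIONID
        //    in the same response. Redirect to a page that needs no session.
        location("login.cfm", false);
    }
}
```

With this in place the client never needs to clear JSESSIONID: after `invalidate()` the old ID is dead on the server, and the next request that needs a session gets a new one. Verify the behaviour in the browser's dev tools as suggested above, by checking that the response to `logout.cfm` carries the expiring Set-Cookie header and that a subsequent request with the old cookie value is redirected to the login page.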