IE Dropping Cookies

Engaged ,
Apr 08, 2015 Apr 08, 2015

Copy link to clipboard

Copied

So, we've just moved CF11 to our production servers.  Among the many weird issues we've encountered is IE refusing to keep cookies set using CFCOOKIE.

Keep in mind this is only a problem in IE.  Seems to be all versions: 6-11.

For instance, a user loads Page A where this code resides:

<cfcookie name="myCookie"  value="#myVar#" expires="NEVER">

At the end of the page I dump out:

<cfdump var="#isDefined(cookie.myCookie)#">

Result: YES

I then click a link and load a Page B (same domain) and dump out:

<cfdump var="#isDefined(cookie.myCookie)#">

Result: NO

Why is IE dropping this cookie?  All other browsers keep it.

Exception: if I add my site to IE's Trusted Site list then it will keep the cookie.  WTF?

Also, the particular CFCookie code we're using has been in place and working for YEARS.  Since CF7 at least. 

It has also been working on our testing server running CF11 for months.  It only stopped working when moved to our production servers.

The testing server and production servers are nearly identical: Win2008, IIS7, CF11.  The ONE glaring difference is the testing server was installed with an early version of CF11 and is still running Java7.  The production CF11 installed with Java 8.  We have several issues on the production machine we suspect to be a result of using Java 8 as we've never seen them on the Java 7 test server.

Anyone have any idea if the new version of Java would change how CFCookie operates?  Other ideas?

Views

882

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Apr 12, 2018 Apr 12, 2018

Copy link to clipboard

Copied

I'm getting this same error myself in IE11. Same scenario with a CFOOKIE that writes successfully. Do a CFDUMP at the bottom of the same page, I see the cookie.

Then, on the same domain, on a different cfm page do a CFUMP of all cookies and my cookie isn't present.

I'm really frustrated with this. Tried a server-side work-around with CFCOOKIE since IE11 isn't writing .js cookies. And now I can't even read a cookie with IE,

Help anyone?

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Community Professional ,
Apr 12, 2018 Apr 12, 2018

Copy link to clipboard

Copied

I would strongly recommend using the dev tools available in IE or Chrome to see exactly what response headers are being written, including that of the cookie. Nothing in CFCOOKIE has changed, but how browsers handle cookies has changed quite a bit.

Dave Watts, Fig Leaf Software

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Apr 12, 2018 Apr 12, 2018

Copy link to clipboard

Copied

I pasted this from the Dev tools response header and pasted the CFTOKEN above my cookie. The only noticeable difference is that mine is not HTTP only. Other than that, nothing looks out of the ordinary, but let me know if I should look at something else...

Key Value:

Set-Cookie CFTOKEN=d4061cb9ac8bb409-543EA86E-DEF6-F1D1-1648F6EAC3D6E33D; Expires=Sat, 04-Apr-2048 20:51:03 GMT; Path=/; HttpOnly

Key Value:

Set-Cookie ZAXTERMS=yes; Expires=Sat, 04-Apr-2048 20:51:03 GMT; Path=/

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Community Professional ,
Apr 12, 2018 Apr 12, 2018

Copy link to clipboard

Copied

If you're having a problem getting IE to accept ZAXTERMS when it is successfully accepting CFTOKEN, maybe IE is only accepting HttpOnly cookies from untrusted sites?

Dave Watts, Fig Leaf Software

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Apr 12, 2018 Apr 12, 2018

Copy link to clipboard

Copied

Hmmm, so does this mean I can't set my own cookies with IE? I'm not an IE person, so are the users going to have to set up my site as a Trusted site in order to process the site's cookie? I do have a javascript process to read the cookie for existence. I'm not sure what to do here. Any help appreciated!

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Community Professional ,
Apr 12, 2018 Apr 12, 2018

Copy link to clipboard

Copied

It means you'll have to use the http attribute with CFCOOKIE, like this:

<cfcookie name="zaxterms" value="yes" httponly="true">

ColdFusion Help | cfcookie

Dave Watts, Fig Leaf Software

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Community Professional ,
Apr 12, 2018 Apr 12, 2018

Copy link to clipboard

Copied

Oh, and you'll probably have to get rid of the JS that reads the cookie, probably.

Dave Watts, Fig Leaf Software

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Apr 13, 2018 Apr 13, 2018

Copy link to clipboard

Copied

Thank you, Dave. It looks like I'm going to abandon a Terms of Use popup check that uses javascript and the cookie to determine access to certain pages. Will have to do it server-side. All because of IE. Ugh.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Apr 13, 2018 Apr 13, 2018

Copy link to clipboard

Copied

And... the httponly cookie isn't being recognized either in IE. It's being written as httponly:

Key Value

Set-Cookie ZAXTERMS=yes; Expires=Sun, 05-Apr-2048 15:05:43 GMT; Path=/; HttpOnly

Then I load the 2nd page that dumps the cookie. Only CFID and CFTOKEN are set.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Community Professional ,
Apr 13, 2018 Apr 13, 2018

Copy link to clipboard

Copied

Do you have a sample URL available to the public?

Dave Watts, Fig Leaf Software

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Apr 13, 2018 Apr 13, 2018

Copy link to clipboard

Copied

Unfortunately I only have a locked-down staging site. Is there something else I can check and post here?

EDIT: I'm also finding out that IE is not saving SESSION variables which affect saving a user's login session id. So if someone logs in with IE it bounces them back to login because of an unrecognized session variable.

I'm also trying this on two different machines. A Windows laptop and a VM with IE on a Mac and both are giving me the same issue. I set the IE security settings as low as I can get them.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Apr 14, 2018 Apr 14, 2018

Copy link to clipboard

Copied

LATEST

The issue was that Microsoft does not allow cookies to be written when the URL has an underscore in it. Yep.

I confirmed this by changing our staging URL to use a '-' instead of '_' and cookies are now be written and read successfully in IE.

An article about this issue: https://ma.ttias.be/internet-explorer-wont-allow-cookies-subdomains-underscores/

Thanks for your help on this, Dave Watts​!

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Engaged ,
Apr 12, 2018 Apr 12, 2018

Copy link to clipboard

Copied

We simply stopped supporting IE.  Right or wrong, it's what we did.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines