THIS.setDomainCookies bug in CF11?

New Here ,
Aug 08, 2014

Hello,

It appears as though THIS.setDomainCookies functionality has been reversed from CF10 to CF11...

I migrated recently from CF10 -> CF11. I have an app that runs at xyz.thisdomain.com

My app has the following settings for THIS in Application.cfc:

<cfset THIS.name = "xyzapp">

<cfset THIS.applicationtimeout = createtimespan(1,0,0,0)>

<cfset THIS.sessionManagement = true>

<cfset THIS.Sessiontimeout = createtimespan(0,1,0,0)>

<cfset THIS.setDomainCookies = true>

When a user logs out (manually), the system performs the following to clear the previous session and create a new session:

<cfset StructClear(Session)>

<cfset THIS.sessionManagement = true>

<cfset THIS.Sessiontimeout = createtimespan(0,0,0,0)>

               

<cfloop collection="#COOKIE#" item="name">

     <cfcookie name="#name#" value="" expires="now"/>

</cfloop>           

<cflocation addtoken="no" url="http://xyz.thisdomain.com">

In CF11, once the manual log out happens, the user's cookies persist still, and are for ".thisdomain.com". CF doesn't expire the cookies and create new ones, but has cleared the SESSION struct as instructed. This causes huge bugs in my system.

However, if I set THIS.setDomainCookies = false, then the cookies are correctly for "xyz.thisdomain.com", and are properly removed from the browser when the logout action happens. Everything works as expected.

This seems to be reverse setDomainCookies behaviour when comparing CF10 and CF11... Bug? OR am I missing something here... Worth mentioning that I installed CF11 as "Production + Secure Profile".

Thanks,

Dan
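
An added example, not part of the original post and not ColdFusion code: a minimal JavaScript model of the RFC 6265 storage rule, under which a browser replaces or expires a stored cookie only when name, domain and path all match, applied to the cookie domains described above. The `Set-Cookie` strings are constructed, assumed forms rather than captured ColdFusion output, and `logoutDemo` is a hypothetical helper name.

```javascript
// Simplified model of the RFC 6265 section 5.3 storage rule: a stored cookie
// is identified by (name, domain, path), and a Set-Cookie replaces or expires
// only the stored cookie with the same triple.
function parseSetCookie(header, requestHost) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq), value: pair.slice(eq + 1),
    domain: requestHost.toLowerCase(), hostOnly: true, path: "/", expired: false,
  };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i < 0 ? "" : attr.slice(i + 1);
    if (key === "domain" && val) {
      cookie.domain = val.replace(/^\./, "").toLowerCase(); // leading dot is ignored
      cookie.hostOnly = false;
    } else if (key === "path" && val.startsWith("/")) cookie.path = val;
    else if (key === "max-age") cookie.expired = Number(val) <= 0;
    else if (key === "expires") cookie.expired = Date.parse(val) <= Date.now();
  }
  return cookie;
}

function applySetCookie(jar, header, requestHost) {
  const c = parseSetCookie(header, requestHost);
  const host = requestHost.toLowerCase();
  // A Domain attribute the request host does not fall under is rejected.
  if (!c.hostOnly && host !== c.domain && !host.endsWith("." + c.domain)) return jar;
  const key = `${c.name}|${c.domain}|${c.path}`;
  if (c.expired) jar.delete(key); else jar.set(key, c);
  return jar;
}

// Constructed headers (assumed forms, not captured ColdFusion output).
function logoutDemo() {
  const host = "xyz.thisdomain.com", past = "Thu, 01 Jan 1970 00:00:00 GMT";
  const jar = new Map();
  for (const n of ["CFID", "CFTOKEN"])
    applySetCookie(jar, `${n}=constructed; Domain=.thisdomain.com; Path=/`, host);
  // Expiry without Domain targets the host-only triple and matches nothing.
  for (const n of ["CFID", "CFTOKEN"])
    applySetCookie(jar, `${n}=; Expires=${past}; Path=/`, host);
  const afterHostOnlyExpiry = [...jar.keys()];
  // Expiry that repeats the Domain matches the stored triple and removes it.
  for (const n of ["CFID", "CFTOKEN"])
    applySetCookie(jar, `${n}=; Domain=.thisdomain.com; Expires=${past}; Path=/`, host);
  return { afterHostOnlyExpiry, afterDomainExpiry: [...jar.keys()] };
}
```

In this model both session cookies survive the expiry that omits `Domain` and are removed only by the expiry that repeats it, so a logout check should confirm that the browser no longer sends the old identifiers.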

New Here ,
Aug 08, 2014

I also just noticed that in CF11 when setDomainCookies = true (as described above), the CFID value is a really long string like this: Z878pt2v0jgtx8yvvdf8rr3ifl19dswl61juevwo42y6ibcn65-1168 instead of the normal short, numeric value. Also, this CFID closely matches the value for the CFTOKEN cookie: Z878pt2v0jgtx8yvvdf8rr3ifl19dswl61juevwo42y6ibcn65-59bcdaab076aa06-2997ED3A-C291-54C7-53D0BF27179FEDC9. Looks like there's just a long (and same) prefix in both cookies... never seen this before.

When I set setDomainCookies = false, the CFID cookie goes back to the normal short numeric value (no prefix).

Thought it might be worth mentioning...

Dan

New Here ,
Aug 11, 2014

Hi,

Not sure if it's related but I'm experiencing some weirdness with cflogin and loginStorage="session" also.

In some cases I need to log in twice for the login to "stick" (on the first login I only get to see one page; all following requests get me back to the login form).

It seems to be linked to login/session timeouts but I can't figure out why...

Community Beginner ,
Feb 09, 2015

Hi Silmaril

I am experiencing exactly the same problem, but extremely intermittently.

Have you been able to resolve this "Double Login" problem? Or perhaps a workaround?

silmaril
New Here ,
Mar 04, 2015

Hi,

Well no, all I was able to do is switch to loginStorage="Cookie", and use a large session timeout to work around the pain...

Here is the related thread

CF11 : cflogin doesn't "stuck" after session/login timeout
