So, we've just moved CF11 to our production servers. Among the many weird issues we've encountered is IE refusing to keep cookies set using CFCOOKIE.
Keep in mind this is only a problem in IE. Seems to be all versions: 6-11.
For instance, a user loads Page A where this code resides:
<cfcookie name="myCookie" value="#myVar#" expires="NEVER">
At the end of the page I dump out:
<cfdump var="#isDefined('cookie.myCookie')#">
Result: YES
I then click a link and load a Page B (same domain) and dump out:
<cfdump var="#isDefined('cookie.myCookie')#">
Result: NO
Why is IE dropping this cookie? All other browsers keep it.
Exception: if I add my site to IE's Trusted Site list then it will keep the cookie. WTF?
Also, the particular CFCookie code we're using has been in place and working for YEARS. Since CF7 at least.
It has also been working on our testing server running CF11 for months. It only stopped working when moved to our production servers.
The testing server and production servers are nearly identical: Win2008, IIS7, CF11. The ONE glaring difference is the testing server was installed with an early version of CF11 and is still running Java7. The production CF11 installed with Java 8. We have several issues on the production machine we suspect to be a result of using Java 8 as we've never seen them on the Java 7 test server.
Anyone have any idea if the new version of Java would change how CFCookie operates? Other ideas?
I'm getting this same error myself in IE11. Same scenario with a CFCOOKIE that writes successfully. Do a CFDUMP at the bottom of the same page, I see the cookie.
Then, on the same domain, on a different cfm page do a CFDUMP of all cookies and my cookie isn't present.
I'm really frustrated with this. Tried a server-side work-around with CFCOOKIE since IE11 isn't writing .js cookies. And now I can't even read a cookie with IE.
Help anyone?
I would strongly recommend using the dev tools available in IE or Chrome to see exactly what response headers are being written, including that of the cookie. Nothing in CFCOOKIE has changed, but how browsers handle cookies has changed quite a bit.
Dave Watts, Fig Leaf Software
I pasted this from the Dev tools response header and pasted the CFTOKEN above my cookie. The only noticeable difference is that mine is not HTTP only. Other than that, nothing looks out of the ordinary, but let me know if I should look at something else...
Key Value:
Set-Cookie CFTOKEN=d4061cb9ac8bb409-543EA86E-DEF6-F1D1-1648F6EAC3D6E33D; Expires=Sat, 04-Apr-2048 20:51:03 GMT; Path=/; HttpOnly
Key Value:
Set-Cookie ZAXTERMS=yes; Expires=Sat, 04-Apr-2048 20:51:03 GMT; Path=/
If you're having a problem getting IE to accept ZAXTERMS when it is successfully accepting CFTOKEN, maybe IE is only accepting HttpOnly cookies from untrusted sites?
Dave Watts, Fig Leaf Software
Hmmm, so does this mean I can't set my own cookies with IE? I'm not an IE person, so are the users going to have to set up my site as a Trusted site in order to process the site's cookie? I do have a javascript process to read the cookie for existence. I'm not sure what to do here. Any help appreciated!
It means you'll have to use the http attribute with CFCOOKIE, like this:
<cfcookie name="zaxterms" value="yes" httponly="true">
Dave Watts, Fig Leaf Software
Oh, and you'll probably have to get rid of the JS that reads the cookie, probably.
Dave Watts, Fig Leaf Software
Thank you, Dave. It looks like I'm going to abandon a Terms of Use popup check that uses javascript and the cookie to determine access to certain pages. Will have to do it server-side. All because of IE. Ugh.
And... the httponly cookie isn't being recognized either in IE. It's being written as httponly:
Key Value
Set-Cookie ZAXTERMS=yes; Expires=Sun, 05-Apr-2048 15:05:43 GMT; Path=/; HttpOnly
Then I load the 2nd page that dumps the cookie. Only CFID and CFTOKEN are set.
Do you have a sample URL available to the public?
Dave Watts, Fig Leaf Software
Unfortunately I only have a locked-down staging site. Is there something else I can check and post here?
EDIT: I'm also finding out that IE is not saving SESSION variables which affect saving a user's login session id. So if someone logs in with IE it bounces them back to login because of an unrecognized session variable.
I'm also trying this on two different machines. A Windows laptop and a VM with IE on a Mac and both are giving me the same issue. I set the IE security settings as low as I can get them.
The issue was that Microsoft does not allow cookies to be written when the URL has an underscore in it. Yep.
I confirmed this by changing our staging URL to use a '-' instead of '_' and cookies are now being written and read successfully in IE.
An article about this issue: https://ma.ttias.be/internet-explorer-wont-allow-cookies-subdomains-underscores/
Thanks for your help on this, Dave Watts!
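An added example, not part of the thread or any poster's code: a small Node.js check that applies the two diagnostics discussed above, reading the attributes of each Set-Cookie header and testing the host name for labels (such as one containing an underscore) that are not valid DNS host-name labels. The URLs and the token value are constructed, and the function names are hypothetical.

```javascript
// Added example. Sample URLs and header values are constructed.
// A host-name label: letters, digits, hyphen; no leading or trailing hyphen.
const LDH_LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i;

// Labels of the URL's host that are not valid host-name labels (e.g. "my_app").
function invalidHostLabels(url) {
  const host = new URL(url).hostname.replace(/\.$/, '');
  if (host.startsWith('[')) return []; // IPv6 literal, no DNS labels
  return host.split('.').filter((label) => !LDH_LABEL.test(label));
}

// Split one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? '' : pair.slice(0, eq);
  const cookie = { name, value: pair.slice(eq + 1), attributes: {} };
  for (const attr of attrs.filter(Boolean)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Report host-name problems and per-cookie flags for one response.
function auditResponse(url, setCookieHeaders) {
  return {
    host: new URL(url).hostname,
    invalidLabels: invalidHostLabels(url),
    cookies: setCookieHeaders.map(parseSetCookie).map((c) => ({
      name: c.name,
      httpOnly: c.attributes.httponly === true,
      secure: c.attributes.secure === true,
      expires: c.attributes.expires || null,
    })),
  };
}

const sampleHeaders = [
  'CFTOKEN=constructed-token; Expires=Sat, 04-Apr-2048 20:51:03 GMT; Path=/; HttpOnly',
  'ZAXTERMS=yes; Expires=Sat, 04-Apr-2048 20:51:03 GMT; Path=/',
];
const sampleUrl = 'http://staging_site.example.com/pageA.cfm';
console.log(JSON.stringify(auditResponse(sampleUrl, sampleHeaders), null, 2));
console.log(invalidHostLabels('http://staging-site.example.com/pageA.cfm'));
```

A non-empty `invalidLabels` list points at the host name, not at CFCOOKIE or the cookie's attributes, as the thing to fix first.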
We simply stopped supporting IE. Right or wrong, it's what we did.