We are upgrading to IIS7/CF10 from IIS6/CF7. We run several subdomains and CFID/CFTOKEN cookies issued by the domain are taking precedence over the subdomain cookies we're issuing. The result is that users are getting a new session on every request. I can clear the domain cookies and everything works fine. Ironically, the main domain is no longer using CFID/CFTOKEN and has switched to using JSESSIONID. That's great because we would no longer have a conflict with them, but the users can't seem to clear their domain cookies because of security settings on their internal network workstations.
Is there some way to force CF to request only the subdomain cookies and ignore the domain cookies, or is this an IIS7 issue?
I am running into the same issue. Any chance you found a solution?
Sorry, I haven't found any way to fix the issue. Another tech wrote a vbscript that the users can run to clear their cookies (clearHistory.vbs):
' Ask for confirmation before clearing browser data.
Dim result, answer
Set WshShell = WScript.CreateObject("WScript.Shell")
Set objExplorer = CreateObject("InternetExplorer.Application")
answer = MsgBox("Selecting YES to delete your cookies or NO to cancel.", vbYesNo, "Delete Cookies")
If answer = vbYes Then
    ' 255 tells ClearMyTracksByProcess to clear all Internet Explorer browsing data, not only cookies.
    result = WshShell.Run("C:\Windows\System32\rundll32.exe InetCpl.cpl,ClearMyTracksByProcess 255", 1, True)
    WScript.Echo "Your history has been deleted"
End If
I tried writing code that would expire/delete the domain cookies, but the browser is just ignoring me so I don't know what else I can do.
Thanks a lot for the reply.
You are setting the specific domain in the cfcookie attribute, right?
No, the CFID/CFTOKEN subdomain cookies get issued to the user for each application without having to specify the domain. These are my settings in each application.cfc:
this.name = "MYAPP";
this.applicationTimeout = createTimeSpan(0,0,15,0);
this.clientmanagement = "yes";
this.loginstorage = "session";
this.sessionmanagement = "yes";
this.sessiontimeout = createTimeSpan(0,0,15,0);
this.setClientCookies = "yes";
this.setDomainCookies = "no";
this.scriptProtect = "all";
this.sessioncookie.timeout = "-1";
Of course. Sorry, I was mixing up issues.
Wondering if the original poster ever discovered a fix for this. I think I'm facing the same issue.
Assume that there is a login page; then you can place the code mentioned below in that page.
<!--- .mydomain.com cookie is interfering with the subdomain.mydomain.com cookie. So let's clear the mydomain cookie before attempting to login --->
<cfif session.userID IS 0> <!--- if not logged in yet --->
    <cfif isDefined("Cookie")>
        <cfset idCount = tokenCount = 0>
        <cfloop collection="#cookie#" item="v">
            <cfif v IS "CFID">
                <cfset idCount += 1>
            <cfelseif v IS "CFTOKEN">
                <cfset tokenCount += 1>
            </cfif>
        </cfloop>
        <cfif idCount NEQ tokenCount OR idCount GT 1>
            <cfloop collection="#cookie#" item="v">
                <cfset structDelete(cookie,v)>
            </cfloop>
            <cfif isDefined("session.cfid")>
                <cfcookie name="cfid" value="#session.cfid#" domain=".mydomain.com" expires="now">
                <cfcookie name="cfid" value="#session.cfid#">
            </cfif>
            <cfif isDefined("session.cftoken")>
                <cfcookie name="cftoken" value="#session.cftoken#" domain=".mydomain.com" expires="now">
                <cfcookie name="cftoken" value="#session.cftoken#">
            </cfif>
        <cfelse>
            <cfif isDefined("cookie.cfid") AND isDefined("session.cfid") AND cookie.cfid IS NOT session.cfid>
                <cfcookie name="cfid" value="#session.cfid#" domain=".mydomain.com" expires="now">
                <cfcookie name="cfid" value="#session.cfid#">
            </cfif>
            <cfif isDefined("cookie.cftoken") AND isDefined("session.cftoken") AND cookie.cftoken IS NOT session.cftoken>
                <cfcookie name="cftoken" value="#session.cftoken#" domain=".mydomain.com" expires="now">
                <cfcookie name="cftoken" value="#session.cftoken#">
            </cfif>
        </cfif>
    </cfif>
</cfif>
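Added example, not part of any post in this thread: a way to confirm on the server that a browser is sending both the domain and the subdomain copies of CFID/CFTOKEN. It reads the raw Cookie request header, because a struct holds only one value per key, and it logs counts only, never the token values. The log file name `cookieConflict` is an assumption made for this example.

```cfml
<!--- Added example: count CFID/CFTOKEN occurrences in the raw Cookie header. --->
<cfset reqHeaders = getHTTPRequestData().headers>
<cfset rawCookie = "">
<cfif structKeyExists(reqHeaders, "cookie")>
    <cfset rawCookie = reqHeaders["cookie"]>
</cfif>

<!--- One pipe-delimited list of values per watched cookie name. --->
<cfset seen = {cfid = "", cftoken = ""}>
<cfloop list="#rawCookie#" delimiters=";" index="pair">
    <cfset cookieName = lCase(trim(listFirst(pair, "=")))>
    <cfif structKeyExists(seen, cookieName) AND listLen(pair, "=") GT 1>
        <cfset seen[cookieName] = listAppend(seen[cookieName], trim(listRest(pair, "=")), "|")>
    </cfif>
</cfloop>

<cfset cfidCount = listLen(seen.cfid, "|")>
<cfset cftokenCount = listLen(seen.cftoken, "|")>

<cfif cfidCount GT 1 OR cftokenCount GT 1>
    <!--- Record whether this session's own CFID was among the values sent.
          Session identifiers themselves are kept out of the log. --->
    <cfset ownIdSent = isDefined("session.cfid") AND listFind(seen.cfid, session.cfid, "|") GT 0>
    <!--- "cookieConflict" is a hypothetical log file name. --->
    <cflog file="cookieConflict" type="warning"
           text="Duplicate session cookies on #cgi.server_name##cgi.script_name#: CFID x#cfidCount#, CFTOKEN x#cftokenCount#, own CFID present=#ownIdSent#">
</cfif>
```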
No, I never found an answer to my problem. The organization is so large we've never figured out who is issuing the domain cookies from their site. The only solution was to ask users who were having issues with it to clear their cookies. Of course group policy was set not to delete domain cookies, so we have to have them run this vbscript:
' Ask for confirmation before clearing browser data.
Dim result, answer
Set WshShell = WScript.CreateObject("WScript.Shell")
Set objExplorer = CreateObject("InternetExplorer.Application")
answer = MsgBox("Selecting YES to delete your cookies or NO to cancel.", vbYesNo, "Delete Cookies")
If answer = vbYes Then
    ' 255 tells ClearMyTracksByProcess to clear all Internet Explorer browsing data, not only cookies.
    result = WshShell.Run("C:\Windows\System32\rundll32.exe InetCpl.cpl,ClearMyTracksByProcess 255", 1, True)
    WScript.Echo "Your history has been deleted"
End If
We just link it in a zip file on the login page. Some users don't have permission to run it so they have to contact support to have someone run it for them. It's been a huge pain, but I haven't figured out how else to deal with the issue.
I will test your suggestion. I'm 99% sure I tried something like this to get rid of any domain cookies, but nothing I did on my end would get rid of them. It's been a while so I'll try it again.