8 Replies Latest reply on Apr 11, 2014 6:29 AM by RobEastland

    Session domain cookies interfering with subdomain cookies

    RobEastland

      We are upgrading to IIS7/CF10 from IIS6/CF7. We run several subdomains and CFID/CFTOKEN cookies issued by the domain are taking precedence over the subdomain cookies we're issuing. The result is that users are getting a new session on every request. I can clear the domain cookies and everything works fine. Ironically, the main domain is no longer using CFID/CFTOKEN and has switched to using JSESSIONID. That's great because we would no longer have a conflict with them, but the users can't seem to clear their domain cookies because of security settings on their internal network workstations.

       

      Is there some way to force CF to request only the subdomain cookies and ignore the domain cookies, or is this an IIS7 issue?

        • 1. Re: Session domain cookies interfering with subdomain cookies
          eyemkent

          I am running into the same issue. Any chance you found a solution?

          • 2. Re: Session domain cookies interfering with subdomain cookies
            ursarob

            Sorry, I haven't found any way to fix the issue. Another tech wrote a vbscript that the users can run to clear their cookies (clearHistory.vbs):

             

            dim result,answer
            Set WshShell = WScript.CreateObject("WSCript.shell")
            Set objExplorer = CreateObject("InternetExplorer.Application")

            answer = MsgBox("Selecting YES to delete your cookies or NO to cancel.",vbYesNo,"Delete Cookies")
            If answer = vbYes Then
                ' 255 clears all Internet Explorer browsing data (history, cookies, temporary files, form data, saved passwords), not only cookies
                result = WshShell.run ("C:\Windows\System32\rundll32.exe InetCpl.cpl,ClearMyTracksByProcess 255",1,TRUE)
                WScript.echo "Your history has been deleted"
            End If

             

            I tried writing code that would expire/delete the domain cookies, but the browser is just ignoring me so I don't know what else I can do.

            • 3. Re: Session domain cookies interfering with subdomain cookies
              eyemkent Level 1

              Thanks a lot for the reply.

               

              You are setting the specific domain in the cfcookie attribute, right?

              • 4. Re: Session domain cookies interfering with subdomain cookies
                ursarob Level 1

                No, the CFID/CFTOKEN subdomain cookies get issued to the user for each application without having to specify the domain. These are my settings in each application.cfc:

                this.name = "MYAPP";
                this.applicationTimeout = createTimeSpan(0,0,15,0);
                this.clientmanagement = "yes";
                this.loginstorage = "session";
                this.sessionmanagement = "yes";
                this.sessiontimeout = createTimeSpan(0,0,15,0);
                this.setClientCookies = "yes";
                this.setDomainCookies = "no";
                this.scriptProtect = "all";
                this.sessioncookie.timeout = "-1";

                • 5. Re: Session domain cookies interfering with subdomain cookies
                  eyemkent Level 1

                  Of course. Sorry, I was mixing up issues.

                  • 6. Re: Session domain cookies interfering with subdomain cookies
                    Adobe Forums User Level 1

                    Wondering if the original poster ever discovered a fix for this. I think I'm facing the same issue.

                    • 7. Re: Session domain cookies interfering with subdomain cookies
                      vishu#13 Level 3

                      Assume that there is a login page; then you can place the code mentioned below in that page.

                       

                      <!--- .mydomain.com cookie is interfering with the subdomain.mydomain.com cookie. So let's clear the mydomain cookie before attempting to login --->

                       

                       

                      <cfif session.userID IS 0> <!--- if not logged in yet --->
                          <cfif isDefined("Cookie")>
                              <cfset idCount = tokenCount = 0>
                              <cfloop collection="#cookie#" item="v">
                                  <cfif v IS "CFID">
                                      <cfset idCount += 1>
                                  <cfelseif v IS "CFTOKEN">
                                      <cfset tokenCount += 1>
                                  </cfif>
                              </cfloop>
                              <cfif idCount NEQ tokenCount OR idCount GT 1>
                                  <cfloop collection="#cookie#" item="v">
                                      <cfset structDelete(cookie,v)>
                                  </cfloop>
                                  <cfif isDefined("session.cfid")>
                                      <cfcookie name="cfid" value="#session.cfid#" domain=".mydomain.com" expires="now">
                                      <cfcookie name="cfid" value="#session.cfid#">
                                  </cfif>
                                  <cfif isDefined("session.cftoken")>
                                      <cfcookie name="cftoken" value="#session.cftoken#" domain=".mydomain.com" expires="now">
                                      <cfcookie name="cftoken" value="#session.cftoken#">
                                  </cfif>
                              <cfelse>
                                  <cfif isDefined("cookie.cfid") AND isDefined("session.cfid") AND cookie.cfid IS NOT session.cfid>
                                      <cfcookie name="cfid" value="#session.cfid#" domain=".mydomain.com" expires="now">
                                      <cfcookie name="cfid" value="#session.cfid#">
                                  </cfif>
                                  <cfif isDefined("cookie.cftoken") AND isDefined("session.cftoken") AND cookie.cftoken IS NOT session.cftoken>
                                      <cfcookie name="cftoken" value="#session.cftoken#" domain=".mydomain.com" expires="now">
                                      <cfcookie name="cftoken" value="#session.cftoken#">
                                  </cfif>
                              </cfif>
                          </cfif>
                      </cfif>
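
An added example (not part of the original thread, and in Python rather than CFML so it runs stand-alone): when a domain-wide and a host-only cookie share a name, the browser sends both in one Cookie header, and RFC 6265 section 5.4 lists the older cookie first when the paths are equal, so the check below reads the raw header instead of a name-keyed cookie collection. The function names, the sample header and the `/` path are assumptions made for the illustration.

```python
from collections import Counter

SESSION_NAMES = ("CFID", "CFTOKEN")  # cookie names from the thread


def shadowed_names(cookie_header, names=SESSION_NAMES):
    """Session cookie names sent more than once, spelled as first sent."""
    first_spelling, count = {}, Counter()
    for pair in cookie_header.split(";"):
        raw = pair.split("=", 1)[0].strip()
        if raw.upper() in names:
            count[raw.upper()] += 1
            first_spelling.setdefault(raw.upper(), raw)
    return [first_spelling[k] for k in names if count[k] > 1]


def first_value(cookie_header, name):
    """Value that a parser keeping the first match would use for `name`."""
    for pair in cookie_header.split(";"):
        key, _, value = pair.strip().partition("=")
        if key.upper() == name.upper():
            return value
    return None


def parent_domains(host):
    """Parent domains of `host` that could own the shadowing cookie."""
    labels = host.lower().split(".")
    # Skip the bare last label; browsers refuse cookies scoped to it.
    return [".".join(labels[i:]) for i in range(1, len(labels) - 1)]


def expiry_headers(host, names, path="/"):
    """Set-Cookie values expiring `names` on each parent domain of `host`.
    A browser replaces a cookie only when name, Domain and Path all match,
    so `path` (assumed "/") must equal the stale cookie's path.
    """
    expired = "Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT"
    return [f"{n}=; Domain={d}; Path={path}; {expired}"
            for d in parent_domains(host) for n in names]


# Constructed sample: the older domain-wide pair precedes the host-only pair.
SAMPLE = "CFID=1001; CFTOKEN=aaaa1111; JSESSIONID=xyz; CFID=2002; CFTOKEN=bbbb2222"

if __name__ == "__main__":
    dupes = shadowed_names(SAMPLE)
    print("shadowed:", dupes, "| first CFID:", first_value(SAMPLE, "CFID"))
    print("\n".join("Set-Cookie: " + h for h in expiry_headers("subdomain.mydomain.com", dupes)))
```

Each returned value is meant to go out as its own Set-Cookie response header.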

                      • 8. Re: Session domain cookies interfering with subdomain cookies
                        RobEastland Level 1

                        No, I never found an answer to my problem. The organization is so large we've never figured out who is issuing the domain cookies from their site. The only solution was to ask users who were having issues with it to clear their cookies. Of course group policy was set not to delete domain cookies, so we have to have them run this vbscript:

                         

                        dim result,answer
                        Set WshShell = WScript.CreateObject("WSCript.shell")
                        Set objExplorer = CreateObject("InternetExplorer.Application")

                        answer = MsgBox("Selecting YES to delete your cookies or NO to cancel.",vbYesNo,"Delete Cookies")
                        If answer = vbYes Then
                            ' 255 clears all Internet Explorer browsing data (history, cookies, temporary files, form data, saved passwords), not only cookies
                            result = WshShell.run ("C:\Windows\System32\rundll32.exe InetCpl.cpl,ClearMyTracksByProcess 255",1,TRUE)
                            WScript.echo "Your history has been deleted"
                        End If

                         

                        We just link it in a zip file on the login page. Some users don't have permission to run it so they have to contact support to have someone run it for them. It's been a huge pain, but I haven't figured out how else to deal with the issue.

                         

                        I will test your suggestion. I'm 99% sure I tried something like this to get rid of any domain cookies, but nothing I did on my end would get rid of them. It's been a while so I'll try it again.