0 Replies Latest reply on May 17, 2013 10:40 AM by TParker

    BUG: ColdFusion does not handle conflicting cookies correctly

    TParker

      (I have reported this as a bug - I'm posting it here to hopefully save people from having to go through the same process)

       

      If I've got a CF instance on test1.k9.edu, and my cookie jar has CFID/CFToken cookies for both 'test1.k9.edu' and '.k9.edu', CF behaves badly in two ways:

       

      1) A CFDump of COOKIE shows two entries for each of the CFID and CFToken cookies

      2) The values are identical, and match the first one set - NOT the most specific - 'test1.k9.edu' should always take precedence, but the CF behavior is that it only takes precedence if the browser got it before the '.k9.edu' value (browser in this case is Firefox 20.0.1)

       

      The net result is... that if I browse to foo.k9.edu and it sets CFID/CFToken cookies at the domain level... and then go to 'test1.k9.edu' which does not set domain cookies... I will not be able to maintain a session (assuming that 'test1' has the latest security fixes) at test1.k9.edu until I scrub my cookies - each request will take the '.k9.edu' values, reject them because they didn't originate locally... and issue new cookies (which will be ignored by the next request... and so on)

       

      This problem is not limited to CFID/CFToken cookies, although this is where the problem is most urgent, as it could be exploited to create a domain-wide denial of service (by effectively blocking session use for all CF instances in the domain)

       

      The test case is very simple  (change the domain in this example as appropriate for your installation)

       

      [for this example, all requests go to test1.k9.edu - adjust to match your domain]

       

      first request - run this:

      <cfcookie name="test1a" value="domain(domain cookie sent first first)" domain=".k9.edu">

      <cfcookie name="test1b" value="no-domain(non-domain cookie sent first)">

       

       

      second request - run this:

      <cfcookie name="test1a" value="no-domain(domain cookie sent first first)">

      <cfcookie name="test1b" value="domain(non-domain cookie sent first)" domain=".k9.edu">

       

      third request - run this:

      <cfdump var="#cookie#">

       

      ===============

      My tests were all done with Firefox 20.0.1 with ColdFusion 10 (stand-alone), updater 10 applied. My web server is Apache 2.2. The same problem is seen with CF9.0.2.

       

      The same tests run with Railo 3.3.4 (Tomcat 7) produced correct results (value seen in CFDump results is reliably from the most-specific cookie)
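
Added example, not part of TParker's post and not code from Adobe or Railo: a CFML diagnostic that parses the raw Cookie request header and reports every cookie name the browser sent more than once, so the values on the wire can be compared with what the COOKIE scope shows. The function name `findDuplicateCookies` and the log file name `cookie-conflicts` are assumptions made for illustration.

```cfml
<cfscript>
// Added diagnostic, not from the original post.
// Returns a struct: cookie name -> array of values (in header order),
// containing only the names that occur more than once in the header.
function findDuplicateCookies(required string rawHeader) {
    var seen  = {};   // struct keys are case-insensitive, like the COOKIE scope
    var dupes = {};
    var pairs = listToArray(arguments.rawHeader, ";");
    var pair  = "";
    var name  = "";
    var value = "";
    var eq    = 0;

    for (pair in pairs) {
        pair = trim(pair);
        eq = find("=", pair);
        if (eq LTE 1) { continue; }   // skip pairs with no name or no "="
        name  = trim(left(pair, eq - 1));
        value = (eq LT len(pair)) ? right(pair, len(pair) - eq) : "";
        if (NOT structKeyExists(seen, name)) { seen[name] = []; }
        arrayAppend(seen[name], value);
    }

    for (name in seen) {
        if (arrayLen(seen[name]) GT 1) { dupes[name] = seen[name]; }
    }
    return dupes;
}

// cgi.http_cookie holds the Cookie header exactly as the browser sent it.
dupes = findDuplicateCookies(cgi.http_cookie);

if (NOT structIsEmpty(dupes)) {
    // Log names only: the values of CFID/CFToken are session identifiers.
    // "cookie-conflicts" is a hypothetical log file name.
    writeLog(
        file = "cookie-conflicts",
        type = "warning",
        text = "Duplicate cookie names on #cgi.server_name#: #structKeyList(dupes)#"
    );
}

// Development use only: the dump includes the cookie values.
writeDump(var = dupes, label = "Cookie names sent more than once");
</cfscript>
```

Run on the third request of the test case above, this lists `test1a` and `test1b` with both values as received, next to which the `<cfdump>` of the COOKIE scope can be compared.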