5 Replies Latest reply on Apr 16, 2014 8:53 AM by Adobe Forums User

    Domain and subdomain cookie conflicts...

    Adobe Forums User Level 1

      We run a website on a subdomain (mysite.abc.com) while other parties within our company operate various other websites on the main domain and other subdomains (www.abc.com, anothersite.abc.com, etc.). Our site is ColdFusion-based, as are a few of (but not all of) the other abc.com websites.

       

      We recently started to encounter a problem in which our users key their login information into our login page and click submit, only to have the page refresh. No failed login attempt, just a page refresh. I have seen the issue primarily in Firefox, but I believe this is just because our users prefer that browser. I am unable to recreate the problem on my end, but then again I rarely use Firefox and don't often visit the abc.com websites outside of our own.

       

      The only fix that seems to work is to clear the browser's cookies entirely, or if the user objects to that, just the cookies for "abc.com". Doing so lets the user log back into our website (again, at mysite.abc.com) fine. I do not have to clear the cookies for mysite.abc.com, so I'm led to believe this is a result of the main domain's cookies somehow conflicting with our own.

       

      Any thoughts? Has anyone else experienced this?

       

      EDIT: I haven't had a chance to test which of the main site's cookies is causing this, but I'm assuming it's the CFID/CFTOKEN. I'll know more once another user encounters it, assuming I can spend some time on their computer to do testing, and not have to rush-fix the problem so they can continue working.

        • 1. Re: Domain and subdomain cookie conflicts...
          vishu#13 Level 3

          Application.cfc/Application.cfm

           

          <cfapplication name="Test"
              clientmanagement="No"
              sessionmanagement="Yes"
              sessiontimeout="#CreateTimeSpan(0,0,5,0)#"
              setClientCookies="no"
              setDomainCookies="no"
              applicationtimeout="#CreateTimeSpan(0,2,0,0)#">

           

          ----------------------

          Place this code somewhere in the login page

           

           

          <!--- .mydomain.com cookie is interfering with the subdomain.mydomain.com cookie. So let's clear the mydomain cookie before attempting to login --->

          <cfif session.userID IS 0> <!--- if not logged in yet --->
              <cfif isDefined("Cookie")>
                  <!--- count the CFID and CFTOKEN entries in the cookie scope --->
                  <cfset idCount = tokenCount = 0>
                  <cfloop collection="#cookie#" item="v">
                      <cfif v IS "CFID">
                          <cfset idCount += 1>
                      <cfelseif v IS "CFTOKEN">
                          <cfset tokenCount += 1>
                      </cfif>
                  </cfloop>
                  <cfif idCount NEQ tokenCount OR idCount GT 1>
                      <!--- counts disagree: drop every cookie, expire the .mydomain.com copies, re-issue this session's values --->
                      <cfloop collection="#cookie#" item="v">
                          <cfset structDelete(cookie,v)>
                      </cfloop>
                      <cfif isDefined("session.cfid")>
                          <cfcookie name="cfid" value="#session.cfid#" domain=".mydomain.com" expires="now">
                          <cfcookie name="cfid" value="#session.cfid#">
                      </cfif>
                      <cfif isDefined("session.cftoken")>
                          <cfcookie name="cftoken" value="#session.cftoken#" domain=".mydomain.com" expires="now">
                          <cfcookie name="cftoken" value="#session.cftoken#">
                      </cfif>
                  <cfelse>
                      <!--- otherwise re-issue a cookie only when its value differs from the session's --->
                      <cfif isDefined("cookie.cfid") AND isDefined("session.cfid") AND cookie.cfid IS NOT session.cfid>
                          <cfcookie name="cfid" value="#session.cfid#" domain=".mydomain.com" expires="now">
                          <cfcookie name="cfid" value="#session.cfid#">
                      </cfif>
                      <cfif isDefined("cookie.cftoken") AND isDefined("session.cftoken") AND cookie.cftoken IS NOT session.cftoken>
                          <cfcookie name="cftoken" value="#session.cftoken#" domain=".mydomain.com" expires="now">
                          <cfcookie name="cftoken" value="#session.cftoken#">
                      </cfif>
                  </cfif>
              </cfif>
          </cfif>


          1 person found this helpful
          • 2. Re: Domain and subdomain cookie conflicts...
            Adobe Forums User Level 1

            Hi vishu,

             

            Thanks for this code, I'll give it a try. Forgive my (probably really basic) follow-up questions:

             

            1. So, it seems based on your code sample that you can delete cookies at the parent domain level (mysite.com) from a ColdFusion server hosted on the subdomain level (something.mysite.com). Is this correct?

             

            2. If so, it looks like to do so you just specify domain=".mysite.com" in the cfcookie tag. So, on my CF server (hosted at something.mysite.com) I could clear CFID and CFTOKEN cookies at mysite.com by using:

             

            <cfcookie name="cfid" value="" domain=".mysite.com" expires="now">

            <cfcookie name="cftoken" value="" domain=".mysite.com" expires="now">

             

            3. And lastly, I'm trying to figure out where the parent domain's CFID and CFTOKEN values are being created. I don't host those web servers; in fact, I'm not even able to find one that runs ColdFusion (though that doesn't mean a CF server at the parent domain doesn't exist somewhere). Is there any way CFID and CFTOKEN values from my site (something.mysite.com) are being set at the parent level (mysite.com)?

             

            Hope these questions make sense.

            • 3. Re: Domain and subdomain cookie conflicts...
              Adobe Forums User Level 1

              Hi vishu,

               

              Disregard - I managed to get it all worked out. I was overthinking it.

               

              Simply clearing the main website's CFID and CFTOKEN cookies first-thing each time my log in page loads resolved the issue.

              • 4. Re: Domain and subdomain cookie conflicts...
                BKBK Adobe Community Professional & MVP

                Good for you! Please kindly mark your answer as 'correct'. Thanks.

                • 5. Re: Domain and subdomain cookie conflicts...
                  Adobe Forums User Level 1

                  The actual fix was simple, just delete the main website's CFID and CFTOKEN cookies first-thing on my log in page, using:

                   

                  <cfcookie name="cfid" value="" domain=".mysite.com" expires="now">

                  <cfcookie name="cftoken" value="" domain=".mysite.com" expires="now">
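
The conflict resolved in this thread, modelled as an added example (not code from any poster): a cookie set with a Domain attribute on the parent domain is also sent to the subdomain, so the login page receives two CFID/CFTOKEN pairs. The jar contents, the helper names and the Path=/ value are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Cookie:
    name: str
    value: str
    domain: str      # setting host, or the Domain attribute without its leading dot
    host_only: bool  # True when the cookie was set without a Domain attribute

def domain_match(host, cookie):
    """RFC 6265: host-only cookies need the exact host; Domain cookies also match subdomains."""
    if cookie.host_only:
        return host == cookie.domain
    return host == cookie.domain or host.endswith("." + cookie.domain)

def cookie_header(host, jar):
    """Cookie header a browser would send to host; jar order stands in for creation order."""
    return "; ".join(f"{c.name}={c.value}" for c in jar if domain_match(host, c))

def duplicate_names(header, watched=("CFID", "CFTOKEN")):
    """Map each watched name that occurs more than once in a raw Cookie header to its values."""
    seen = {}
    for pair in header.split(";"):
        name, _, value = pair.strip().partition("=")
        if name.upper() in watched:
            seen.setdefault(name.upper(), []).append(value)
    return {n: v for n, v in seen.items() if len(v) > 1}

def expire_parent(name, parent):
    """Set-Cookie value that removes the parent-domain copy (Path=/ is an assumption)."""
    return f"{name}=; Domain={parent}; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT"

# Constructed jar: values are made up; hosts are the placeholders used in the question.
JAR = [
    Cookie("CFID", "1111", "abc.com", host_only=False),   # set by another abc.com site
    Cookie("CFTOKEN", "aaaa", "abc.com", host_only=False),
    Cookie("CFID", "2222", "mysite.abc.com", host_only=True),   # this site's session
    Cookie("CFTOKEN", "bbbb", "mysite.abc.com", host_only=True),
]

if __name__ == "__main__":
    header = cookie_header("mysite.abc.com", JAR)
    print(header)
    print(duplicate_names(header))
    print([expire_parent(n, "abc.com") for n in duplicate_names(header)])
```

On the ColdFusion side the raw header is available from `GetHttpRequestData().headers`, so the same duplicate check can be logged on the login page to see which users carry a parent-domain CFID/CFTOKEN.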