3 Replies Latest reply: Feb 9, 2015 10:57 PM by fusrec RSS

    THIS.setDomainCookies bug in CF11?




      It appears as though THIS.setDomainCookies functionality has been reversed from CF10 to CF11...


      I migrated recently from CF10 -> CF11. I have an app that runs at xyz.thisdomain.com


      My app has the following settings for THIS in Application.cfc:

      <cfset THIS.name = "xyzapp">

      <cfset THIS.applicationtimeout = createtimespan(1,0,0,0)>

      <cfset THIS.sessionManagement = true>

      <cfset THIS.Sessiontimeout = createtimespan(0,1,0,0)>

      <cfset THIS.setDomainCookies = true>


      When a user logs out (manually), the system performs the following to clear the previous session and create a new session:

      <cfset StructClear(Session)>

      <cfset THIS.sessionManagement = true>

      <cfset THIS.Sessiontimeout = createtimespan(0,0,0,0)>


      <cfloop collection="#COOKIE#" item="name">

           <cfcookie name="#name#" value="" expires="now"/>



      <cflocation addtoken="no" url="http://xyz.thisdomain.com">


      In CF11, once the manual log out happens, the user's cookies persist still, and are for ".thisdomain.com". CF doesn't expire the cookies and create new ones, but has cleared the SESSION struct as instructed. This causes huge bugs in my system.


      However, if I set THIS.setDomainCookies = false, then the cookies are correctly for "xyz.thisdomain.com", and are properly removed from the browser when the logout action happens. Everything works as expected.


      This seems to be reverse setDomainCookies behaviour when comparing CF10 and CF11... Bug? OR am I missing something here... Worth mentioning that I installed CF11 as "Production + Secure Profile".





        • 1. Re: THIS.setDomainCookies bug in CF11?
          rubytuby189 Community Member

          I also just noticed that in CF11 when setDomainCookies = true (as described above), the CFID value is a really long string like this: Z878pt2v0jgtx8yvvdf8rr3ifl19dswl61juevwo42y6ibcn65-1168 instead of the normal short, numeric value. Also, this CFID closely matches the value for the CFTOKEN cookie: Z878pt2v0jgtx8yvvdf8rr3ifl19dswl61juevwo42y6ibcn65-59bcdaab076aa06-2997ED3A-C291-54C7-53D0BF27179FEDC9. Looks like there's just a long (and same) prefix in both cookies... never seen this before.


          When I set setDomainCookies = false, the CFID cookie goes back to the normal short numeric value (no prefix).


          Thought it might be worth menitoning...


          • 2. Re: THIS.setDomainCookies bug in CF11?
            silmaril Community Member



            Not sure if it's related but i'm experiencing some weirdness with cflogin and loginStorage="session" also.


            In some case i need to log-in twice for the login to "stick" (on the first login i only get to see one page, all following request get me back to the login form).


            It seem to be linked to login/session timeouts but i can't figure out why...

            • 3. Re: THIS.setDomainCookies bug in CF11?
              fusrec Community Member

              Hi Silmaril


              I am experiencing exactly the same problem, but extremely intermittently.

              Have you been able to resolve this "Double Login" problem? Or perhaps a workaround?