4 Replies Latest reply on Mar 4, 2015 2:25 AM by silmaril

    THIS.setDomainCookies bug in CF11?




      It appears as though THIS.setDomainCookies functionality has been reversed from CF10 to CF11...


      I migrated recently from CF10 -> CF11. I have an app that runs at xyz.thisdomain.com


      My app has the following settings for THIS in Application.cfc:

      <cfset THIS.name = "xyzapp">

      <cfset THIS.applicationtimeout = createtimespan(1,0,0,0)>

      <cfset THIS.sessionManagement = true>

      <cfset THIS.Sessiontimeout = createtimespan(0,1,0,0)>

      <cfset THIS.setDomainCookies = true>


      When a user logs out (manually), the system performs the following to clear the previous session and create a new session:

      <cfset StructClear(Session)>

      <cfset THIS.sessionManagement = true>

      <cfset THIS.Sessiontimeout = createtimespan(0,0,0,0)>


      <cfloop collection="#COOKIE#" item="name">

           <cfcookie name="#name#" value="" expires="now"/>

      </cfloop>

      <cflocation addtoken="no" url="http://xyz.thisdomain.com">


      In CF11, once the manual log out happens, the user's cookies persist still, and are for ".thisdomain.com". CF doesn't expire the cookies and create new ones, but has cleared the SESSION struct as instructed. This causes huge bugs in my system.


      However, if I set THIS.setDomainCookies = false, then the cookies are correctly for "xyz.thisdomain.com", and are properly removed from the browser when the logout action happens. Everything works as expected.


      This seems to be reverse setDomainCookies behaviour when comparing CF10 and CF11... Bug? OR am I missing something here... Worth mentioning that I installed CF11 as "Production + Secure Profile".
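
      The behaviour reported above is consistent with how browsers key stored cookies (RFC 6265, section 5.3): an expiring Set-Cookie only evicts a stored cookie with the same name, domain and path. The following is an added example, not part of the original post: a small Python model of that rule applied to the logout loop. It assumes that cfcookie without a domain attribute sends no Domain, and uses CFID/CFTOKEN with constructed values as sample cookies.

```python
# Added example: minimal model of RFC 6265 cookie storage, applied to the
# logout loop from the post. Cookie values are constructed sample data.

def domain_match(host, domain):
    """True if host equals domain or is a subdomain of it."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)

class CookieJar:
    def __init__(self):
        # Stored cookies are identified by (name, domain, path).
        self.store = {}

    def set_cookie(self, request_host, name, value, domain=None, expired=False):
        """Apply one Set-Cookie header received from request_host (path is "/")."""
        if domain is not None:
            cookie_domain = domain.lstrip(".").lower()
            if not domain_match(request_host, cookie_domain):
                return                      # foreign Domain attribute: ignored
            host_only = False
        else:
            cookie_domain = request_host.lower()   # no Domain: host-only cookie
            host_only = True
        key = (name, cookie_domain, "/")
        if expired:
            self.store.pop(key, None)       # expiry evicts only the identical key
        else:
            self.store[key] = (value, host_only)

    def cookies_for(self, request_host):
        """Names of the cookies a browser would send to request_host."""
        return sorted(
            name for (name, dom, _), (_, host_only) in self.store.items()
            if request_host == dom or (not host_only and domain_match(request_host, dom))
        )

def logout(jar, host, domain=None):
    """Mirror the post's loop: expire every cookie currently sent to host."""
    for name in jar.cookies_for(host):
        jar.set_cookie(host, name, "", domain=domain, expired=True)
    return jar.cookies_for(host)            # what still reaches the server

def demo():
    host = "xyz.thisdomain.com"
    jar = CookieJar()
    for name in ("CFID", "CFTOKEN"):        # issued as with setDomainCookies = true
        jar.set_cookie(host, name, "constructed-value", domain=".thisdomain.com")
    without_domain = logout(jar, host)                    # expiry sent with no Domain
    with_domain = logout(jar, host, ".thisdomain.com")    # expiry sent with matching Domain
    return without_domain, with_domain
```

      In this model the expiry sent without a Domain leaves both domain cookies in place, and only the expiry carrying the matching Domain removes them, so a logout check should confirm that the session cookies no longer arrive on the next request.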