Strange session cookie behaviour

Tag: session , cookies , coldfusion , coldfusion-10 Author: b332345868 Date: 2014-01-21

I am noticing strange behaviour with my ColdFusion session cookies whereby the domain, path and httponly attributes are not retained.

In my application.cfc file I have this.setclientcookies set to false.

In my onSessionStart event I then have the following code:

<cfset sessionRotate()>
<cfcookie name="CFID" value="#session.cfid#" path="#application.sessioncookiespath#" domain="#application.sessioncookiesdomain#" httponly="yes">
<cfcookie name="CFTOKEN" value="#session.cftoken#" path="#application.sessioncookiespath#" domain="#application.sessioncookiesdomain#" httponly="yes">

The first time I visit a page the CFID and CFTOKEN cookies get sent to the browser with the correct values, domains, paths, expiry dates, etc.

But when viewing the request cookies for subsequent requests everything but the value of the cookie has been lost.

If I then close the browser, reopen it and go to a page, the same cookies are sent to the server and so I get the same session, instead of the expected behaviour of the browser deleting the cookies when closed.

Can anybody shed any light on this?


In response to Sean.

Response cookies returned on initial request to are:

Set Cookie CFID=123456;; Expires=Fri, 07-Feb-2014 15:12:33 GMT; Path=/sub; HttpOnly

Set Cookie CFTOKEN=2cf168a89952feec%2D4DAC5903%2D1DD8%2DB71C%2D3B0166C2FDAF5D6B;; Expires=Fri, 07-Feb-2014 15:12:33 GMT; Path=/sub; HttpOnly

Subsequent requests to any other page (any page at the same level or deeper than the /sub directory) or the same page (i.e. refreshing the page) send the following request cookie string:

CFID=191297; CFTOKEN=2cf168a89952feec%2D4DAC5903%2D1DD8%2DB71C%2D0B0166C2FDAF5D6D; ASP.NET_SessionId=s43bplyduc0hkgintth4gcqh

By subsequent requests, do you mean you refresh or are you going to other pages? If other pages, it might depend on the values of the path and domain arguments you are using. Instead of showing us variables, can you just put the actual values you are using and the paths to the pages you are requesting from the server?
@SeanCoyne please see my edits
OK, those are the headers sent. So, the first couple are setting the cookies. The subsequent ones are the cookies being loaded by the browser. If the domain and path didn't match (which you said they do) then the browser wouldn't send them, but it is sending them, so it is functioning as it should. As an aside, you will probably have better luck with your sessions if you use J2EE sessions, which will set a jsessionid cookie instead of the cfid and cftoken cookies. Not sure exactly what your use case is, but I always use J2EE sessions, FWIW.
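Sean's point above, that the browser stores the attributes but only echoes name=value pairs, as an added example that is not part of the original question or answers. It parses Set-Cookie headers constructed to mirror the ones quoted (token value shortened), flags which cookies are persistent rather than session-scoped, and builds the Cookie header a browser would send for a given request path; the `StoredCookie` type and function names are my own.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample headers mirroring the two quoted in the question
# (token value shortened; the doubled ';;' is kept as quoted).
SET_COOKIE_HEADERS = [
    "CFID=123456;; Expires=Fri, 07-Feb-2014 15:12:33 GMT; Path=/sub; HttpOnly",
    "CFTOKEN=2cf168a89952feec%2D4DAC5903; Expires=Fri, 07-Feb-2014 15:12:33 GMT; Path=/sub; HttpOnly",
]

@dataclass
class StoredCookie:
    name: str
    value: str
    path: str = "/"
    expires: Optional[datetime] = None  # None: session cookie, dropped on browser close
    http_only: bool = False
    secure: bool = False

    @property
    def persistent(self) -> bool:
        # An Expires date makes the cookie survive closing the browser.
        return self.expires is not None

def parse_set_cookie(header: str) -> StoredCookie:
    # Drop empty segments, such as the doubled ';;' in the quoted headers.
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = StoredCookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "path":
            cookie.path = val
        elif key == "expires":
            ts = val[:-4] if val.endswith(" GMT") else val
            cookie.expires = datetime.strptime(ts, "%a, %d-%b-%Y %H:%M:%S").replace(tzinfo=timezone.utc)
        elif key == "httponly":
            cookie.http_only = True
        elif key == "secure":
            cookie.secure = True
    return cookie

def cookie_request_header(jar: List[StoredCookie], request_path: str) -> str:
    """The Cookie header a browser sends back: only name=value for cookies whose
    Path matches the request (RFC 6265 path-match); Expires, Path and HttpOnly are never echoed."""
    matching = [c for c in jar if request_path == c.path
                or request_path.startswith(c.path.rstrip("/") + "/")]
    return "; ".join(f"{c.name}={c.value}" for c in matching)
```

Both quoted cookies carry a future Expires date, so `persistent` is true for them: that is what lets a cookie outlive closing the browser, whereas a cookie with neither Expires nor Max-Age is discarded at the end of the browsing session.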

Other Answer 1

It's a CF10 bug, fixed, but not available.