CFID/CFTOKEN cookie case


Dave Merrill

Feb 4, 2015, 11:45:31 AM
to lu...@googlegroups.com
I often work on multiple CFML engine instances on the same server at the same time, particularly when checking a behavior difference between engines. If I'm on an ACF site, then hit a Lucee site in the same browser, I run into problems with the app's authentication, in at least two different apps. The details are specific to those implementations, but at the root of it, they're caused by the fact that Lucee creates its CFID and CFTOKEN cookies with all lowercase names, while ACF uses uppercase. The result is that cookies with both cases exist. Deleting the lowercase versions fixes the problem. I noticed this in Railo for a long time too, never spoke up about it.

Is this difference intentional, to solve a problem I'm not aware of?

If not, I'd suggest matching ACF to avoid this hassle.

Thanks.

Adam Cameron

Feb 4, 2015, 12:04:35 PM
to lu...@googlegroups.com
I work around this in dev by having different domain names for each instance / type. EG: lucee.local, cf11.local, cf10.local, etc. I get that this is not always possible.

--
You received this message because you are subscribed to the Google Groups "Lucee" group.
To unsubscribe from this group and stop receiving emails from it, send an email to lucee+un...@googlegroups.com.
To post to this group, send email to lu...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/lucee/9a5af410-dbce-49ab-9b4e-5d13e4192a7e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Dave Merrill

Feb 4, 2015, 12:42:45 PM
to lu...@googlegroups.com
Sure, that's a workaround, and a valid scenario you might want to try, but so is different ports, which is what I typically do. Other people can hit them then too, without any setup.

Just curious if this is an oversight or on purpose.

Dave

Adam Cameron

Feb 4, 2015, 12:45:38 PM
to lu...@googlegroups.com
Different ports won't help your cookie situation though. Cookies are domain-based.

Dave Merrill

Feb 4, 2015, 1:02:38 PM
to lu...@googlegroups.com
Understood, different ports is where I see the problem. I just meant that's how I access these different instances on the same box, as opposed to different domains.

Dave

Igal Sapir

Feb 7, 2015, 4:50:02 PM
to lu...@googlegroups.com

We discovered this issue back in Railo and fixed it there, but a far better solution would be to allow configuring the cookie names.

Then you can call your cookie whatever you want and hide the fact that it's a Lucee server.

Cftoken is always 0 and should be removed from the cookies, allowing checks for cookie.cftoken and the like without an error.

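A small check for the situation discussed in this thread, as an added example that is not code from any poster or from Lucee: it parses a Cookie request header, reports names that differ only by case, and shows that a case-insensitive lookup returns a different session identifier depending on whether the first or the last duplicate wins. The header value and all function names are constructed for illustration; which policy a given engine applies is not stated in the thread.

```javascript
// Constructed sample: one browser, two engines on the same host, different ports.
const SAMPLE_COOKIE_HEADER =
  "CFID=4102; CFTOKEN=83a1f0c2; cfid=7f3c9e2a-5b1d; cftoken=0";

// Split a Cookie request header into [name, value] pairs, keeping order and case.
function parseCookieHeader(header) {
  return header
    .split(";")
    .map((part) => part.trim())
    .filter((part) => part.indexOf("=") > 0)
    .map((part) => {
      const eq = part.indexOf("=");
      return [part.slice(0, eq), part.slice(eq + 1)];
    });
}

// Return { lowercasedName: [{name, value}, ...] } for names sent in more than one case.
function findCaseCollisions(header) {
  const groups = new Map();
  for (const [name, value] of parseCookieHeader(header)) {
    const key = name.toLowerCase();
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push({ name, value });
  }
  const collisions = {};
  for (const [key, entries] of groups) {
    if (new Set(entries.map((e) => e.name)).size > 1) collisions[key] = entries;
  }
  return collisions;
}

// Value a case-insensitive lookup returns when the "first" or "last" duplicate wins.
function resolveCaseInsensitive(header, policy) {
  const resolved = {};
  for (const [name, value] of parseCookieHeader(header)) {
    const key = name.toLowerCase();
    if (policy === "first" && key in resolved) continue;
    resolved[key] = value;
  }
  return resolved;
}

const collisions = findCaseCollisions(SAMPLE_COOKIE_HEADER);
for (const [key, entries] of Object.entries(collisions)) {
  const seen = entries.map((e) => `${e.name}=${e.value}`).join(", ");
  console.log(`case collision on "${key}": ${seen}`);
}
console.log("first wins:", resolveCaseInsensitive(SAMPLE_COOKIE_HEADER, "first"));
console.log("last wins: ", resolveCaseInsensitive(SAMPLE_COOKIE_HEADER, "last"));
```

Run against request logs or a debug endpoint, a non-empty result from `findCaseCollisions` is the signal that two engines have written session cookies for the same host.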