CF10 creating extra CFID/CFTOKEN cookies at the domain level


hofar...@houseoffusion.com

Sep 11, 2014, 1:40:30 PM
to ColdFusion Technical Talk

I am having a problem that from time to time CF10 creates a new pair of cookies at the domain level, specifically whitevalegolfclub.com.

The application runs under www.whitevalegolfclub.com and the CFID and CFTOKEN cookies are created there, along with several of my own, at logon. But this spontaneous creation of the additional pair at the domain level overrides the sub-domain cookies and hides them from my application.

I have seen some postings that sound like others have had a similar problem but I have not heard of a fix for CF or a programming technique to stop it from happening and becoming a problem.

I'd sure appreciate some input on why they are being created or on how to stop the problem from occurring.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359285

hofar...@houseoffusion.com

Sep 11, 2014, 2:23:53 PM
to ColdFusion Technical Talk

I notice that your site is reachable both through www.whitevalegolfclub.com and whitevalegolfclub.com.
I had the same problem with one of my sites.
It looks like two different cookies are created, one for www.whitevalegolfclub.com and the other one for whitevalegolfclub.com,
and this goofs CF.
When looking for session cookies, CF does not recognize one of its sessions and creates a new one every time.

I got rid of the access to the site without www and it solved the problem.


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359287

hofar...@houseoffusion.com

Oct 1, 2014, 10:53:09 PM
to ColdFusion Technical Talk

I did what you suggested and thought that the problem had gone away. I was successful in getting any traffic to move to the www prefixed name but that didn't solve the cookie problem. I am having trouble creating the failure but I am still seeing duplicate cookies with the same CFID and CFTOKEN values. I would really like to eliminate these as I believe they are part of the problem I am trying to solve.

What can cause CF10 to store duplicate cookies, one under the www subdomain and one at the higher level?


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359384

hofar...@houseoffusion.com

Oct 2, 2014, 12:48:53 AM
to ColdFusion Technical Talk

If your Application has setclientcookies=yes, which is the default, a
cookie/session will be created for each host used by the client to access
the site.

So domain.com, www.domain.com, 127.0.0.1, could all be the same physical web
site, but would have 3 different cookies and sessions generated.

You mentioned you set up a redirect to www. If the redirect is done via
cflocation, then you would still see 2 CF cookies at the client, since the
client actually is hitting both host names. A web server redirect would
resolve this, so the client never really gets to domain.com as a CF
request, hence no cfid/cftoken cookie.

Another common issue I have seen is a login session occurring under www,
but somewhere in the application a link goes to the non www host, which
could result in a dropped session/login depending on how things are coded.

Byron Mann
Lead Engineer & Architect
HostMySite.com


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359385

hofar...@houseoffusion.com

Oct 2, 2014, 8:50:22 AM
to ColdFusion Technical Talk

Some more info:

- I have not issued a setclientcookies=yes so assuming that is the default it should be there.

- the redirect is via an htaccess file which says

RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]

- I think the redirect is not relevant because I am doing the testing and I am only using www.

- Multiple browsers have shown up with the duplicate cookies and the duplication seems to occur after a logon (using my own app code). I don't use any specific URLs ... all are relative based on the domain.

Any other thoughts on what is causing it?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359387

hofar...@houseoffusion.com

Oct 20, 2014, 9:53:01 PM
to ColdFusion Technical Talk

For anyone who stumbles across this post, I thought I should add the closure as I now understand it.

First of all, the duplicate CFID and CFTOKEN was not the problem I thought it was. It confused matters, but it seems that most browsers can tolerate it, even though it makes no sense to me.

I eventually found that browsers were losing the CFID/CFTOKEN values and as a result could not locate the session variables and that is what caused the problem. And for the most part it happened in IE, but was not consistent. Some IE11 systems failed all the time while others were sporadic and some ran fine.

I found a couple of postings that said for security reasons you should now use J2EE Session Variables on the ColdFusion Administrator Memory Variables page and that would improve security and mean that CFID/CFTOKEN were no longer used so I tried it. And it worked. My ISP had not set that value but as soon as they did, everything worked perfectly again.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359497

hofar...@houseoffusion.com

Oct 20, 2014, 11:31:41 PM
to ColdFusion Technical Talk

>>I eventually found that browsers were losing the CFID/CFTOKEN values and as a result could not locate the session variables

Actually, browsers are not losing cookies and do not locate session variables.
Session variables are managed by ColdFusion.
IMO the problem is that when CF receives TWO CFID/CFTOKEN values from ONE cookie, it does not recognize it as a valid CFID/CFTOKEN.
It will then create a new session and lose all of the previous session variables.
This new session will replace only one of the two values in the cookie and the problem continues.


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359498
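
Added example, not part of the thread: how a browser following the RFC 6265 domain-matching rules ends up sending two CFID/CFTOKEN pairs in one Cookie header when one pair is host-only on www and the other carries a Domain attribute for the parent domain. The cookie values are constructed and every cookie path is assumed to be "/".

```python
# Added illustration of RFC 6265 cookie matching; sample cookies are constructed.
from collections import Counter


def domain_match(host, cookie_domain, host_only):
    """RFC 6265 section 5.1.3: a host-only cookie needs an exact host match;
    a cookie set with a Domain attribute also matches any subdomain."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    if host_only:
        return host == cookie_domain
    return host == cookie_domain or host.endswith("." + cookie_domain)


def cookie_header(jar, host):
    """Build the Cookie header a browser would send to `host`.
    Assumption: all paths are "/", so jar order stands in for creation order."""
    sent = [c for c in jar if domain_match(host, c["domain"], c["host_only"])]
    return "; ".join(f'{c["name"]}={c["value"]}' for c in sent)


def duplicate_names(header):
    """Return the cookie names that occur more than once in a Cookie header."""
    names = [p.split("=", 1)[0].strip() for p in header.split(";") if p.strip()]
    return sorted(n for n, count in Counter(names).items() if count > 1)


# Constructed jar: one pair stored host-only on www, one pair stored with
# Domain=whitevalegolfclub.com (the "domain level" pair from the thread).
JAR = [
    {"name": "CFID", "value": "1001", "domain": "www.whitevalegolfclub.com", "host_only": True},
    {"name": "CFTOKEN", "value": "aaaa", "domain": "www.whitevalegolfclub.com", "host_only": True},
    {"name": "CFID", "value": "2002", "domain": "whitevalegolfclub.com", "host_only": False},
    {"name": "CFTOKEN", "value": "bbbb", "domain": "whitevalegolfclub.com", "host_only": False},
]

if __name__ == "__main__":
    for host in ("www.whitevalegolfclub.com", "whitevalegolfclub.com"):
        header = cookie_header(JAR, host)
        print(host, "->", header, "| duplicates:", duplicate_names(header))
```

Running `duplicate_names` over the Cookie header values captured in web server or proxy logs is a quick way to confirm whether affected clients are actually sending both pairs.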

hofar...@houseoffusion.com

Oct 23, 2014, 3:37:37 PM
to ColdFusion Technical Talk

I went thru this special brand of misery back in March of this year. Here
is the thread:
http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:64982

There's a lot more in that thread than here as to potential causes of this
problem.

--
--m@Robertson--
Janitor, The Robertson Team
mysecretbase.com


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359511