Why are cookie names created all in uppercase?


Mattijs Spierings

Nov 2, 2015, 11:04:25 PM
to Lucee
Hi,

I am getting a bit annoyed with ColdFusion right now, especially the case insensitivity.
I have been doing a lot of isomorphic JS, but with this current project I am knotting together a JS frontend to a CFML backend.
Creating a new cookie automatically sets the cookie name in uppercase.
Why would you do that? Why not let the developer decide the case? Now I have to make changes in my JS because Lucee (and Railo and ACFML) doesn't allow you to decide the casing.

Another occurrence where casing is an issue is when you create a struct and add a key with dot notation. The key will then be converted to uppercase too.
So:
var aStruct = {};
aStruct.someKey = 1;

If you dump aStruct it will tell you its key is ASTRUCT=1.
Only when you define it like 
aStruct[ 'someKey' ] = 1;

does it stay in the same form.

Is this something that is very hard to change?
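The mismatch described above shows up on the JS side because a browser keeps cookie names case-sensitively (RFC 6265 compares name, domain and path as plain strings), so a cookie the CFML engine stores as SOMEKEY is a different cookie from the one JS wrote as someKey. The following is an added example, not code from the thread or from Lucee: a small parser for a `document.cookie` / `Cookie` header string with an exact lookup and a case-insensitive lookup that refuses to guess when two cookies differ only in case. The sample cookie strings are constructed for the example.

```javascript
// Added example (not from the thread): parse a cookie string and look a
// cookie up either exactly or ignoring case. Browsers treat "SOMEKEY" and
// "someKey" as two distinct cookies, which is why an exact lookup fails
// when the backend has uppercased the name.

// Parse "a=1; B=2" into a Map of name -> value. The first occurrence wins,
// matching the order in which a browser serialises shadowed cookies.
function parseCookieString(cookieString) {
  const jar = new Map();
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;                        // skip malformed pairs
    const name = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (name === '' || jar.has(name)) continue;  // skip empty / duplicate names
    jar.set(name, value);
  }
  return jar;
}

// Exact lookup: what most document.cookie helper code does.
function getCookie(cookieString, name) {
  const jar = parseCookieString(cookieString);
  return jar.has(name) ? jar.get(name) : undefined;
}

// Case-insensitive lookup: tolerates a backend that rewrote the name in
// uppercase. Returns undefined when the match is ambiguous (two cookies
// whose names differ only by case) rather than silently picking one.
function getCookieIgnoreCase(cookieString, name) {
  const wanted = name.toLowerCase();
  const hits = [...parseCookieString(cookieString)]
    .filter(([n]) => n.toLowerCase() === wanted);
  return hits.length === 1 ? hits[0][1] : undefined;
}

// Constructed sample: JS wrote "gameSession", the CFML side rewrote it as
// "GAMESESSION", and an unrelated cookie sits alongside.
const SAMPLE = 'GAMESESSION=abc123; theme=dark';

console.log(getCookie(SAMPLE, 'gameSession'));            // undefined
console.log(getCookieIgnoreCase(SAMPLE, 'gameSession'));  // "abc123"
```

Matching the exact name the server emits (or having the server emit the name the client expects, as the thread ends up doing) is the cleaner fix; the case-insensitive lookup is a fallback, and its refusal to resolve ambiguous names is deliberate, since picking the wrong one of two same-named cookies is how stale session data gets read.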

Mattijs Spierings

Nov 2, 2015, 11:08:47 PM
to Lucee
So do I really need to set a cookie by writing a header instead of using the convenience function cookie, if I want it in lowercase?

Mattijs Spierings

Nov 2, 2015, 11:10:35 PM
to Lucee
Okay, I already found an option in the Lucee Admin about dot notation. That is great. New feature I didn't have in Railo at the time.


Denard Springle

Nov 3, 2015, 11:31:11 AM
to Lucee


On Monday, November 2, 2015 at 11:08:47 PM UTC-5, Mattijs Spierings wrote:
So do I really need to set a cookie by writing a header instead of using the convenience function cookie, if I want it in lowercase?

Short answer... yes and no. I tend to use headers anyway for cookies because I find the syntax more concise, but that's just a personal preference. Cookies are, for all intents and purposes, a struct, so the same rules apply (e.g. cookie['caseSensitive'] would achieve the same thing as struct['caseSensitive']). I'm not sure about the admin dot notation affecting the cookie scoped variables... I don't use that option for case sensitivity because I want my applications to remain portable across engines, so I use the struct['caseSensitive'] format when I need it to be case sensitive, and as I already said I use headers to set cookies, a la:

getPageContext().getResponse().addHeader("Set-Cookie", "__caseSensitiveName=myValue;path=/;domain=.#CGI.HTTP_HOST#;HTTPOnly");


Now on to a more important topic... are you trying to access CFML cookies from a JavaScript front-end? Are you aware that this provides an excellent attack surface for hackers to exploit? Cookies should always be httpOnly, which prevents JavaScript from accessing them. Depending on what you're trying to accomplish there are different ways to maintain state between front and back-end, but generally speaking you should avoid tightly coupling your front and back-end code.

-- Denny
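Writing the Set-Cookie header by hand, as the reply above does, preserves the name's case but also makes the application responsible for everything the convenience function would have handled: the security attributes and the fact that a name or value containing `;` or a line break would smuggle extra attributes or a second header into the response. The following builder is an added example, not code from the thread or from Lucee, written in JavaScript as a server-side helper; it validates the name against the RFC 6265 token grammar and the value against the cookie-value grammar, and turns HttpOnly, Secure and SameSite=Lax on unless the caller opts out. The option names (`httpOnly`, `secure`, `sameSite`, `maxAge`) are this example's own.

```javascript
// Added example (not from the thread): build a Set-Cookie header value with
// validated name/value and safe attribute defaults.

// cookie-name is an RFC 2616 token: printable ASCII without separators,
// control characters or whitespace.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// cookie-value: printable US-ASCII except space, '"', ',', ';' and backslash.
const VALUE_RE = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;
// Domain attribute: a hostname, optionally with a leading dot.
const DOMAIN_RE = /^\.?[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$/;

function buildSetCookie(name, value, options = {}) {
  if (!TOKEN_RE.test(name)) throw new Error('invalid cookie name');
  if (!VALUE_RE.test(value)) throw new Error('invalid cookie value');
  const {
    path = '/',
    domain,             // omit unless the cookie must be shared across subdomains
    maxAge,             // lifetime in seconds
    expires,            // a Date; Max-Age takes precedence in browsers
    httpOnly = true,    // default on: scripts cannot read the cookie
    secure = true,      // default on: sent over HTTPS only
    sameSite = 'Lax',   // 'Strict' | 'Lax' | 'None'
  } = options;

  if (/[;\r\n\x00-\x1F]/.test(path)) throw new Error('invalid path');
  if (!['Strict', 'Lax', 'None'].includes(sameSite)) throw new Error('invalid SameSite');
  // Browsers reject SameSite=None without Secure, so refuse it up front.
  if (sameSite === 'None' && !secure) throw new Error('SameSite=None requires Secure');

  // The name is emitted exactly as given; nothing here changes its case.
  const parts = [`${name}=${value}`, `Path=${path}`];
  if (domain !== undefined) {
    if (!DOMAIN_RE.test(domain)) throw new Error('invalid domain');
    parts.push(`Domain=${domain}`);
  }
  if (maxAge !== undefined) parts.push(`Max-Age=${Math.floor(maxAge)}`);
  if (expires instanceof Date) parts.push(`Expires=${expires.toUTCString()}`);
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Constructed usage: a session cookie with the defaults, and one a script is
// allowed to read (the thread's case), which must be opted into explicitly.
console.log(buildSetCookie('gameSession', 'abc123'));
console.log(buildSetCookie('gameSession', 'abc123', { httpOnly: false }));
```

Two points on the header in the reply above: the Domain attribute there is built from CGI.HTTP_HOST, which is the client-supplied Host header, so a configured constant (or no Domain at all, which scopes the cookie to the exact host) is the safer source; and HttpOnly on its own does not protect a cookie sent over plain HTTP, which is what Secure is for.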

Mattijs Spierings

Nov 3, 2015, 10:53:42 PM
to Lucee
Hi Denny,

when I create a cookie with the `Cookie` function, it is always uppercase (says the docs and my personal experience).

I create my cookie like:
cookie name="#Arguments.name#" value="#cookieValue#" expires="#GetHttpTimeString( expiry )#" path="#Arguments.path#";

Could use the header, however I made my JS cookies uppercase.

Concerning your other remark. Don't worry, I am working on a project where users are joining a treasure hunt and their initial cookie is created in JS with their (game) session information. In ColdFusion I enrich this cookie with some more info, so for JS to be able to use the enriched one the casing is very important.
I don't see how a hacker could exploit this by adding extra data in the cookie, which wouldn't be used by the CFML service anyway. Oh, and after CFML writes the cookie it is encrypted anyway. JS only needs to know that the cookie still exists and only uses its expiry date.
So I don't see any weaknesses right now.

Cheers

Denard Springle

Nov 4, 2015, 11:38:17 AM
to Lucee

Could use the header, however I made my JS cookies uppercase.

Also a viable solution :)
 
So I don't see any weaknesses right now.

Roger that, figured I'd mention it just in case you were building a state engine, but sounds like you've got a handle on it.

-- Denny 

Mattijs Spierings

Nov 5, 2015, 12:26:35 AM
to Lucee
Thanks buddy,

Always good to get some critical answers on any coding.
I reckon I should have someone audit my code when I am done. Hard to come up with solutions all by yourself.