
We are using ColdFusion 9.0.1 and are beginning to notice that with IE we will get two sets of session cookies (CFID, CFTOKEN, JSESSIONID) if we hit a subdomain followed by a root domain (e.g. www.example.com, then example.com).

ColdFusion seems to be able to successfully manage this fact and properly match the session with the proper session variables.

I'm looking to understand how ColdFusion/JRun handle session variable mapping. I know that the application name is part of the equation, but what happens when there is more than one JSESSIONID cookie? How does it decide which one is right?

Tom Hubbard

1 Answer


Cookies are domain specific by default, so that cookies created on www.foo.com won't carry over to foo.com. In your Application.cfc you need to set the setdomaincookies value to true, like so:

<cfapplication name="myapp" setdomaincookies="true" />

Or if you're writing it in cfscript:

this.setdomaincookies = true;

That will set your session cookies to be part of *.foo.com, and they'll carry from one subdomain to another without issue.

Dan Short
  • We actually would like for the domains to be separate. Unfortunately it appears that IE will not allow that. So, I'm trying to understand how the sessions are calculated to make sure there will be no conflicts. – Tom Hubbard Feb 20 '13 at 13:38
  • In that case it will just use the cookie for the current domain to pick up the right session id. – Dan Short Feb 20 '13 at 13:48
  • One would think. However, IE will send both cookies with every request (JSESSIONID does not have a domain) so ColdFusion is somehow managing to use the correct one. – Tom Hubbard Feb 20 '13 at 13:51
    Do you have a simple test case that shows the behavior? If CF is getting both of the cookie values, but picking up the correct one, then it must be checking the domain value on the receiving end. Definitely odd that IE is sending back both cookies... That's not what I would expect, though I'm not an IE or cookie expert. – Dan Short Feb 20 '13 at 14:23
  • The simplest example I can find is to open an IE (I'm using 9) browser with the debugging tools open and Network Capturing turned on. If you hit http://www.raymondcamden.com/ you will get one set of tokens. Hitting http://raymondcamden.com/ will give you a different set. Going back to the www link will send both sets of tokens. – Tom Hubbard Feb 20 '13 at 14:42
  • Note that, by design http://goo.gl/4ori5, IE will pass all cookies of a domain to all sub domains. The problem is that starting at the sub domain gives one set of cookies and then going to the root domain gives another set. After that the sub domain sends both sets. – Tom Hubbard Feb 20 '13 at 15:17
  • Gotcha. In that case you should be able to dump the cookie scope and check your `Session.CFToken` and `Session.CFID` to see which one is getting picked up. In ColdFusion 10, you can just dump the `cookie` and `session` scopes to see how they match up. – Dan Short Feb 20 '13 at 18:09
  • A coworker of mine filed a bug with IE about related behavior. See https://connect.microsoft.com/IE/feedback/details/788514/internet-explorer-cookie-domain-and-subdomain-overlap Maybe you don't consider this behavior a bug but if you do please click the "I can reproduce this too" link on the above page. – Jonathan Wilson May 23 '13 at 17:49
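As an added illustration (not code from the question, the answer, or ColdFusion itself), the model below applies RFC 6265 domain matching to the www-then-root sequence described in the thread, once with host-only session cookies (setdomaincookies="false"), once with the IE behaviour reported above where the root domain's host-only cookies are also sent to subdomains, and once with domain cookies (setdomaincookies="true"). Hostnames and session ids are constructed sample values, and the "first JSESSIONID value wins" rule in handle_request is an assumption, since the thread does not say which duplicate ColdFusion/JRun actually selects.

```python
from collections import defaultdict
from dataclasses import dataclass

SESSION_NAMES = ("CFID", "CFTOKEN", "JSESSIONID")

@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str       # host that set it, or ".example.com" for a domain cookie
    host_only: bool   # True when Set-Cookie carried no Domain attribute

def domain_matches(host, cookie, ie_quirk=False):
    """RFC 6265: a host-only cookie returns only to the exact host that set it;
    a domain cookie returns to that domain and all its subdomains. ie_quirk
    models the behaviour reported above: a host-only cookie set by the root
    domain is also sent to its subdomains."""
    d = cookie.domain.lstrip(".")
    if cookie.host_only and not ie_quirk:
        return host == d
    return host == d or host.endswith("." + d)

def cookie_header(jar, host, ie_quirk=False):
    """Values the server receives per cookie name, in creation order."""
    seen = defaultdict(list)
    for c in jar:
        if domain_matches(host, c, ie_quirk):
            seen[c.name].append(c.value)
    return dict(seen)

def handle_request(jar, host, next_sid, domain_cookies=False, ie_quirk=False):
    """Server side: reuse the session if a JSESSIONID arrived, else start one.
    With duplicates the first value is assumed to win (an assumption; the
    thread does not say which one ColdFusion/JRun actually picks)."""
    ids = cookie_header(jar, host, ie_quirk).get("JSESSIONID", [])
    if ids:
        return ids[0], len(ids)
    domain = ".example.com" if domain_cookies else host
    for name in SESSION_NAMES:
        jar.append(Cookie(name, next_sid, domain, host_only=not domain_cookies))
    return next_sid, 0

def browse(domain_cookies=False, ie_quirk=False):
    """www -> root -> www, as in the question; constructed hosts and ids.
    Returns (session id used, number of JSESSIONID values received) per hop."""
    jar, hops = [], []
    for host, sid in (("www.example.com", "s1"), ("example.com", "s2"),
                      ("www.example.com", "s3")):
        hops.append(handle_request(jar, host, sid, domain_cookies, ie_quirk))
    return hops
```

Running `browse(ie_quirk=True)` reproduces the two-JSESSIONID request on the third hop, while `browse(domain_cookies=True)` shows a single shared session across both hosts.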