CFID/cfid and CFTOKEN/cftoken cookies are not handled consistently if the application manages the cookies explicitly

Description

In our implementation, we initialize the application space with <cfapplication... setClientCookies="no"> and then use CFCookie to send the CFID and CFToken cookies so we can control the attributes. The cookies we set get the names CFID and CFTOKEN (all-upper-case).

If a user with no cookies goes to the Lucee administrator before they hit our application, Lucee generates 'cfid' and 'cftoken' cookies (all-lower-case names). If the user then browses to our application, additional CFID and CFTOKEN cookies are added. This duplication interferes with our sessions. The only workaround we've found is to manually clear the lower-case variants using the browser's debug tools.

If the CFID and CFTOKEN cookies are created first, Lucee does not create the redundant cookies.

Environment

Linux (CentOS 7), Java 8 and Java 11

Activity

Andreas R 
26 January 2023 at 22:21

We had a similar issue (see related issue/topic above) until we found out about the cfcookie attribute “preserveCase”. We didn't know about that then. If set, the cookie will be named exactly as defined by you and not converted to upper case. After finding “preserveCase”, we asked the Lucee Core Devs to reject/close our ticket. The correct way to go is to just define the cookie name correctly with preserveCase=true.
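Putting the preserveCase approach from this comment into practice, as an added example that is not part of the ticket or of Lucee's own code: the page sends the session identifiers itself under the lower-case names Lucee uses, keeps that case with preserveCase="true", and logs any cookie names in the incoming request that differ only by case (the standard cfcookie attributes httpOnly, secure and path are set explicitly, which is the reporter's stated reason for managing the cookies by hand; the log file name is a constructed placeholder).

```cfml
<!--- Constructed example page: session cookies managed by the application, not by Lucee --->
<cfapplication name="cookieCaseDemo" sessionManagement="true" setClientCookies="no">

<!---
  Send the session identifiers ourselves so we control the attributes.
  Name them the way Lucee itself names them (lower-case) and keep that case with
  preserveCase="true"; without it, cfcookie upper-cases the name, and a client that
  already holds Lucee's own cfid/cftoken ends up with both spellings of each cookie.
--->
<cfcookie name="cfid" value="#session.cfid#" preserveCase="true" httpOnly="true" secure="true" path="/">
<cfcookie name="cftoken" value="#session.cftoken#" preserveCase="true" httpOnly="true" secure="true" path="/">

<cfscript>
// Diagnostic: report cookie names in the raw Cookie request header that differ only by case.
// Browsers treat cookie names case-sensitively, so "CFID" and "cfid" arrive as two cookies.
function findCaseDuplicates(string cookieHeader) {
    var seen = {};   // lower-cased name -> spellings actually received
    var dupes = [];
    for (var pair in listToArray(arguments.cookieHeader, ";")) {
        var name = trim(listFirst(pair, "="));
        if (name == "") continue;
        var key = lcase(name);
        if (!structKeyExists(seen, key)) seen[key] = [];
        // arrayFind is case-sensitive, so each distinct spelling is recorded once
        if (arrayFind(seen[key], name) == 0) arrayAppend(seen[key], name);
    }
    for (var key in seen) {
        if (arrayLen(seen[key]) > 1) arrayAppend(dupes, seen[key]);
    }
    return dupes;   // e.g. [["cfid", "CFID"], ["cftoken", "CFTOKEN"]] for an affected client
}

headers = getHttpRequestData().headers;
if (structKeyExists(headers, "Cookie")) {
    for (variants in findCaseDuplicates(headers["Cookie"])) {
        // "cookie-case" is a constructed log name; use whatever log your monitoring reads
        writeLog(file="cookie-case", text="Case-variant cookies received: #arrayToList(variants)#");
    }
}
</cfscript>
```

A non-empty result from findCaseDuplicates on a client's first request after visiting the administrator is the symptom this ticket describes; after the preserveCase change it should stay empty for new clients.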

Pothys - MitrahSoft 
17 December 2021 at 13:07

Did you see my above comment? Does using the preserveCase = true attribute in cfcookie solve your issue? Could you please check with that and report back here?

Pothys - MitrahSoft 
16 September 2021 at 07:06

This issue ( ) was solved by using the preserveCase attribute in cfcookie. Could you please check with that and report back here?

Pothys - MitrahSoft 
20 November 2020 at 16:19

I've checked this ticket and confirmed the issue happened on the latest Lucee version, 6.0.0.12-SNAPSHOT, also. This issue was already confirmed in LDEV-2466. Yes, Lucee creates new cookies case-sensitively instead of overwriting the cookie.

Tim Parker 
27 April 2020 at 18:26

The multiple/duplicate cookie setting isn’t a problem as long as the client overwrites the first instance with the second - but not all clients are case-insensitive with their cookie name handling. If Lucee’s internal cookie names for CFID/CFTOKEN were updated to all-upper-case so the names were exactly the same as the cookie names produced by CFCookie… the conflict would be resolved for most cases (again, except for clients that get confused by duplicate set-cookie headers).

Details

Created 13 April 2020 at 20:24
Updated 26 January 2023 at 22:21