Reputation: 7833
In order to log out a user, I always used the following lines:
<cfset structClear(SESSION)>
<cfcookie name="CFID" value="" expires="NOW">
<cfcookie name="CFTOKEN" value="" expires="NOW">
It clears the data kept in the session at runtime and resets/renews CFID and CFTOKEN.
It still works on our old server (ColdFusion 8), but it no longer works on our new server (ColdFusion 10). The reason this attempt fails in ColdFusion 10 is rather simple: Whenever I try to overwrite CFID or CFTOKEN (with <cfcookie>), the cookie is placed on the top domain, e.g.:
Cookie set via <cfcookie> on ColdFusion 10:
domain: .myserver.com
while ColdFusion places its session cookies on the actual (sub)domain:
Generated CFID/CFTOKEN by ColdFusion 10:
domain: mywebsite.myserver.com
The funny thing is: If I set something like:
<cfcookie name="TEST" value="..." expires="NEVER">
the cookie is correctly set with:
domain: mywebsite.myserver.com
And I can easily clear the cookie using:
<cfcookie name="TEST" value="" expires="NOW">
I tried to use the domain property, but this:
<cfcookie name="CFID" value="" domain="mywebsite.myserver.com" expires="NOW">
always ends up as:
domain: .mywebsite.myserver.com
(notice the dot in front) and thus is not recognized as the same cookie.
Another strange thing is that using:
<cfcookie name="CFID" value="" expires="NOW">
will not just generate a cookie with the wrong domain, but the cookie is kept instead of being deleted as expired.
I checked the server settings for cookies on the ColdFusion 10 machine and the property "Disable updating ColdFusion internal cookies using ColdFusion tags/functions" is not checked.
Can anyone help me with this strange case?
Upvotes: 4
Views: 2848
Reputation: 13548
There has already been some in-depth discussion about the behavior of <cfcookie> related to domains. The following posts mention that the workaround seems to be using <cfheader> to work with the cookies:
why doesn't cfcookie allow setting domain= to a subdomain for CFID/CFTOKEN?
After posting that question Henry actually entered a bug with Adobe on it:
https://bugbase.adobe.com/index.cfm?event=bug&id=3593673
You can add your comments/vote to the bug.
While I believe these references answer your questions regarding the <cfcookie> behavior that you are seeing, if you are only concerned with "expiring" the user's session then Scott's answer gives you a better way to invalidate the user's current session than manually setting the cookies.
Upvotes: 7
Reputation: 7519
In ColdFusion 10, you can use sessionInvalidate() to accomplish this. You will not need to worry about removing the cookies either.
Upvotes: 7
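A logout page combining the two answers above, as an added example that is not code from any of the posts: sessionInvalidate() ends the server-side session, and <cfheader> expires CFID/CFTOKEN without a Domain attribute so the cookie stays on the exact host, like the ones ColdFusion generated. It assumes ColdFusion 10 with ColdFusion (not J2EE) session management, session cookies on path "/", and the "Disable updating ColdFusion internal cookies" setting unchecked, as on the asker's server; the file name logout.cfm is hypothetical.

```cfml
<!--- logout.cfm (hypothetical file name): added example, not from the posts above --->

<!--- 1. End the server-side session. This is what actually logs the user out:
         the old CFID/CFTOKEN pair no longer maps to any session data, so it
         cannot be replayed even if the browser keeps sending it. --->
<cfset sessionInvalidate()>

<!--- 2. Optional client-side cleanup for the case described in the question.
         Writing the Set-Cookie header directly avoids <cfcookie>, which placed
         the cookie on ".myserver.com" or ".mywebsite.myserver.com".
         With no Domain attribute the browser scopes the cookie to the
         requesting host only, e.g. mywebsite.myserver.com.
         Assumption: the session cookies were issued with Path=/ . --->
<cfset expiredAt = "Thu, 01 Jan 1970 00:00:00 GMT">
<cfloop list="CFID,CFTOKEN" index="cookieName">
    <!--- Only answer for cookies the browser actually sent with this request --->
    <cfif structKeyExists(cookie, cookieName)>
        <cfheader name="Set-Cookie"
                  value="#cookieName#=; Path=/; Expires=#expiredAt#; Max-Age=0; HttpOnly">
    </cfif>
</cfloop>

<cfoutput>You have been logged out.</cfoutput>
```

To check the result, look at the response headers of the logout request in the browser's developer tools: each Set-Cookie line for CFID and CFTOKEN should carry no Domain attribute.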