CF10 writes CFID and CFToken cookies incorrectly, causing session problems (fatal for CF9) for all other instances in domain
Problem Description: CF10 is writing CFID and CFToken cookies as DOMAIN cookies, and (apparently) ignoring the 'SetClientCookies' attribute on CFApplication. Net result is CFID/CFToken pair global to the entire domain, leading to session loss if any other CF instance (anywhere in the entire domain) is accessed. In combination with another bug found in both CF9 and CF10 (also submitted by me, number not available because it was reported as a 'security' bug), if the CF10 instance creates the first cookie for a given user, that user will not be able to establish a session with any other CF9 instance in the domain.
Steps to Reproduce:
1. Set up the configuration described below.
2. Browse to the CF10 instance at http://red.test.xyz:8010/test/test.cfm
   - View cookies in Firebug.
   - Observe that the CFID/CFToken cookies have the domain '.test.xyz' - 'red.test.xyz' is expected.
   - Also observe that the cookies are NOT session cookies, as they should be (according to the CFCookie attributes).
For the worst-case scenario...
3. Now browse to the CF9 instance at http://green.test.xyz:8009/test/test.cfm
   - Observe that new CFID/CFToken values were created (this is expected - first hit to 'green').
   - View cookies - observe that there are now duplicate cookies for CFID/CFToken - one set for .test.xyz, one for green.test.xyz.
4. Reload this page...
   - Observe duplicate keys in CFDump output (this is the other issue I reported).
   - Observe also that the CFID/CFToken values are NOT the same as in the previous request - these will update *for every subsequent request*: domain-wide chaos.
NOTE - the 'adobe.com' domain is affected by this problem - as noted in the other issue - if a user's first visit (since clearing cookies) is to a CF10 instance in adobe.com (so a .adobe.com CFID/CFToken pair exists in their cookie jar) and they then attempt to access bugbase.adobe.com, the result is an infinite redirect [bugbase appears not to be upgraded to CF10 yet].
Expected Result: unique CFID/CFToken pairs maintained for each server name
Any Workarounds: adding '-Dcoldfusion.session.protectfixation=false' in jvm.config is a partial solution, but must be done for all CF instances in domain, resulting in substantial (and unacceptable) security risk
To see the bug itself, all you need is one CF10 instance and a site with session management enabled and a fully-qualified server name (test1.adobe.com).
For ease of viewing cookies, use either FireFox with FireBug installed... or Chrome
For the worst-case scenario, you will need at least one CF10 instance and at least one CF9 instance. For discussion, let's say these instances are on port 8009 (the CF9 instance) and 8010 (the CF10 instance).
Add the following entries to the 'hosts' file on the machine where your browser is running [update the IP address as appropriate so these aliases all point to the server where the CF instances are running]:
Place the following two files in an otherwise-empty directory ('test', for purposes of discussion) at the web root for each CF instance:
<!--- First file: the application settings (conventionally Application.cfm; the report does not name the files).
      SetClientCookies="NO" tells CF not to write CFID/CFToken itself, so that the two cfcookie tags
      below can write them as host-scoped session cookies (no domain, no expires). --->
<cfset sessionTimeout = CreateTimeSpan(0,0,60,0)>
<CFAPPLICATION NAME="CommonSpot" SESSIONMANAGEMENT="Yes" SESSIONTIMEOUT="#sessionTimeout#" SetClientCookies="NO">
<cfcookie name="CFID" value="#Session.CFID#">
<cfcookie name="CFToken" value="#Session.CFToken#">

<!--- Second file: test.cfm (the page requested in the steps above). --->
<CFOutput>hello, world<br /></CFOutput>
<cfcookie name="hello" value="hello cookie set at #Now()#">
<cfscript>
    // struct describing a second, non-session cookie
    foo = StructNew();
    foo.name = "goodbye";
    foo.value = "goodbye cookie set at #Now()#";
</cfscript>
<!--- dump the cookie scope as received on this request --->
<cfdump var=#cookie# label="Cookie">
|Found In Build|Final|
|Fixed In Build||
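As an added check (not from the report or from Adobe), the following Python script reads the Set-Cookie headers each instance returns and flags the two symptoms the report describes: CFID/CFToken scoped to the parent domain rather than the requesting host, and written with an expiry instead of as session cookies. It also lists the duplicate CFID/CFToken names a browser would then send back. The header strings are constructed sample values; only the host names come from the report.

```python
"""Audit CFID/CFToken cookie scoping across CF instances that share a domain."""

SESSION_COOKIE_NAMES = {"CFID", "CFTOKEN"}

# Constructed sample headers: what the report describes the CF10 instance
# (red.test.xyz) sending, beside a host-scoped CF9 instance (green.test.xyz).
SAMPLE_SET_COOKIE = {
    "red.test.xyz": [
        "CFID=12345; Domain=.test.xyz; Expires=Fri, 30-Jan-2044 00:00:00 GMT; Path=/",
        "CFTOKEN=abcdef; Domain=.test.xyz; Expires=Fri, 30-Jan-2044 00:00:00 GMT; Path=/",
    ],
    "green.test.xyz": ["CFID=67890; Path=/", "CFTOKEN=ghijkl; Path=/"],
}


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute_lower: value})."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookies(host, headers):
    """Return (cookie, problem, detail) tuples for CFID/CFToken headers sent by host."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if name.upper() not in SESSION_COOKIE_NAMES:
            continue
        domain = attrs.get("domain", "").lstrip(".").lower()
        if domain and domain != host.lower():
            # Parent-domain scope: every other CF instance under that domain receives it.
            findings.append((name, "domain", domain))
        if "expires" in attrs or "max-age" in attrs:
            # A session identifier should be a session cookie, not a persistent one.
            findings.append((name, "persistent", attrs.get("expires", attrs.get("max-age"))))
    return findings


def duplicate_cookie_names(cookie_header):
    """Names that appear more than once in a browser's Cookie request header."""
    seen, dupes = set(), set()
    for pair in cookie_header.split(";"):
        name = pair.strip().partition("=")[0].upper()
        if name in seen:
            dupes.add(name)
        seen.add(name)
    return sorted(dupes)
```

Run it against real responses by feeding each instance's Set-Cookie headers to audit_set_cookies with the host you requested; an empty result means the cookies are host-scoped session cookies.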
11:12:03 PM GMT+00:00 Jan 31, 2014
Our users' sessions are dropping.
9:13:00 AM GMT+00:00 Jan 31, 2014
We're experiencing the same issue.
9:10:04 AM GMT+00:00 Jan 31, 2014
Losing precious time because of this bug.
Tariq Ahmed [ACP]
8:00:01 AM GMT+00:00 Jan 31, 2014
We're having a similar issue where users suddenly lose their session.