CF-4057613

Title

CFID & CFTOKEN include "hash" prefix this is not compatible with previous versions

Description

Related Bugs: CF-4107152 - Similar to Problem Description: CF11 (and at least some recent updates to CF10) include some kind of "hash" prefix in front of the values of the CFID & CFTOKEN cookies. As far as I can tell, this change is not documented and cannot be disabled. This change breaks session sharing between servers running different of CF and it seems to break things when the host name and/or cfapplication name changes. (Our testing did not nail this down.) I would have expected a change like this to be 1) documented and 2) able to be disabled via a jvm.config argument Steps to Reproduce: Hit a CF11 site that is not using "Use UUID for cftoken" Actual Result: CFID=Z4iqyj5ekgtiqnnaafjwnjfv918npvjndfx6r17xcvr0lrdc1ny-13223 Expected Result: CFID=13223 Any Workarounds: ----------------------------- Additional Watson Details ----------------------------- Watson Bug ID: 4057613 External Customer Info: External Company: External Customer Name: Mark Gaulin External Customer Email:

This new behavior may be fantastic for most people, and one day I may be ready to use this too, but this feature needs be configurable so that new CF10 updates are safe for us to apply.

Comment by External U.

09/16/2015 08:42:12 GMT

FYI, my latest testing seems to indicate that the "hash" is based on the domain string that would be used if "set domain cookies" is enabled. It also looks like this hash is not included if set domain cookies is not enabled. If true, I would consider this to be good news for multi-server sites that want to share CF session cookies, but I would really love to see documentation that confirmed this to be the case, and that Adobe was committed to supporting that behavior officially. (I would still very much like to be able to disable this feature on a per-instance basis to allow us to roll CF updates across our web site clusters in a controlled manner.)

Comment by External U.

09/18/2015 15:05:18 GMT

Added a new JVM Argument coldfusion.cookie.prefixdomainhash and setting this argument value to false will disable the hash prefix. As Mark said this hash prefix enables us to share CF session cookies across multi-server sites (multiple sub domains) we will get this documented as well. And the JVM argument support will be available in the next update of CF10/11. Thanks, Pavan.

Comment by S V.

01/04/2016 05:42:50 GMT

Hi Adobe, I've verified this is fixed in CF2016 Update 1 (build 2016.0.01.298513). Thanks!, -Aaron

Comment by Aaron N.

08/05/2017 21:09:20 GMT

Status:

Closed

Details

Date Created:

09/16/2015

Component:

Core Runtime

Version:

Gold Master

Failure Type

Data Loss

Found In Build:

CF11_Final

Fixed In Build:

Priority:

Normal

Frequency:

Some users will encounter

System:

Win 2008 Server

Browser:

Resolution

Fixed

Reason Code:

Votes:

1

Vote Comments:

Same behaviour in CF 10 Update 18

Comment by External U.

11/30/2015 10:09:31 GMT
FAQ
Terms of Use
Online Privacy Policy

Copyright © 2017 Adobe Systems Incorporated. All rights reserved.