I was updating our application to support httponly cookies and came across what
seems like a ColdFusion quirk. I had to update a bunch of pages where we used
to set cookies using the cfcookie tag, so I went ahead and created a custom tag
that all templates can use to set a cookie. Since CF8's cfcookie does not
support the httponly flag (CF9 does), I used cfheader to set the cookie in the
custom tag, and here is what I found.

When you use the cfcookie tag to set the cookie, ColdFusion populates the
cookie struct right away. But if you use cfheader instead to set the cookie, I
believe ColdFusion does not populate the cookie struct until the next request.

I spent a couple of days chasing this issue and trying workarounds for it
without success. So, the only thing left to do was to do a relocate to the same
template the first time the cookie is set using cfheader so that ColdFusion
populates the cookie struct. (Manipulating the cookie struct is out of the
question since that messes up the cookies.)

Here is a test case to prove this:
<cfif not isDefined("cookie.cfheaderTest")>
    <cfheader name="Set-Cookie" value="cfheaderTest=1;secure;httponly"/>
</cfif>
<cfif not isDefined("cookie.cfcookieTest")>
    <cfcookie name="cfcookieTest" value="1" secure="true"/>
</cfif>
<cfdump var="#cookie#">

On the first page load, the cfdump will only have the cfcookietest cookie in
the cookie struct. Only on the second request will the cfheadertest cookie be
present in the cookie struct. Hope this helps others who are facing the same
issue. Please reply/comment if there is a better way to handle this. Thanks.
-Jawad
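
A sketch of the kind of custom tag and relocate workaround described in the post above, as an added example that is not the poster's own code. The tag name cf_setcookie, its attributes and the URL marker ckset are hypothetical; it also assumes ColdFusion URL-decodes the value when it reads the cookie back, as it does for cfcookie values.

```cfml
<!--- setcookie.cfm: hypothetical custom tag (added example), called as
      <cf_setcookie name="cfheaderTest" value="1" relocate="true"> --->
<cfif thisTag.executionMode is "start">
  <cfparam name="attributes.name" type="string">
  <cfparam name="attributes.value" type="string">
  <cfparam name="attributes.path" type="string" default="/">
  <cfparam name="attributes.secure" type="boolean" default="true">
  <cfparam name="attributes.httponly" type="boolean" default="true">
  <cfparam name="attributes.relocate" type="boolean" default="false">

  <!--- The header is built by string concatenation, so reject anything in
        the name or path (CR, LF, ";", "=", spaces) that could add extra
        cookie attributes or split the response header. --->
  <cfif not reFind("^[A-Za-z0-9_-]+$", attributes.name)>
    <cfthrow type="SetCookie.InvalidName" message="Illegal cookie name.">
  </cfif>
  <cfif not reFind("^[A-Za-z0-9_./-]+$", attributes.path)>
    <cfthrow type="SetCookie.InvalidPath" message="Illegal cookie path.">
  </cfif>

  <!--- URL-encode the value so it cannot carry ";" or line breaks
        (assumption: it is URL-decoded again when read from the cookie). --->
  <cfset cookieHeader = attributes.name & "=" & urlEncodedFormat(attributes.value)
                        & "; Path=" & attributes.path>
  <cfif attributes.secure>
    <cfset cookieHeader = cookieHeader & "; Secure">
  </cfif>
  <cfif attributes.httponly>
    <cfset cookieHeader = cookieHeader & "; HttpOnly">
  </cfif>
  <cfheader name="Set-Cookie" value="#cookieHeader#">

  <!--- The cookie struct is only filled on the next request, so optionally
        reload the same template once. The ckset marker prevents a redirect
        loop when the browser never sends the cookie back, for example a
        Secure cookie requested over plain HTTP or cookies disabled. --->
  <cfif attributes.relocate and not structKeyExists(url, "ckset")>
    <cfset target = cgi.script_name & "?ckset=1">
    <cfif len(cgi.query_string)>
      <cfset target = target & "&" & cgi.query_string>
    </cfif>
    <cflocation url="#target#" addtoken="false">
  </cfif>
</cfif>
```

On the reloaded request the calling template can test structKeyExists(cookie, "cfheaderTest"); if the key is still missing while url.ckset is present, the browser did not accept the cookie and the page should handle that case instead of relocating again.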
Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:339436