I was updating our application to support httponly cookies and came across what seems like a ColdFusion quirk. I had to update a bunch of pages where we used to set cookies using the cfcookie tag, so I went ahead and created a custom tag that all templates can use to set a cookie. Since CF8's cfcookie does not support the httponly flag (CF9 does), I used cfheader to set the cookie in the custom tag, and here is what I found.
When you use the cfcookie tag to set the cookie, ColdFusion populates the cookie struct right away. But if you use cfheader instead to set the cookie, I believe ColdFusion does not populate the cookie struct until the next request. I spent a couple of days chasing this issue and trying workarounds for it without success. So, the only thing left to do was to do a relocate to the same template the first time the cookie is set using cfheader so that ColdFusion populates the cookie struct. (Manipulating the cookie struct is out of the question since that messes up the cookies.)

Here is a test case to prove this:

    <!--- Set via a raw response header: not in the cookie struct until the next request --->
    <cfif not isDefined("cookie.cfheaderTest")>
        <cfheader name="Set-Cookie" value="cfheaderTest=1;secure;httponly"/>
    </cfif>

    <!--- Set via cfcookie: in the cookie struct right away --->
    <cfif not isDefined("cookie.cfcookieTest")>
        <cfcookie name="cfcookieTest" value="1" secure="true"/>
    </cfif>

    <cfdump var="#cookie#">

On the first page load, the cfdump will only have the cfcookietest cookie in the cookie struct. Only on the second request will the cfheadertest cookie be present in the cookie struct.

Hope this helps others who are facing the same issue. Please reply/comment if there is a better way to handle this.

Thanks.
-Jawad
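An added sketch, not part of the original post: a custom tag that sends the httponly cookie with cfheader and also records the value in the request scope, so code later in the same request can read it without a relocate and without touching the cookie struct. The file name `setcookie.cfm`, the `request.pendingCookies` struct and the `getCookieValue` helper are hypothetical names, and the approach assumes every template reads cookies through that helper.

```cfml
<!--- File 1: setcookie.cfm (hypothetical custom tag)
      Usage: <cf_setcookie name="cfheaderTest" value="1"> --->
<cfif thisTag.executionMode eq "start">
    <cfparam name="attributes.name" type="string">
    <cfparam name="attributes.value" type="string">
    <cfparam name="attributes.secure" type="boolean" default="true">
    <cfparam name="attributes.path" type="string" default="/">

    <!--- CF8's cfcookie has no httponly attribute, so build the header by hand --->
    <cfset headerValue = attributes.name & "=" & urlEncodedFormat(attributes.value)>
    <cfset headerValue = headerValue & ";path=" & attributes.path & ";httponly">
    <cfif attributes.secure>
        <cfset headerValue = headerValue & ";secure">
    </cfif>
    <cfheader name="Set-Cookie" value="#headerValue#">

    <!--- cfheader does not update the cookie struct, so remember the
          value for the rest of this request only --->
    <cfif not structKeyExists(request, "pendingCookies")>
        <cfset request.pendingCookies = structNew()>
    </cfif>
    <cfset request.pendingCookies[attributes.name] = attributes.value>
</cfif>

<!--- File 2: helper to include wherever cookies are read (hypothetical) --->
<cffunction name="getCookieValue" returntype="string" output="false">
    <cfargument name="name" type="string" required="true">
    <cfargument name="fallback" type="string" required="false" default="">

    <!--- A value set earlier in this request wins over what the browser sent --->
    <cfif structKeyExists(request, "pendingCookies")
          and structKeyExists(request.pendingCookies, arguments.name)>
        <cfreturn request.pendingCookies[arguments.name]>
    </cfif>

    <!--- From the second request on, the browser sends the cookie back
          and ColdFusion populates the cookie struct as usual --->
    <cfif structKeyExists(cookie, arguments.name)>
        <cfreturn cookie[arguments.name]>
    </cfif>

    <cfreturn arguments.fallback>
</cffunction>
```

Templates that still test `cookie.cfheaderTest` directly will see the same first-request gap the test case above shows.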