RE: [ACFUG Discuss] cfcookie with the domain attribute
Thanks Howard and Charlie! Like you said, I thought cookies were only available to the domain that set them. The way I read it, the CF documentation is misleading: Domain Domain in which cookie is valid and to which cookie content can be sent from the user's system. By default, the cookie is only available to the server that set it. Use this attribute to make the cookie available to other servers. I originally planned on using URL parameters, but had a problem with that approach. Thanks for the clarification! Clarke -Original Message- From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of Charlie Arehart Sent: Wednesday, June 24, 2009 9:12 PM To: discussion@acfug.org Subject: RE: [ACFUG Discuss] cfcookie with the domain attribute Yeah, adding to what Howard noted, the DOMAIN attribute isn't there for the reason you're using it. It's instead for controlling use of cookies on that single domain that's setting the cookie, but controlling whether and how it works for any subdomains under it. You can't simply name another domain (that's not the one setting it) and hope that it can be read by that other domain. This really goes to an old and fundamental security feature built into cookies. The designers specifically didn't WANT visitors to Server A to have a cookie set there which would be read when the request got to Server B. That could be abused by those wanting to track visits. Of course, there have been many ways that people have gotten around that. I guess if you really wanted to do it with cookies (rather than the URL parms Howard recommends), you can pursue those alternatives. Just think like (or search how to act like) a hacker. :-) /charlie PS Hey Howard, if you're reading this, can you see if you got an email from me, direct to you yesterday? -Original Message- From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of Howard Fore Sent: Wednesday, June 24, 2009 7:13 PM To: discussion@acfug.org Subject: Re: [ACFUG Discuss] cfcookie with the domain attribute Clark, Cookies can only be set and read by a single domain. If you want to pass the data to a second site, I'd suggest URL parameters. - To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform For more info, see http://www.acfug.org/mailinglists Archive @ http://www.mail-archive.com/discussion%40acfug.org/ List hosted by http://www.fusionlink.com - - To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform For more info, see http://www.acfug.org/mailinglists Archive @ http://www.mail-archive.com/discussion%40acfug.org/ List hosted by http://www.fusionlink.com -
Re: [ACFUG Discuss] cfcookie with the domain attribute
I guess when they say other servers they really mean other servers in the same domain. -- Howard Fore, howard.f...@hofo.com The universe tends toward maximum irony. Don't push it. - Jeff Atwood On Thu, Jun 25, 2009 at 6:51 AM, Clarke Bishop cbis...@resultantsys.comwrote: Thanks Howard and Charlie! Like you said, I thought cookies were only available to the domain that set them. The way I read it, the CF documentation is misleading: *Domain* Domain in which cookie is valid and to which cookie content can be sent from the user's system. *By default, the cookie is only available to the server that set it. Use this attribute to make the cookie available to other servers.* I originally planned on using URL parameters, but had a problem with that approach. Thanks for the clarification! Clarke
RE: [ACFUG Discuss] cfcookie with the domain attribute
Yes, and Clarke, I would highly recommend you drop a feedback into the livedocs on that (the CF8 ones, not 7 or 6, as I don't know that they go back and review those for ideas, though they should, since some find them while doing searches.) /charlie From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of Howard Fore Sent: Thursday, June 25, 2009 7:03 AM To: discussion@acfug.org Subject: Re: [ACFUG Discuss] cfcookie with the domain attribute I guess when they say other servers they really mean other servers in the same domain. -- Howard Fore, howard.f...@hofo.com The universe tends toward maximum irony. Don't push it. - Jeff Atwood On Thu, Jun 25, 2009 at 6:51 AM, Clarke Bishop cbis...@resultantsys.com wrote: Thanks Howard and Charlie! Like you said, I thought cookies were only available to the domain that set them. The way I read it, the CF documentation is misleading: Domain Domain in which cookie is valid and to which cookie content can be sent from the user's system. By default, the cookie is only available to the server that set it. Use this attribute to make the cookie available to other servers. I originally planned on using URL parameters, but had a problem with that approach. Thanks for the clarification! Clarke - To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform For more info, see http://www.acfug.org/mailinglists Archive @ http://www.mail-archive.com/discussion%40acfug.org/ List hosted by http://www.fusionlink.com -
[ACFUG Discuss] cfcookie with the domain attribute
I am trying to pass a cookie from my site into a shopping cart on another site. It seems like this would be possible: 1. Use cfcookie name = myCookie value = #myCookieVal# expires = 30 domain=.myDomain.com 2. Do a cflocation to the other server 3. Then, read the cookie with Javascript once the browser goes to myDomain.com I'm also setting the cookie without the domain attribute so I can see it on my server. On my server, I can read the cookie, so I know it's getting set. But, I can't read the cookie from the other server. I'm using a Javascript alert to dump out the entire document.cookie string, and my cookie is not there! The other server is secure (https). Any ideas what might be going on? Am I mis-using cfcookie? Thanks for your help! Clarke - To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform For more info, see http://www.acfug.org/mailinglists Archive @ http://www.mail-archive.com/discussion%40acfug.org/ List hosted by http://www.fusionlink.com -
Re: [ACFUG Discuss] cfcookie with the domain attribute
Clark, Cookies can only be set and read by a single domain. If you want to pass the data to a second site, I'd suggest URL parameters. On Wednesday, June 24, 2009, Clarke Bishop cbis...@resultantsys.com wrote: I am trying to pass a cookie from my site into a shopping cart on another site. It seems like this would be possible: 1. Use cfcookie name = myCookie value = #myCookieVal# expires = 30 domain=.myDomain.com 2. Do a cflocation to the other server 3. Then, read the cookie with Javascript once the browser goes to myDomain.com I’m also setting the cookie without the domain attribute so I can see it on my server. On my server, I can read the cookie, so I know it’s getting set. But, I can’t read the cookie from the other server. I’m using a Javascript alert to dump out the entire document.cookie string, and my cookie is not there! The other server is secure (https). Any ideas what might be going on? Am I mis-using cfcookie? Thanks for your help! Clarke - To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform For more info, see http://www.acfug.org/mailinglists Archive @ http://www.mail-archive.com/discussion%40acfug.org/ List hosted by FusionLink http://www.fusionlink.com - -- -- Howard Fore, howard.f...@hofo.com The universe tends toward maximum irony. Don't push it. - Jeff Atwood - To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform For more info, see http://www.acfug.org/mailinglists Archive @ http://www.mail-archive.com/discussion%40acfug.org/ List hosted by http://www.fusionlink.com -
RE: [ACFUG Discuss] cfcookie with the domain attribute
Yeah, adding to what Howard noted, the DOMAIN attribute isn't there for the reason you're using it. It's instead for controlling use of cookies on that single domain that's setting the cookie, but controlling whether and how it works for any subdomains under it. You can't simply name another domain (that's not the one setting it) and hope that it can be read by that other domain. This really goes to an old and fundamental security feature built into cookies. The designers specifically didn't WANT visitors to Server A to have a cookie set there which would be read when the request got to Server B. That could be abused by those wanting to track visits. Of course, there have been many ways that people have gotten around that. I guess if you really wanted to do it with cookies (rather than the URL parms Howard recommends), you can pursue those alternatives. Just think like (or search how to act like) a hacker. :-) /charlie PS Hey Howard, if you're reading this, can you see if you got an email from me, direct to you yesterday? -Original Message- From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of Howard Fore Sent: Wednesday, June 24, 2009 7:13 PM To: discussion@acfug.org Subject: Re: [ACFUG Discuss] cfcookie with the domain attribute Clark, Cookies can only be set and read by a single domain. If you want to pass the data to a second site, I'd suggest URL parameters. - To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform For more info, see http://www.acfug.org/mailinglists Archive @ http://www.mail-archive.com/discussion%40acfug.org/ List hosted by http://www.fusionlink.com -