I am noticing strange behaviour with my ColdFusion session cookies whereby the domain, path and httponly attributes are not retained.
In my application.cfc file I have this.setclientcookies set to false.
In my onSessionStart event I then have the following code:
<cfset sessionRotate()>
<cfcookie name="CFID" value="#session.cfid#" path="#application.sessioncookiespath#" domain="#application.sessioncookiesdomain#" httponly="yes">
<cfcookie name="CFTOKEN" value="#session.cftoken#" path="#application.sessioncookiespath#" domain="#application.sessioncookiesdomain#" httponly="yes">
The first time I visit a page, the CFID and CFTOKEN cookies get sent to the browser with the correct values, domains, paths, expiry dates, etc.
But when viewing the request cookies for subsequent requests everything but the value of the cookie has been lost.
If I then close the browser, reopen it and go to a page, the same cookies are sent to the server and so I get the same session, instead of the expected behaviour of the browser deleting the cookies when closed.
Can anybody shed any light on this?
Thanks.
In response to Sean.
Response cookies returned on initial request to www.domainname.com/sub are:
Set Cookie CFID=123456; Domain=.domainname.com; Expires=Fri, 07-Feb-2014 15:12:33 GMT; Path=/sub; HttpOnly
Set Cookie CFTOKEN=2cf168a89952feec%2D4DAC5903%2D1DD8%2DB71C%2D3B0166C2FDAF5D6B; Domain=.domainname.com; Expires=Fri, 07-Feb-2014 15:12:33 GMT; Path=/sub; HttpOnly
Subsequent requests to any other page (any page at the same level or deeper than the /sub directory) or the same page (i.e. refreshing the page) send the following request cookie string:
CFID=191297; CFTOKEN=2cf168a89952feec%2D4DAC5903%2D1DD8%2DB71C%2D0B0166C2FDAF5D6D; ASP.NET_SessionId=s43bplyduc0hkgintth4gcqh
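An added example, not part of the original post: under RFC 6265 a browser keeps the attributes from Set-Cookie in its cookie jar but sends only name=value pairs in the Cookie request header, and an Expires or Max-Age attribute makes a cookie persist across browser restarts. The function names are illustrative, and the second sample header (without Expires) is constructed for contrast.

```javascript
// Constructed sample input: the first header mirrors the CFID response cookie
// shown in the post; the second is a constructed variant with no Expires.
const SAMPLE_SET_COOKIE = [
  "CFID=123456; Domain=.domainname.com; Expires=Fri, 07-Feb-2014 15:12:33 GMT; Path=/sub; HttpOnly",
  "CFTOKEN=2cf168a89952feec%2D4DAC5903; Domain=.domainname.com; Path=/sub; HttpOnly",
];

// Parse one Set-Cookie header value into what a browser's cookie jar stores.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  // Expires or Max-Age turns a session cookie into a persistent one.
  cookie.persistent = "expires" in cookie.attrs || "max-age" in cookie.attrs;
  return cookie;
}

// Build the Cookie request header: attributes are never echoed back,
// so the server only ever sees name=value pairs.
function cookieRequestHeader(jar) {
  return jar.map((c) => `${c.name}=${c.value}`).join("; ");
}

// Flag properties that matter for a session identifier cookie.
function auditSessionCookie(c) {
  const findings = [];
  if (!c.attrs.httponly) findings.push("missing HttpOnly");
  if (c.persistent) findings.push("persistent: survives browser close");
  return findings;
}

const jar = SAMPLE_SET_COOKIE.map(parseSetCookie);
console.log("Cookie:", cookieRequestHeader(jar));
for (const c of jar) {
  console.log(c.name, auditSessionCookie(c));
}
```

To check which attributes the browser actually stored, inspect the Set-Cookie response headers or the browser's cookie storage view rather than the request's Cookie header.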