Cfcookie using UTC not GMT in 5.3

We have recently updated to Lucee 5.3.2.77. cfcookie is using UTC instead of GMT, which breaks interoperability with the .NET HttpWebRequest.CookieContainer.

I have seen a discussion with MS engineers (circa 2018) where they discussed accepting UTC as well as GMT in Expires etc., but they were of the opinion that somewhere the RFCs are explicit in that only GMT is acceptable.

I looked through RFC 7234 and 6265 and didn’t see any specific notation to the effect that UTC wasn’t acceptable, though all examples are given in GMT. They had referenced an older RFC as definitive, but I’ve been unable to find the conversation again. I don’t know if this should be considered a bug or just something for people to be aware of.

-Greg.

Did you update from an earlier version of Lucee that used GMT? Or have you updated from another engine? For example ACF.

Lucee 5.1 was using GMT as was the 4.* releases.

Just a heads up - we’ve run into this during our production Lucee 4.5 to Lucee 5.3 upgrade. Our external Azure AppInsights availability tests (and Visual Studio Web Tests) were all failing to log in to our application while normal browsers didn’t care. I dug into this for several hours until discovering the different UTC from GMT changes in our cookie values.

I have temporarily remediated this with URL rewrite rules in IIS, but that adds overhead to every request. Rule syntax added at the end of this post in case it helps others…

It would be interesting to see if the Set-Cookie header function could be updated to send GMT in this case. I’ve tried passing a GMT timezone default to Tomcat via parameter but that had no effect on this.

I think the key is RFC 6265 and Microsoft’s strict interpretation of it. It’s hard to tell them they’re wrong based on the wording of the RFC, and while we haven’t seen client impact due to this, others surely had the same issues with UTC vs. GMT and interop with MSFT tools.

Thanks in advance - this post helped solve the issue. Add into the system.webServer node of your web.config.

    <system.webServer>
        <rewrite>
            <outboundRules>
                <!-- Rewrites "UTC" to "GMT" in outgoing Set-Cookie headers -->
                <rule name="Modify Cookie" enabled="true">
                    <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" />
                    <conditions>
                        <add input="{R:0}" pattern="(.*)UTC(.*)" />
                    </conditions>
                    <action type="Rewrite" value="{C:1}GMT{C:2}" />
                </rule>
            </outboundRules>
        </rewrite>
    </system.webServer>

bug filed [LDEV-4314] - Lucee

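An added example, not part of the thread or of Lucee: a Python check over Set-Cookie values that flags any Expires attribute not in the rfc1123-date form (RFC 2616 section 3.3.1, which RFC 6265 section 4.1.1 references for servers), whose zone is the literal GMT. The sample headers, cookie names and status labels are constructed for illustration.

```python
import re

# rfc1123-date (RFC 2616 section 3.3.1): the zone is the literal "GMT".
RFC1123_DATE = re.compile(
    r"^(Mon|Tue|Wed|Thu|Fri|Sat|Sun), \d{2} "
    r"(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) \d{4} "
    r"\d{2}:\d{2}:\d{2} GMT$"
)

def expires_of(set_cookie):
    """Return (cookie_name, expires_value or None) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        if key.strip().lower() == "expires":
            return name, value.strip()
    return name, None

def classify(set_cookie):
    """Label a Set-Cookie value: session, ok, non-gmt-zone or bad-format."""
    name, expires = expires_of(set_cookie)
    if expires is None:
        return name, "session"
    if RFC1123_DATE.match(expires):
        return name, "ok"
    # Only the Expires attribute is inspected, so "UTC" inside a cookie
    # name or value is never mistaken for a time zone.
    zone = expires.rsplit(" ", 1)[-1]
    return name, "non-gmt-zone" if zone.upper() != "GMT" else "bad-format"

def audit(headers):
    """Return only the cookies a strict client may reject."""
    results = (classify(h) for h in headers)
    return [(n, s) for n, s in results if s not in ("ok", "session")]

# Constructed sample Set-Cookie values (not captured from a real server).
SAMPLE = [
    "CFID=abc123; Path=/; Expires=Tue, 01 Jan 2030 10:00:00 UTC; HttpOnly",
    "CFTOKEN=0; Path=/; Expires=Tue, 01 Jan 2030 10:00:00 GMT; HttpOnly",
    "TZ=UTC; Path=/; Secure",
    "LEGACY=1; Path=/; expires=Tue, 01-Jan-2030 10:00:00 GMT",
]

if __name__ == "__main__":
    for name, status in audit(SAMPLE):
        print(f"{name}: {status}")
```

Feeding it the Set-Cookie values captured before and after an engine upgrade shows which cookies changed format.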