Cookies being set twice when using cfcookie-tag

Hi to all,

Because of the GDPR (European privacy regulation) I am experimenting and having a good time with Lucee and cookies, setting session cookies only after consent and so on. Then I noticed that the cookies cftoken and cfid are being created twice (when using cfcookie): one pair with uppercase and another with lowercase names. This causes some strange behaviour, because functions like session.rotate() may then affect different sessions. Here I will explain it in detail:

Please try the following in a webroot:

<!--- Application.cfc --->
<cfcomponent displayname="Application" output="false" hint="Handles the application">
	<cfset THIS.Name = "cookietest" />
	<cfset THIS.SessionManagement = true />
	<cfset THIS.SetClientCookies = false />
	<cfset THIS.SessionTimeout = createTimeSpan(0, 0, 59, 0) />

	<cfsetting requesttimeout="20" showdebugoutput="false" enablecfoutputonly="false" />

	<cffunction name="OnApplicationStart" access="public" returntype="boolean"
			output="false" hint="Fires when the application is first created.">
		<cfreturn true />
	</cffunction>

	<cffunction name="onRequest" hint="Includes the requested page.">
		<!--- cfargument must be the first statement inside a function --->
		<cfargument name="targetPage" type="string" required="true" />
		<!--- Used by the included page to build links back to itself --->
		<cfset LOCAL.PATH_INFO = CGI.SCRIPT_NAME & CGI.PATH_INFO />
		<!--- Strip generated whitespace from the CF buffer --->
		<cfcontent reset="true" /><cfinclude template="#ARGUMENTS.targetPage#" /><cfreturn />
	</cffunction>

	<cffunction name="onRequestEnd">
	</cffunction>
</cfcomponent>

and:

<!--- cookietest.cfm --->
<!DOCTYPE html>
<html>
<body>
<cfoutput>
	<a href="#LOCAL.PATH_INFO#?resetcookies=1">Reset cookies</a>
	<a href="#LOCAL.PATH_INFO#">just refresh</a>

	<!--- Per-session counter: stays intact only while the same session is kept --->
	<cfif not isDefined("session.counter")>
		<cfset session.counter = 0 />
	<cfelse>
		<cfset session.counter = session.counter + 1 />
	</cfif>
	<cfdump var="#session#" />
	<!--- The scope is "cookie" (singular); it is always defined --->
	<cfdump var="#cookie#" />
</cfoutput>
<cfif isDefined("url.resetcookies")>
	Cookies reset!
	<cfset sessionRotate() />
	<!--- Lowercase names are requested here, but cfcookie writes them in uppercase --->
	<cfcookie name="cfid" value="#SESSION.CFID#" httpOnly="true" />
	<cfcookie name="cftoken" value="#SESSION.CFTOKEN#" httpOnly="true" />
</cfif>
</body>
</html>

Steps to reproduce:

  1. Go to the login page of the Lucee server admin without logging in.
  2. Delete all browser cookies and refresh the page to see all newly created cookies. There will be a set of newly created cookies named "cftoken" and "cfid" (both names are lowercase).
  3. Go to the page cookietest.cfm.
  4. Click the "just refresh" link several times. The cookies will keep the session.
  5. Now click on "Reset cookies". This will cause a new cookie to be set, but this will happen with UPPERCASE names. This will create an additional pair of cookies instead of overwriting or updating the existing ones.

The real issue comes in when using the session.rotate() function inside of cookietest.cfm. If you comment it out, the cfcookie tag will create new cookies with the exact same values for cfid. When you do the session.rotate() it will only affect the session of the cookies with the uppercase names. Creating cookies with `<cfcookie name="#lcase('cfid')#">` won't change anything because cfcookie always creates variable names in uppercase.

I would expect the old cookies to simply be overwritten, keeping them lowercase, or uppercase names to be created everywhere (that means the cookies in Lucee's server/web admin should always be created in UPPERCASE too).

Here is my config of the Express Version:

System Information
Version: Lucee 5.3.2.77
Version Name: Gelert
Release date: May 27, 2019
Remote IP: 0:0:0:0:0:0:0:1
Servlet Container: Apache Tomcat/9.0.11
Java: 1.8.0_202 (Azul Systems, Inc.) 64bit
Host Name: localhost
OS: Windows 10 (10.0) 64bit
Architecture: 64bit

Thanks!!!
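The symptom described above is that the browser ends up holding both a lowercase and an uppercase pair of session cookies, and RFC 6265 treats cookie names as case-sensitive, so both pairs are sent on every request. The following Python script is an added example (not code from the post or from Lucee) that parses a Cookie request header and reports names that differ only by letter case; the sample header is constructed to mirror the reproduction steps.

```python
"""Detect cookie names that differ only by letter case in an HTTP Cookie header.

Per RFC 6265 cookie names are case-sensitive, so a browser that holds both
"cfid" and "CFID" sends both, and the server sees two distinct cookies.
"""
from collections import defaultdict


def parse_cookie_header(header: str) -> list[tuple[str, str]]:
    """Split a Cookie request header into (name, value) pairs in wire order.

    Pairs are separated by ';' and a name is everything before the first '='.
    Items without '=' are skipped; values are returned undecoded.
    """
    pairs = []
    for item in header.split(";"):
        item = item.strip()
        if not item or "=" not in item:
            continue
        name, value = item.split("=", 1)
        pairs.append((name.strip(), value.strip()))
    return pairs


def case_collisions(header: str) -> dict[str, list[tuple[str, str]]]:
    """Group cookies by lowercased name; return only groups with more than one spelling."""
    groups = defaultdict(list)
    for name, value in parse_cookie_header(header):
        groups[name.lower()].append((name, value))
    return {
        key: pairs
        for key, pairs in groups.items()
        if len({name for name, _ in pairs}) > 1
    }


# Constructed sample (hypothetical values): what a browser sends after the
# reproduction above, where the admin set lowercase cfid/cftoken and cfcookie
# later added an uppercase pair for a rotated session.
SAMPLE_COOKIE_HEADER = (
    "cfid=11111111-aaaa; cftoken=0; CFID=22222222-bbbb; CFTOKEN=0; consent=1"
)


def report(header: str) -> list[str]:
    """One human-readable line per colliding name, suitable for a log or debug dump."""
    lines = []
    for key, pairs in sorted(case_collisions(header).items()):
        spellings = ", ".join(f"{name}={value}" for name, value in pairs)
        lines.append(f"cookie '{key}' sent with {len(pairs)} spellings: {spellings}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_COOKIE_HEADER):
        print(line)
```

Running the script on the constructed header lists `cfid` and `cftoken` as colliding, while `consent` is not reported; the check can be dropped into any request-logging hook to spot the duplicated session cookies before a rotation silently affects only one of the pairs.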

There's an existing bug about this: [LDEV-1105] - Lucee

Thanks Zac, I didn't know about that, nor that it would affect security. To me it just looked like cookies being created twice, and thus session variables being lost.

Andreas:
Not sure if this would be helpful.
We have released a cookie life-cycle manager that handles all the getting-consent and setting-cookies parts so you don't make mistakes.
It has examples for behaviour, is localized in a few languages, and is open source.

Hi Bilal, so far I have done all the cookie/consent/GDPR-compliance stuff without any third-party tools because I never needed one. I knew Cookiebot, but not XcooBee. Great to have such an alternative. Thanks!