One of the rules for responding to a Xero webhook POST is that there must not be any cookies in the header.
In the latest 4.5 this is achievable by setting this.SetClientCookies=false in application.cfc, but in terms of the rest of my application it means my responder script must live under its own application.cfc, which is not very convenient when it comes to actually doing something with the data received.
It occurred to me that it could be possible to have a switch in onRequestStart() of my normal application.cfc:
`if(this_is_a_xero_webhook_post) this.SetClientCookies=false;`
and then reverse it in onRequestEnd(),
but I didn't try it yet:
when does onRequestEnd() fire? Before or after the actual response?
Since I'm adjusting an application variable, I'd imagine there is a significant risk that other simultaneous requests might be returned without cookies, which would not be desirable.
I'm not that keen to manually assign cfid & cftoken in all regular pages when Lucee does it for me very nicely.
Does anyone have any ideas how I can do this?
Thanks,
Richard
BTW, I tried an outgoing rewrite rule which nicely blanks all Set-Cookie: values, but Xero still chokes on it; there seems to be no way of actually deleting the keys in a rewrite rule. (IIS 8.5)
You should be able to add this condition earlier in your Application.cfc at the point where you are already setting setClientCookies. If using the Xero IP address for the test, you might try something like this:
@Julian_Halliwell is right. That should be set in the body of the Application.cfc component and not inside a function.
Another option is to disable the client cookies only in the scripts that require that. That can be done using the `<cfapplication>` tag in those scripts. That would be in addition to your Application.cfc, not in its stead.
Simply because Xero IP numbers change a lot, but my target template is constant (no auth problem, because a hash of the payload using a pre-defined secret must match an "x-xero-signature" header value).
I wasn't aware @isapir's idea was possible, so I tried it. Interesting idea, but the effect (I think) is the same as having a template under its own application.cfc: it is of course possible to stop cookies in just that template, but it also doesn't have access to any application etc. variables of the global app, which in my case was what I was trying to achieve.
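Putting Julian's suggestion (set the condition in the body of Application.cfc) together with Richard's preference for keying on the constant target path rather than Xero's changing IPs, here is an added example that is not from the thread: the pseudo-constructor decides `this.setClientCookies` for the current request only, so other concurrent requests keep their cookies and the webhook template still sees the global application scope, and onRequestStart() rejects the POST before any handler touches the payload unless the signature matches. The application name, the webhook path, `application.xeroWebhookKey` and the base64(HMAC-SHA256) signature scheme are assumptions.

```cfml
// Application.cfc (example code, not from the thread or from Lucee)
component {
    this.name = "myApp";                 // assumed application name
    this.sessionManagement = true;

    // Assumed: the one constant path Xero posts to. Keyed on the path, not
    // on Xero's IP addresses, which change.
    variables.webhookPath = "/xero/webhook.cfm";
    variables.isXeroWebhook = (cgi.request_method == "POST"
                               && cgi.script_name == variables.webhookPath);

    // The pseudo-constructor runs on every request, so this value is scoped
    // to the current request; no other request is returned without cookies.
    this.setClientCookies = !variables.isXeroWebhook;

    public boolean function onRequestStart(required string targetPage) {
        if (variables.isXeroWebhook) {
            // Verify the signature before any handler code sees the payload.
            // application.xeroWebhookKey is an assumed name for the secret.
            var req = getHttpRequestData();
            var sig = structKeyExists(req.headers, "x-xero-signature")
                      ? req.headers["x-xero-signature"] : "";
            if (!xeroSignatureValid(toString(req.content), sig,
                                    application.xeroWebhookKey)) {
                getPageContext().getResponse().setStatus(401);
                abort;
            }
        }
        return true;
    }

    // Assumes Xero's scheme: the header carries base64(HMAC-SHA256(body, key)).
    private boolean function xeroSignatureValid(required string rawBody,
            required string signature, required string key) {
        var expectedHex = hmac(arguments.rawBody, arguments.key,
                               "HmacSHA256", "utf-8");
        var expected = binaryEncode(binaryDecode(expectedHex, "hex"), "base64");
        // Constant-time comparison via the JDK so that response timing does
        // not reveal how many leading bytes of the signature matched.
        return createObject("java", "java.security.MessageDigest").isEqual(
            charsetDecode(expected, "utf-8"),
            charsetDecode(arguments.signature, "utf-8"));
    }
}
```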
The Servlet API (on which Lucee and ACF are built) does not expose a method for clearing previously set headers. We can, theoretically, add an internal array that would hold the headers and only pass them forward on the first response “commit”, but is it worth it?