SetClientCookies=false per request

Dear all

One of the rules for responding to a Xero webhook POST is that there must not be any cookies in the header.

In 4.5 latest this is achievable by setting this.SetClientCookies=false in Application.cfc, but for the rest of my application it means my responder script must live under its own Application.cfc, which is not very convenient when it comes to actually doing something with the data received.

It occurred to me that it could be possible to have a switch in onRequestStart() of my normal Application.cfc

    if(this_is_a_xero_webhook_post) this.SetClientCookies=false;

and then reverse it in onRequestEnd()

but I didn’t try it yet:

  • when does onRequestEnd() fire? Before or after the actual response?
  • since I’m adjusting an application variable, I’d imagine there is a significant risk that other simultaneous requests might be returned without cookies which would not be desirable.

I’m not that keen to manually assign cfid & cftoken in all regular pages when Lucee does it for me very nicely.

Does anyone have any ideas how I can do this?


BTW, I tried an outgoing rewrite rule which nicely blanks all Set-Cookie: values, but Xero still chokes on it; there seems to be no way of actually deleting the keys in a rewrite rule. (IIS 8.5)

You should be able to add this condition earlier in your Application.cfc at the point where you are already setting setClientCookies. If using the Xero IP address for the test, you might try something like this:

    component {
      this.name = "appName";
      // etc
      // evaluated in the pseudo-constructor, i.e. once per request, before any method runs
      request.isFromXero = ( cgi.remote_addr == "[xero IP address]" );
      this.setClientCookies = request.isFromXero ? false : true;
      // etc
    }

No need to reset using onRequestEnd(), the decision is made afresh at the beginning of every request.

Great idea, I’ll try it. Thank you!



@Julian_Halliwell is right. That should be set in the body of the Application.cfc component and not inside a function.

Another option is to disable the client cookies only in the scripts that require that. That can be done with using the <cfapplication> tag in those scripts. That would be in addition to your Application.cfc, not in its stead.

@Julian_Halliwell’s idea works perfectly, but adjusted a bit

    // match on the target template rather than the caller's IP address
    request.isFromXero = find("xero_webhook.cfm", cgi.script_name);
    this.setClientCookies = request.isFromXero ? false : true;

simply because Xero IP numbers change a lot but my target template is constant (no auth problem because a hash of the payload using a pre-defined secret must match a “x-xero-signature” header value).

I wasn’t aware @isapir’s idea was possible, so I tried it. Interesting idea, but the effect (I think) is the same as having a template under its own Application.cfc: of course it is possible to stop cookies in just that template, but it also doesn’t have access to any application etc. variables of the global app, which in my case was what I was trying to achieve.

Anyway, I am happy, so thank you!



1 Like
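Putting the two posts above together as one complete Application.cfc: the per-request `setClientCookies` decision made in the pseudo-constructor (so it never bleeds into other concurrent requests), plus the signature check the original poster relies on instead of IP matching. This is an added example, not code from Julian, isapir or the original poster. The template name `xero_webhook.cfm` and the `x-xero-signature` header come from the thread; the `XERO_WEBHOOK_KEY` environment variable, the `isValidXeroSignature` helper and the assumption that the signature is Base64(HMAC-SHA256(raw body, key)) are mine.

```cfml
// Application.cfc (added example; not the code of any participant in this thread)
component {

    this.name = "appName";
    this.sessionManagement = true;

    // Decided afresh in the pseudo-constructor on every request, so it cannot
    // affect other requests running at the same time. The template name is
    // taken from the thread; everything else here is an assumption.
    request.isFromXero    = findNoCase( "xero_webhook.cfm", cgi.script_name ) > 0;
    this.setClientCookies = !request.isFromXero;

    // Assumption: the webhook signing key is supplied via an environment
    // variable rather than committed to source.
    variables.webhookKey = server.system.environment[ "XERO_WEBHOOK_KEY" ] ?: "";

    public boolean function onRequestStart( required string targetPage ) {
        if ( request.isFromXero ) {
            var reqData   = getHttpRequestData();
            var signature = reqData.headers[ "x-xero-signature" ] ?: "";
            if ( !isValidXeroSignature( reqData.content, signature ) ) {
                // Reject before the webhook template runs; no cookies are set either way.
                cfheader( statusCode = 401, statusText = "Unauthorized" );
                abort;
            }
        }
        return true;
    }

    // Assumption: signature = Base64( HMAC-SHA256( rawBody, key ) ), which is what
    // the thread describes as "a hash of the payload using a pre-defined secret".
    private boolean function isValidXeroSignature( required string payload, required string signature ) {
        if ( !len( variables.webhookKey ) || !len( arguments.signature ) ) {
            return false;
        }
        // hmac() returns a hex string; convert it to the Base64 form carried in the header
        var hex      = hmac( arguments.payload, variables.webhookKey, "HMACSHA256", "utf-8" );
        var expected = binaryEncode( binaryDecode( hex, "hex" ), "base64" );
        // Constant-time comparison so response timing does not reveal how many bytes matched
        return createObject( "java", "java.security.MessageDigest" ).isEqual(
            charsetDecode( expected, "utf-8" ),
            charsetDecode( arguments.signature, "utf-8" )
        );
    }

}
```

Because `request.isFromXero` is set in the pseudo-constructor, `xero_webhook.cfm` itself still runs inside the main application and can read `application.*` variables, which is what the original poster wanted; only the cookie behaviour of that one request changes.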

Why doesn’t cfcontent allow removing cookies? i.e. <cfcontent resetcookies="true">

The Servlet API (on which Lucee and ACF are built) does not expose a method for clearing previously set headers. We can, theoretically, add an internal array that would hold the headers and only pass them forward on the first response “commit”, but is it worth it?

1 Like

I reckon such per-request control is good and avoids the need for all the old-style CFML workarounds described above.

Being able to easily serve certain types of generated content without cookies would be very useful for leveraging upstream proxy servers.

Personally, I’m not against that.

Feel free to open an Enhancement ticket in JIRA and we can discuss it and make a decision as to whether it makes sense to implement that or not.