How to uncheck 'Disable updating ColdFusion internal cookies' programmatically - cookies

I have an application which is on a shared server. I am facing issues while setting the cookie. Here is the code:
<cfcookie name="CFID" value="#cfid_local#">
<cfcookie name="CFTOKEN" value="#cftoken_local#">
The error which I am getting is:
Failed to set cookie. ColdFusion is unable to add the cookie you
specified to the response.
To fix this issue, I need to Navigate to the "Memory Variables" page under the "Server Settings" menu. Un-Check "Disable updating ColdFusion internal cookies using ColdFusion tags/functions." and select the "Submit Changes" button.
But as my application is on shared server. This change cannot be made. Can any one let me know that how can I fix this programmatically?

Related

CF-2016 mappings doesn't find file from the specified location

I have migrated from ColdFusion 8 to Coldfusion 2016 and specified the path under CF Admin console. See picture. One of my file (login.cfm) is under /common directory outside webroot.
When I hit application url, first it finds index.cfm and then validate.cfm in which I am calling login.cfm using cfmodule. PLs check the lines of code here from validate.cfm.
<cftry>
<cfmodule template="/common/security/login.cfm"
login="#form.login#"
password="#form.password#"
returnvar="login_result">
<cfcatch>
<cf_error_logreg error="An error occurred checking for active PO in validate.cfm. Please report this error to #request.app.admin_email# immediately.">
<cfabort>
</cfcatch>
</cftry>
So it doesn't run the cfmodule and throws out of cftry block everytime when it finds some page from /common directory and shows the error message what is specified in cfcatch block. Which means it's not accessing the mappings which I have set in CF Admin console. Any idea?
I am using IIS as a web server.
Issue resolved. The mappings we did was right, but Application was failing to set the cookies. ColdFusion was unable to add the cookie we specified to the response. This is probably because we have used it to set one of the ColdFusion Session Cookies or Authentication cookie. I have fixed that.
To fix this, I logged in to Coldfusion Admin> Memory Variables and unchecked 'Disable updating Coldfusion internal cookies using Coldfusion tags/functions.'
Save settings and restarted the website. It worked.

Coldfusion same file different output on CF10 and CF11 using cfheader

I have this simple code in Coldfusion
<cfheader
statuscode="400"
statustext="There was something wrong with the request."
/>
<cfoutput>This is what I want to return as the output.</cfoutput>
<cfabort>
When I run this on my localhost running CF10, I get this output on my Chrome browser:
But when I run this same file on another server running CF11, I get this output:
Am I missing something? Is there some other way of doing this in CF11?
Any help would be really appreciated. Thanks.
The issue actually has nothing to do with ColdFusion, either 10 or 11.
By default, IIS shows not does not show the statustext portion of the error message; it only shows the statuscode number. This is a security feature to prevent data leakage. If you do want to show the statustext portion of the error message, that is called "Detailed Error Messages" in IIS.
Steps to enable Detailed Error Messages in IIS 7:
Open the IIS7 manager
Select the Website and on its features view, double click on "Error Pages".
Right click and select the "Edit Feature Settingsā€¦" or select the same from the Actions pane (in the right hand side)
Select the "Detailed errors" radio button and click on OK
Now, even your client browsers will be able to see the detailed error messages.
More information:
https://blogs.msdn.microsoft.com/rakkimk/2007/05/25/iis7-how-to-enable-the-detailed-error-messages-for-the-website-while-browsed-from-for-the-client-browsers/
https://www.iis.net/learn/troubleshoot/diagnosing-http-errors/how-to-use-http-detailed-errors-in-iis

Coldfusion 9 cfscript cfcookie and cookie (script style)

I am trying to set my cookie CFIDE and CFTOKEN to be HTTPOnly in Coldfusion 9...
Here is what I have tried (didn't error but didn't work):
cookie.CFID = "#session.cfid#,httpOnly='true'";
cookie.CFTOKEN = "#session.cftoken#,httpOnly='true'";
I also tried (no go...and no error):
cookie.CFID = "#session.cfid#;httpOnly='true'";
cookie.CFTOKEN = "#session.cftoken#;httpOnly='true'";
And this (which I think only works in CF10):
cookie.CFID = {value="#session.cfid#", httpOnly="true"};
cookie.CFTOKEN = {value="#session.cftoken#", httpOnly="true"};
Then this (didn't error but didn't work):
cookie( name="CFID" value="#session.cfid#" httpOnly="true" );
cookie( name="CFTOKEN" value="#session.cftoken#" httpOnly="true" );
When I run these I do a empty cache hard reload in Chrome. When the page reloads I should see the Resources Cookies HTTPOnly column show check boxes.
I'm probably exhausted and could have hit the right combo of things above and I got a false positive on failure from jumping around too much. Sometimes cached things get the best of me.
I have the CFML container style that works but my Application.cfc is all script style and I want to keep it that way...So how do I do this script style in Coldfusion 9?
Update for my fix:
I used the getPageContex() below, but it didn't work as it was. Also onSessionStart() event handler changed to create the session.CFID and session.CFTOKEN with the CreateUUID() which is also new in my Application.cfc file. So for posterity here is what that block of code looks like.
function onSessionStart(){
getPageContext().getResponse().addHeader("Set-Cookie", "CFID=#session.CFID#;path=/;HTTPOnly");
getPageContext().getResponse().addHeader("Set-Cookie", "CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly");
}
Another Note: For some reason if the session is cleared and the onsessionstart() handler is requested this set cookie stuff above will fail. There has to be a try catch block or exception handling of some sort added to account for a reload problem. The best thing is to upgrade to a patched up release of Coldfusion 10 (or soon to be released CF 11).
You can use the PageContext object to set cookies in cfscript:
getPageContext().getResponse().addHeader("Set-Cookie", "CFID=#session.CFID#;path=/;HTTPOnly");
getPageContext().getResponse().addHeader("Set-Cookie", "CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly");
For session cookies, there's an easier way.
Enabling server-wide HttpOnly session cookies
The ColdFusion 9.0.1 update added a server-wide setting to add the
httponly attribute to all session cookies created by ColdFusion (such
as the CFID and CFTOKEN cookies, or the JSESSIONID cookie on JRun). To
enable this setting, if you are running a JRun J2EE installation or
multi-server installation, you must edit jvm.config, otherwise you can
enable this setting from the CF Administrator. If you are running a
J2EE server other than JRun consult your documentation for an
appropriate setting. J2EE servers that support the Servlet 3.0
specification can specify
true
in the /WEB-INF/web.xml file.
http://www.adobe.com/devnet/coldfusion/articles/coldfusion-securing-apps.html
You can use this code in your application.cfc inside of the onsessionstart function.
<cfcookie name="CFID" value="#session.cfid#" httponly="true">
<cfcookie name="CFTOKEN" value="#session.cftoken#" httponly="true">
There is no way of setting this inside of cfscripts. cfcookie is not supported in script form in cf9. There are flags in the application settings added to CF10 to address this issue, however, CF11 will have full support for it inside of scripts. Unfortunately, I think you will have to forego the uniform code for functionality. Unless you have access to your CFIDE/Administrator. You can add a java argument to turn it on server wide. Add this to your JVM config
-Dcoldfusion.sessioncookie.httponly=true
All of this is detailed here http://www.petefreitag.com/item/764.cfm

IE11 does not send session cookie when a link targeting a new tab is clicked (on first request)

I am having some trouble holding onto session when opening an initial new tab (target _blank) from IE11.
When I close all instances of IE11 and then open a fresh browser and navigate to the test webpage (default.aspx) the page stores a value in session and displays the session ID on the page. If I refresh the page the session ID stays the same. The page has a link to itself (default.aspx) with a target of _blank. If I click this link a new tab is opened, but the session ID is different. If I then refresh the original window the session ID now matches the new window.
<%# Page Language="C#" AutoEventWireup="true" Inherits="System.Web.UI.Page" %>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title></title>
</head>
<body>
<% Session["StoredValue"]="Test"; %>
<div>SessionID: <%=Session.SessionID%></div>
New Window
3rd Party Window
</body>
</html>
It appears this problem only occurs for the first window on the same domain opened in a new tab (I have verified the problem with both target="_blank" and by holding CTRL while clicking the link).
When I watch the cookie traffic with Fiddler I can see that the
session cookie is sent normally in the initial request from
default.aspx. When I click the link to open the page in a new tab
the session cookie is not being sent in the request headers.
If I restart the browser, go to the test page, open a new tab
manually and paste the link destination into it the cookie is sent
correctly in the request headers and the session from the new tab
matches the original tab as expected.
If I restart the browser, go to the test page, open google from a
link targeting _blank in the test page, and then click the link
opening the test page in a new tab the cookie is also sent correctly
in the request headers and the session from the new window matches
the original window as expected.
I believe this to be a client side issue but the site is running from Windows Server Standard 2008 R2 SP 1 in a 4.0 Integrated website with .NET 4.51 installed (also tried with only 4.5 installed).
The client is Windows 7 64-bit running IE11 (11.0.9600.16476). I have verified the problem on other machines running Windows 7 from IE11 and confirmed that it is not a problem in IE10 from Windows 8 in desktop mode. Everything works as expected in Chrome and Firefox.
I have verified the problem persists even if I:
Move security from Medium High to Medium
Disable Protected Mode
Change privacy to Accept all Cookies
Add the site to either the Local Intranet or Trusted Sites zone website list
Set a P3P compact privacy policy in the response headers stating no information is collected or used.
Set a P3P compact privacy policy in the response headers that would typically be accepted to allow 3rd party cookies within an iframe in past versions of IE.
Change the website ASP.NET session state settings to cookieless="UseCookies" or "false" or remove the attribute altogether (ASP.NET State Server).
Any ideas? Has anyone else seen this issue or similar?
This is an active bug according to microsoft. There is apparently no server-side way to fix this.
Link to bug report
Not a solution, but a clue:
We noticed similar behavior and tracked it down to requests to root/browserconfig.xml causing user to become unauthenticated. Server sent a new session cookie because Windows was not sending the existing one. Subsequent requests then sent the new session cookie value. We changed our server to look for this request and not set response cookies.
This is not a solution, but:
Try middle click instead. If that works for you 100% of the time(it did for me)
js: links with target='_blank' on ie remove defaultBehaviour and trigger middle click.
Problem solved.
Same issue coming for my login,But we tried it to resolve it by changing some setting in IE11 or other problematic browsers.
Goto tools=> Internet options=> Privacy
There click on Sites button. There add mydomain.com & click on Allow button.
Restart your browser.

ColdFusion9 session variables randomly clear

I have an application that keeps giving me Variable undefined in session. This happens randomly. I can click on a page and get the error, log out and then back in and click on the same page and don't get the error, click three more pages fine, then click another page and get the error again. I have not found any rhyme or reason to it. In my application.cfm I have:
<cfset SessionTimeout = CreateTimeSpan(0, 2, 0, 0)>
<cfset LoginTimeout = 7200>
<cfapplication name="redbook"
clientmanagement="Yes"
sessionmanagement="Yes"
setclientcookies="Yes"
clientstorage="cookie"
sessionTimeout = #SessionTimeout#>
In looking at a proxy debugger, I can see all my session variables declared on the page before it errors. On the next page (when it errors) the only session variables I see are:
cfid, cftoken, sessionid, urltoken
Has anyone else experienced this?
I am running Coldfusion Version 9.0.2.282541 on Windows Server 2008 R2.
Please let me know if you need any more details.
The issue was the load balancing. As it went from page to page, it sometimes switched servers, clearing out the session variables.