tracker issue : CF-3989753

select a category, or use search below
(searches all categories and all time range)

<cfparam> sends a cookie

| View in Tracker

Status/Resolution/Reason: Closed/Withdrawn/NotABug

Reporter/Name(from Bugbase): e-domizil License Team / e-domizil License Team (Alexander Hass)

Created: 05/18/2015

Components: General Server

Versions: 10.0

Failure Type: Non Functioning

Found In Build/Fixed In Build: Final /

Priority/Frequency: Critical / All users will encounter

Locale/System: English / Win 2008 Server R2 64 bit

Vote Count: 0

Problem Description:
This seems to be a regression from CF8.

We expect that cfparam prevents from undefined variables inside our coldfusion code, but not that cfparam trying and failing of doing the job of “cfcookie”. The problem we experience is that we normally set a domain cookie with cfcookie named PARTNERID with domain “”. This comes back from the client and we need to read “cookie.partnerid” only, but if there is none defined, the PARTNERID cookie must not be send with a invalid domain “” back to the client with an empty default value.

Steps to Reproduce:
Run the attached "cfparam.cfm"

Actual Result:
cookie.partnerid is send my "cfparam"

Expected Result:
cookie.partnerid is NOT send my "cfparam" any only by "cfcookie"

Any Workarounds:

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	3989753

External Customer Info:
External Company:  
External Customer Name: E
External Customer Email:  
External Test Config: My Hardware and Environment details:

- Windows 2008 R2, IIS, CF Updater 16

- Windows 2012, IIS, CF Updater 16


  1. May 18, 2015 00:00:00: 1_cfparam.cfm


Using ColdFusion 8, 9 & 10, <CFPARAM> creates a session cookie for the CGI.Server_Name & default path "/" if it doesn't already exist. I'm not sure how this behavior differs from ColdFusion 8, 9 or 10 as I see the same client cookie behavior results when using dev tools. ColdFusion is not able to identify a cookie's domains, path or expires date. Your browser determines what it can send back to the server and ColdFusion only has access to an upper-cased cookie's NAME & VALUE properties. (I've encountered issues when attempting to sanitize and update a cookie's value was resulting in multiple unique session cookies with duplicate names being created for different unique paths.) You may want to use isDefined("cookie.partnerid") or StructKeyExists(cookie, "partnerid") instead of CFPARAM.
Comment by External U.
7413 | May 18, 2015 03:47:17 PM GMT
I'm not asking for workarounds. cfparam has a changed behavior and it looks not correct what it does there as cfparam is made to prevent from undefined variables in CF code like "var $foo" in javascript. It is unexpected and a malfunction that a cookie is send. Cookies should only be send by cfcookie. We know that our code worked well in past with CF8 and is failing with CF10 now.
Comment by External U.
7414 | May 19, 2015 10:37:32 AM GMT
Believing that cookies can only be created in ColdFusion 8 by using CFCookie is a false assumption. I used your vanilla CFM script <cfparam name="cookie.partnerid" default="123456000000"> to a ColdFusion 8 server and it generated a session-based cookie on page load. ColdFusion 9, 10 & 11 do the same thing. Cookies in ColdFusion 8 (and 9, 10 & 11) can be assigned multiple ways. Try this using ColdFusion 8. I verified that 7 cookies were created and delivered to my browser using client-side web developer tools. (NOTE: Set-Cookie isn't accessible to ColdFusion until a subsequent page load.) <cfset cookie.test1 = "test1"> <cfset cookie["test2"] = "test2"> <cfset "cookie.test3" = "test3"> <cfheader name="Set-Cookie" value="TEST4=test4"> <cfset structinsert(cookie, "test5", "test5")> <cfset setvariable("cookie.test6", "test6")> <cfparam name="cookie.test7" default="test7"> <cfoutput> <cfloop from="1" to="7" index="thisCookie"> "test#thisCookie#" = #YesNoFormat(isDefined("cookie.test#thisCookie#"))#<br> </cfloop> </cfoutput>
Comment by External U.
7415 | May 19, 2015 01:31:50 PM GMT
I just ran the test script (generating 7 cookies) using ColdFusion 5 and all 7 cookies were generated. So ColdFusion 5 appears to be functioning just like ColdFusion 8, 9, 10 & 11. (NOTE: I'm using Windows & IIS 6.5/7 too.)
Comment by External U.
7416 | May 19, 2015 01:36:47 PM GMT
Sorry mate, your expectations are off, and your assertion that any behaviour here has changed is also off, as James says (and I've just confirmed as far back as CF5). Writing to the cookie scope *intrinsically* will cause the appropriate cookie to be sent to the browser with the response. This is how cookies work in CFML. Always have. Not a bug. -- Adam
Comment by External U.
7417 | June 02, 2015 04:25:01 PM GMT
Have tried to repro the issue in previous versions and the behavior seems to be the same on them too. This is an expected behavior. Please do let us know if you have any other concerns. Thanks!
Comment by S P.
7418 | June 05, 2015 04:05:34 AM GMT
Since there has been no response, closing the bug for now. If you still have some concerns regarding the same, do let us know, the bug will be reopened. Thanks!
Comment by S P.
7419 | August 25, 2015 01:27:28 AM GMT