tracker issue : CF-4057613

select a category, or use search below
(searches all categories and all time range)

CFID & CFTOKEN include "hash" prefix this is not compatible with previous versions

| View in Tracker

Status/Resolution/Reason: Closed/Fixed/

Reporter/Name(from Bugbase): Mark Gaulin / Mark Gaulin (Mark Gaulin)

Created: 09/16/2015

Components: Core Runtime

Versions: 11.0

Failure Type: Data Loss

Found In Build/Fixed In Build: CF11_Final /

Priority/Frequency: Normal / Some users will encounter

Locale/System: ALL / Win 2008 Server

Vote Count: 1

Listed in the version 2016.0.0.297996 Issues Fixed doc
Verification notes: verified_fixed on August 05, 2017 using build 2016.0.01.298513
Related Bugs:
CF-4107152 - Similar to

Problem Description: CF11 (and at least some recent updates to CF10) include some kind of "hash" prefix in front of the values of the CFID & CFTOKEN cookies.  As far as I can tell, this change is not documented and cannot be disabled.  This change breaks session sharing between servers running different of CF and it seems to break things when the host name and/or cfapplication name changes. (Our testing did not nail this down.)

I would have expected a change like this to be 1) documented and 2) able to be disabled via a jvm.config argument

Steps to Reproduce:
Hit a CF11 site that is not using "Use UUID for cftoken"

Actual Result:

Expected Result:

Any Workarounds:

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	4057613

External Customer Info:
External Company:  
External Customer Name: Mark Gaulin
External Customer Email:



This new behavior may be fantastic for most people, and one day I may be ready to use this too, but this feature needs be configurable so that new CF10 updates are safe for us to apply.
Comment by External U.
5870 | September 16, 2015 08:42:12 AM GMT
FYI, my latest testing seems to indicate that the "hash" is based on the domain string that would be used if "set domain cookies" is enabled. It also looks like this hash is not included if set domain cookies is not enabled. If true, I would consider this to be good news for multi-server sites that want to share CF session cookies, but I would really love to see documentation that confirmed this to be the case, and that Adobe was committed to supporting that behavior officially. (I would still very much like to be able to disable this feature on a per-instance basis to allow us to roll CF updates across our web site clusters in a controlled manner.)
Comment by External U.
5871 | September 18, 2015 03:05:18 PM GMT
Same behaviour in CF 10 Update 18
Vote by External U.
5874 | November 30, 2015 10:09:31 AM GMT
Added a new JVM Argument coldfusion.cookie.prefixdomainhash and setting this argument value to false will disable the hash prefix. As Mark said this hash prefix enables us to share CF session cookies across multi-server sites (multiple sub domains) we will get this documented as well. And the JVM argument support will be available in the next update of CF10/11. Thanks, Pavan.
Comment by S V.
5872 | January 04, 2016 05:42:50 AM GMT
Hi Adobe, I've verified this is fixed in CF2016 Update 1 (build 2016.0.01.298513). Thanks!, -Aaron
Comment by Aaron N.
5873 | August 05, 2017 09:09:20 PM GMT